In July 2001, Counterpane Internet Security, then a young start-up, published an issue of its free monthly newsletter (Crypto-Gram) covering computer security and cryptography. The lead topic of that issue was “Monitoring First”, and the article argued that organisations should monitor their networks and systems before anything else.
It argued that companies should shift their attention toward the timely detection of malicious activity or compromise rather than investing ever more heavily in prevention. According to the author, deploying security controls such as firewalls and intrusion detection systems (IDS) is not enough: configuring them properly and monitoring their output is what allows a compromise to be detected in time.
The author of this article was none other than ‘security guru’, Bruce Schneier.
Many would still agree with Schneier 14 years later. Cyber-related incidents have skyrocketed and, if industry statistics are to be believed, that trend will continue. Large global companies have been breached successfully; in some cases ex-employees led the attacks. In those cases preventive controls proved futile, because the ex-employee knew the IT environment and how to bypass them.
As Chief Security Officers become more aware of this, focus is shifting toward detection and response. Companies have started building the capability to detect malicious activity and to respond to it. Detecting a compromise on the network in a timely manner is paramount. The first hour immediately following an incident, often called the “golden hour”, is critical to thwarting a cyber-attack: the response during that hour can make or break the later investigation, or even stop the attack altogether.
In the ex-employee cases above, the attacks could have been stopped had they been detected within that golden hour. Yet the time companies take to detect an incident remains far too long: the Mandiant threat report for 2015 put the median time attackers were present on a victim network before detection at 205 days.
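The two points made above, that firewall and IDS output must actually be monitored and that detection has to happen within the golden hour, are easy to state and rarely demonstrated. The following is an added example, not code from the original article or from Counterpane/Schneier: a small monitor that parses constructed iptables-style firewall drop lines and Snort “fast” alert lines, flags port scans from external sources, correlates them with high-priority IDS alerts involving the same host, and reports how long the attacker was visible in the logs before the alert fired. The sample log lines, the year (syslog lines carry none), the 10.0.0.0/8 internal range and the thresholds are all assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2015                                     # assumption: neither log format carries a year
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored network
SCAN_PORTS = 5          # distinct dropped destination ports from one source that count as a scan
SCAN_WINDOW_S = 300     # ...seen within this many seconds
ALERT_MAX_PRIORITY = 2  # Snort priority 1 is highest; alerts with priority > 2 are ignored here
GOLDEN_HOUR_S = 3600    # detection inside the first hour is what the text calls the golden hour

# Constructed sample firewall output (iptables-style syslog lines), using documentation address ranges.
FIREWALL_LOG = """\
Jul 15 02:10:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51201 DPT=22
Jul 15 02:10:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51202 DPT=23
Jul 15 02:10:05 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51203 DPT=445
Jul 15 02:10:09 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51204 DPT=3389
Jul 15 02:10:12 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51205 DPT=8080
Jul 15 02:11:40 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP SPT=40001 DPT=22
Jul 15 02:14:05 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51234 DPT=80
"""

# Constructed sample IDS output (Snort "fast" alert format).
IDS_LOG = """\
07/15-02:14:07.120000 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.7:80 -> 203.0.113.5:51234
07/15-02:20:00.000000 [**] [1:2010935:2] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:40000 -> 10.0.0.7:1433
"""

FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)
IDS_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] .*?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<a>[\d.]+):\d+ -> (?P<b>[\d.]+):\d+"
)


def parse_firewall(text):
    """Parse iptables-style lines into dicts; lines in other formats are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
        events.append({"ts": ts, "action": m["action"], "src": m["src"],
                       "dst": m["dst"], "dpt": int(m["dpt"])})
    return events


def parse_ids(text):
    """Parse Snort fast-format alerts; both endpoints are kept because direction varies per rule."""
    alerts = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR}-{m['mon']}-{m['day']} {m['time']}", "%Y-%m-%d %H:%M:%S.%f")
        alerts.append({"ts": ts, "sid": m["sid"], "msg": m["msg"],
                       "prio": int(m["prio"]), "hosts": (m["a"], m["b"])})
    return alerts


def external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL


def find_scans(events):
    """Return {src: first_drop_ts} for external sources whose DROPs hit SCAN_PORTS distinct
    destination ports inside a sliding SCAN_WINDOW_S window (oldest qualifying window wins)."""
    drops = defaultdict(list)
    for e in events:
        if e["action"] == "DROP" and external(e["src"]):
            drops[e["src"]].append(e)
    scans = {}
    for src, evs in drops.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if (e["ts"] - start["ts"]).total_seconds() <= SCAN_WINDOW_S]
            if len({e["dpt"] for e in window}) >= SCAN_PORTS:
                scans[src] = start["ts"]
                break
    return scans


def analyze(firewall_text, ids_text):
    """Correlate firewall and IDS output per external host and return a list of findings."""
    scans = find_scans(parse_firewall(firewall_text))
    first_alert = {}  # external host -> earliest qualifying IDS alert (file order is time order)
    for a in parse_ids(ids_text):
        if a["prio"] > ALERT_MAX_PRIORITY:
            continue
        for h in a["hosts"]:
            if external(h):
                first_alert.setdefault(h, a)
    findings = []
    for h, a in first_alert.items():
        if h in scans:  # scan followed by a high-priority alert from the same host: escalate
            latency = (a["ts"] - scans[h]).total_seconds()
            findings.append({"kind": "probable_compromise", "host": h, "first_seen": scans[h],
                             "detected_at": a["ts"], "latency_s": latency,
                             "within_golden_hour": latency <= GOLDEN_HOUR_S, "msg": a["msg"]})
        else:
            findings.append({"kind": "ids_alert", "host": h, "detected_at": a["ts"], "msg": a["msg"]})
    for h, ts in scans.items():
        if h not in first_alert:
            findings.append({"kind": "port_scan", "host": h, "first_seen": ts})
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for f in analyze(FIREWALL_LOG, IDS_LOG):
        print(f)
```

The point of the correlation step is the one the article makes: the firewall alone saw a port scan and the IDS alone saw one alert, and neither device "detected" anything unless someone is reading both outputs together. The reported latency (here a few minutes between the first dropped probe and the alert) is the number to watch against the golden hour; in a real deployment the same logic would run continuously over the live log streams rather than over embedded strings.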
So what are some of the most effective ways for companies to detect a breach or compromise, and turn that to their advantage?
As Bruce Schneier said, “You can’t defend. You can’t prevent. The only thing you can do is detect and respond”. Hopefully it will not take another decade for companies to accept that they can and will get hacked. Time will be of the essence, and it will come down to how quickly companies can detect these threats and respond effectively.