Businesses are constantly tasked with monitoring, defending against and protecting themselves from ever-changing digital threats. As more and more attacks succeed, it is critical that we evolve the way we think about our approach to cybersecurity.
No matter the safeguards in place, hackers manage to find a way into enterprise and government environments. In this new cyber battleground, companies need to think and act more like the attackers.
Acting on the defensive, waiting for our tech tools to alert us that something is amiss, does no good. The key is a good offense: stalking attackers and meeting them on their own playing field to stop them in their tracks.
To address these new realities, companies need to take a proactive approach to their security:
1. Prioritize your data
Hackers know what data they are after: usually something valuable enough to sell on the underground markets or to ransom back to the company. Understanding this is important when deciding how to protect your most valuable assets. Ask yourself what would fetch the highest price, or what you would pay the most to get back, and put it at the top of your list.
Also, use your own data to your advantage. Knowing which data matters most lets the security team study the users, systems and data streams that normally interact with it. With a clear, well-informed picture of what "normal" looks like on your network, you can focus threat intelligence on actively searching for any activity that is "anomalous."
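The baseline-then-hunt idea above is easiest to see in code. The following is an added example, not code from the original article: it assumes a constructed access-log format (`<timestamp> user=… host=… asset=… action=…`) for a single high-priority asset, builds a picture of "normal" from a known-good period (which users touch the asset, from which hosts, with which actions, and how busy their busiest day was), then flags recent events that fall outside that picture. All log lines, user names, host names and the `crm-db` asset name are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed log format (not from the article): one access event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) host=(?P<host>\S+) asset=(?P<asset>\S+) action=(?P<action>\S+)$"
)

# Constructed "known good" period for the highest-priority asset (the CRM database).
BASELINE_LOGS = """\
2024-03-04T09:02:11 user=alice host=ws-alice asset=crm-db action=read
2024-03-04T14:40:05 user=alice host=ws-alice asset=crm-db action=read
2024-03-04T10:15:30 user=bob host=ws-bob asset=crm-db action=read
2024-03-05T09:11:02 user=alice host=ws-alice asset=crm-db action=read
2024-03-05T11:20:44 user=bob host=ws-bob asset=crm-db action=read
2024-03-06T08:58:19 user=alice host=ws-alice asset=crm-db action=read
2024-03-06T16:03:51 user=bob host=ws-bob asset=crm-db action=read
2024-03-06T16:30:00 user=bob host=ws-bob asset=crm-db action=read
""".splitlines()

# Constructed later period to hunt through against that baseline.
RECENT_LOGS = """\
2024-03-11T09:05:12 user=alice host=ws-alice asset=crm-db action=read
2024-03-11T10:12:09 user=bob host=ws-bob asset=crm-db action=read
2024-03-11T22:41:37 user=carol host=ws-carol asset=crm-db action=read
2024-03-11T23:02:18 user=alice host=build-srv-07 asset=crm-db action=read
2024-03-12T03:15:44 user=bob host=ws-bob asset=crm-db action=export
2024-03-12T09:00:01 user=alice host=ws-alice asset=crm-db action=read
2024-03-12T09:01:15 user=alice host=ws-alice asset=crm-db action=read
2024-03-12T09:02:30 user=alice host=ws-alice asset=crm-db action=read
2024-03-12T09:03:45 user=alice host=ws-alice asset=crm-db action=read
""".splitlines()


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def build_baseline(lines):
    """Summarise the known-good period per asset: which users touch it, from which
    hosts, with which actions, and the busiest single day any one user had."""
    baseline = defaultdict(lambda: {"users": set(), "hosts": defaultdict(set),
                                    "actions": set(), "max_daily": 0})
    daily = defaultdict(int)  # (asset, user, day) -> event count
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        b = baseline[ev["asset"]]
        b["users"].add(ev["user"])
        b["hosts"][ev["user"]].add(ev["host"])
        b["actions"].add(ev["action"])
        key = (ev["asset"], ev["user"], ev["ts"][:10])
        daily[key] += 1
        b["max_daily"] = max(b["max_daily"], daily[key])
    return baseline


def find_anomalies(baseline, lines):
    """Return (kind, event) pairs for recent events that deviate from the baseline."""
    findings = []
    daily = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        b = baseline.get(ev["asset"])
        if b is None:
            findings.append(("unbaselined_asset", ev))
            continue
        if ev["user"] not in b["users"]:
            findings.append(("unknown_user", ev))
        elif ev["host"] not in b["hosts"][ev["user"]]:
            findings.append(("new_host_for_user", ev))
        if ev["action"] not in b["actions"]:
            findings.append(("unusual_action", ev))
        key = (ev["asset"], ev["user"], ev["ts"][:10])
        daily[key] += 1
        # Flag once, on the first event that pushes a user past their busiest baseline day.
        if daily[key] == b["max_daily"] + 1:
            findings.append(("volume_above_baseline", ev))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a hunt dashboard."""
    counts = defaultdict(int)
    for kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for kind, ev in find_anomalies(base, RECENT_LOGS):
        print(f"{kind:22} {ev['ts']} {ev['user']}@{ev['host']} {ev['action']} {ev['asset']}")
```

Run as-is, the hunt surfaces four leads from the constructed recent period: a user never seen on the asset, a known user arriving from an unfamiliar host, an action (`export`) the baseline never recorded, and a user exceeding their busiest baseline day. Each lead is a starting point for an analyst, not a verdict; the value of the baseline is that it turns "look for anything bad" into a short list of concrete departures from what the data's own history says is normal.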
2. Abandon tradition
Hackers are not sitting around waiting for something to happen, and neither should you. Start with the assumption that an attacker has already gained access to the network, and proactively hunt them down. When we accept that relying on traditional perimeter monitoring is unlikely to detect many advanced threats, we also accept that it is likely someone has already penetrated the network. This isn't an indication of failure, it merely defines the realities of this new battleground.
3. Take immediate action to protect data and minimize business impact
As soon as a new zero-day vulnerability becomes available, hackers are using it to attack networks. Too many security operations are not this quick: many still practice a reactive monitor-and-detect strategy rather than a proactive one. This over-reliance on technology to raise an alert has contributed to a crippling time-to-detect of 150-200 days. Detection, when it finally happens, comes too far down the kill chain.
Developing a plan of pre-approved actions allows security teams to respond immediately. Use the time before an incident to plan, validate and approve the actions you must take when (not if) malicious activity is detected. The sooner you respond to an attacker, the less likely it is that they will locate the data or cause the destruction they intended.
Winning this new battle
Developing and maintaining a robust and effective security operation in today's threat landscape is no trivial task, and a shift in thinking is a critical first step. Detecting and responding effectively to today's attackers means putting the data you are protecting at the heart of the security operation and adopting a proactive approach.
The ultimate cost and consequence of a breach is closely tied to the time between the break-in and the discovery of the intruder. The exact time varies, but attackers are often on a network for 150 to 200 days before they are detected, and sometimes they go unnoticed for years.
Dangerous and sophisticated attacks are an unrelenting enemy for security teams everywhere. This is the new normal, and we must be agile and strategic enough to respond appropriately and immediately.