In the world of security, you can always count on one simple truth: you can’t respond to a threat that hasn’t been detected.
And with the increasing number of cybersecurity incidents, security leaders cannot afford to miss the proverbial “needle in a haystack” threat that compounds into a much more serious security issue. Yet industry research by the Verizon Risk Team in the annual Data Breach Investigations Report indicates that 56% of eventual breaches take weeks or even months to develop and go undiscovered by InfoSec teams.
This means that security teams must see everything – even if it means dealing with the byproduct of managing too many security alerts.
Threat detection and the need for continuous endpoint visibility
Let’s consider the Target breach of 2013 as an example. Attackers accessed the Target network via a third-party vendor, starting with a phishing email. Then, malware was used to compromise login credentials. Alerting technology correctly identified the attackers’ suspicious activity, but due to the “vast numbers of technical events,” the alert was missed by the InfoSec team. The result? The compromise continued unaddressed and grew into a data breach, affecting the information of some 70 million individuals.
As this example shows, threat detection is the first critical step on the path to maintaining enterprise security. If left unaddressed, a compromise will continue to grow and fester in IT networks until it eventually escalates into a data breach. If sensitive data is stolen, brand trust is compromised, regulatory penalties are inbound, and the lengthy and difficult recovery process for the organization must begin.
Every compromise should be addressed, and any effort to get ahead of the resource and staffing concerns I shared in a previous blog will likely pay immediate and long-term dividends for security leaders in today’s climate. Obviously, security leaders should err on the side of caution and aim for 100% visibility and 100% detection of threats as a guiding principle and methodology. However, once your security team has maximum visibility and is detecting as close to 100% of potential threats as possible, there will be too many alerts. This is a necessary byproduct of visibility, but it is still an issue that needs attention, because it creates an exorbitant number of security events.
The great news is that technology exists to address these problems and help to alleviate the looming sense of concern and anxiety related to security event visibility and validation.
Fearless response with EnCase
While effective against legacy vulnerabilities, protective perimeter security technologies are not a guarantee of total threat prevention. In present-day cybercrime, advanced and targeted attacks are the primary means of inflicting damage. Advanced and targeted attacks often leverage campaign-style tactics, with extensive reconnaissance, multiple breach tactics, command and control with compromised credentials, privilege escalation and, eventually, data exfiltration. In other words, prevention technologies exist to address legacy vulnerabilities and are less effective against net-new, zero-day, advanced and targeted attacks.
Savvy security leaders address zero-day threats, APT malware, theft by a privileged insider and nation-state sponsored attacks with Endpoint Detection and Response (EDR) technology like OpenText™ EnCase™ Endpoint Security.
EnCase Endpoint Security enables both experienced and junior members of Incident Response (IR) teams to confidently and comprehensively respond to threats—including legacy vulnerabilities, targeted external attacks and insider threats.
EnCase Endpoint Security:
- Helps IR Teams avoid manual wipe and reimage with surgical, over-the-wire remediation
- Is simplified for confident use by Tier I security analysts
- Amplifies the abilities of expert power-users with suggested workflows and builders for junior personnel
- Easily integrates with adjacent security technologies for maximum operational efficiency
- Helps IR teams prioritize alert response with embedded threat intelligence and context
- Enables IR teams to fully assess advanced and targeted attacks with a comprehensive DFIR/Tier III feature-set
Learn more about how you can respond fearlessly and recover forensically with OpenText EnCase Endpoint Security in our latest whitepaper, Fearless Response with OpenText EnCase. You can also read more about the SANS Institute research and learn how to address the skills shortage in security in my previous blog posts, and join me at Enfuse to learn how to meet the changing needs of the enterprise security landscape.