5 Ways To Boost Cyber Resilience in 2024

Cyber resilience is more important than ever in 2024. In the past, hackers mostly targeted large enterprises and organisations. Now new forms of attack — and hacks carried out on behalf of nation states — are putting organisations of all sizes at risk from cybercrime that can easily turn an entire operation upside down.

That’s why every company, whatever its niche or industry, should constantly review its cybersecurity priorities. Most businesses invest their resources in prevention technologies and measures. As well as keeping these in the best shape, you should also bolster your internal defences so you can detect and respond to potential threats, minimising disruption to your business operations during adverse cyber conditions and when under attack. Here are 5 steps you can take to improve your business’s cyber resilience in 2024.

1. Invest in a Security Operations Centre (SOC) now.

Two key questions for any organisation are “How will we know if we’re under attack?” and “What will we do when it happens?” On average, it takes security teams around two months to detect that a breach has taken place. During that time, attackers can move throughout the organisation, seeking out ways to take advantage of their access or cause significant damage.

A Security Operations Centre aims to minimise the time taken to detect breaches and to mount effective responses when they do occur. The SOC is responsible for protecting a company’s assets in all of their forms, from intellectual property to whole business systems. Staff in the SOC will implement a detailed cybersecurity strategy, based around prevention, monitoring, detection and response, and serve as the main collaborative point of defence against such attacks.

If your business has the funding to do so, investing in a SOC is one of the best ways to ensure you’re well prepared for today’s security threats. Given the breadth and nature of the advanced threats hitting organisations of every size, thinking a SOC is unnecessary because “it won’t happen to us” is a dangerous path to tread.

Unfortunately, establishing a SOC is a very resource-heavy endeavour. LogRhythm, a market-leading provider of Security Information and Event Management (SIEM) solutions, has compiled an excellent white paper (uk-how-to-build-a-soc-with-limited-resources-white-paper.pdf, logrhythm.com) that will give you some idea of the investment involved. If your company doesn’t have the resources to create a SOC, our other tips can still help you improve your cyber resilience.

2. Consider advanced technologies for detection and response

Moving beyond prevention, you should consider investing in technologies that help you detect and respond to incidents and simplify security operations with automation and event prioritisation. These include:

  • EDR – Endpoint Detection and Response. This type of software monitors endpoint devices, such as computers and mobile devices, rather than the network. Moving beyond old-school anti-virus solutions, EDR gives advanced visibility plus threat hunting and response capabilities. Although too limited to be used alone, EDR solutions can be a great tool for securing against the threats that come with remote working.
  • NDR – Network Detection and Response. This type of solution provides in-depth visibility into the network in order to find the behaviours commonly associated with hidden cyberattacks on physical and virtual infrastructure. Because threats will end up on the network regardless of how they enter your systems, NDR is a great way to gain full visibility across your entire estate, especially if you’re migrating to cloud services and running a combination of cloud and on-prem infrastructure. Partnering NDR with EDR, especially if the two solutions integrate technically, can be a powerful combination, bolstering protection and reducing complexity.
  • XDR – Extended Detection and Response. This is a newer technology that centralises security data from different sources to improve detection capabilities beyond those of EDR alone.
  • MDR – Managed Detection and Response. This service is usually provided by a security vendor and operated from a SOC (either in-house or outsourced). It enables end-to-end monitoring of threats and is a great option for companies with sufficient budget that don’t want to build a full-blown SOC of their own.
  • SIEM – Security Information and Event Management. This approach lets you view and manage security operations in terms of your business infrastructure. It allows you to create correlation rules that take into account your unique business needs and general security policies in order to detect common threats. Used alone it doesn’t provide the comprehensive protection it offers as part of a SOC, but in conjunction with EDR and NDR it’s a great solution for aggregating, correlating and scoring threat information in organisations that have the internal resources and skills needed to run it.

For organisations that are not yet at the right size or maturity to invest in a full SOC, it’s worth considering which of these advanced solutions would best improve their overall cyber resilience, and whether the organisation has the internal resources to run them in-house or would benefit from a managed service.

3. Make sure your SOC is managing, not just monitoring

Even if you’ve invested in an SOC, you may still be struggling to identify when your organisation is under attack. You might not be picking up on business processes and user behaviours that are putting you at risk. Or you could be unable to respond quickly and effectively enough to prevent attackers from accomplishing their goals. The wealth of data and alerts generated by a comprehensive suite of detection and response tools can easily become overwhelming and make it impossible to identify what’s really happening and how you should respond.

Of course, as a first step, you need to make sure you really are seeing everything that’s going on. Gartner’s SOC visibility triad provides a framework for building a comprehensive picture of user and entity behaviour, network traffic and endpoints across an organisation. Evaluating your current monitoring against the SOC visibility triad will help ensure you see, collect and combine activity across the organisation’s full spread of operations. It’s also a good way to identify any human factors that may be undermining your security measures: poorly configured technology, human error, patch delays, and staff simply not caring about security processes.

However, comprehensive monitoring is not enough on its own. You need to be able to turn the hundreds (or thousands) of alerts being generated by your monitoring systems each day into actionable insights that can be used by analysts in the SOC and by the wider business.

To take your SOC to this next level, where it’s not just a “monitoring centre”, you should consider investing in tools from vendors like Vectra and Cybereason that correlate and prioritise activity and alerts from multiple systems into a single end-to-end story. That allows analysts to quickly identify and work on real threats, rather than spending time on the “busy work” of dealing with — and dismissing — each separate alert while potentially missing the big picture.
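As an added illustration of the two ideas above, a SIEM correlation rule (tip 2) and the correlation of alerts from several tools into one prioritised story (tip 3), here is a small Python example. It is not code from the original article or from any vendor named in it; the log lines, alert feeds, tool names, thresholds and scoring weights are all constructed assumptions for the purpose of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real telemetry): raw authentication log lines as a
# SIEM would ingest them, plus alerts from hypothetical EDR and NDR tools.
AUTH_LOG = [
    "2024-03-04T09:00:01 host=ws-17 user=alice src=203.0.113.9 result=FAIL",
    "2024-03-04T09:00:04 host=ws-17 user=alice src=203.0.113.9 result=FAIL",
    "2024-03-04T09:00:07 host=ws-17 user=alice src=203.0.113.9 result=FAIL",
    "2024-03-04T09:00:09 host=ws-17 user=alice src=203.0.113.9 result=FAIL",
    "2024-03-04T09:00:12 host=ws-17 user=alice src=203.0.113.9 result=FAIL",
    "2024-03-04T09:00:20 host=ws-17 user=alice src=203.0.113.9 result=OK",
    "2024-03-04T09:05:00 host=ws-22 user=bob src=10.0.0.5 result=FAIL",
    "2024-03-04T09:07:00 host=ws-22 user=bob src=10.0.0.5 result=OK",
]
TOOL_ALERTS = [
    {"source": "EDR", "time": "2024-03-04T09:03:40", "host": "ws-17", "severity": 3,
     "title": "Credential dumping tool executed"},
    {"source": "NDR", "time": "2024-03-04T09:08:15", "host": "ws-17", "severity": 2,
     "title": "Unusual SMB connections to 12 internal hosts"},
    {"source": "EDR", "time": "2024-03-04T11:30:00", "host": "ws-40", "severity": 1,
     "title": "Unsigned binary executed from temp directory"},
]


def parse_auth(line):
    """Parse one constructed 'key=value' auth log line into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def brute_force_rule(lines, threshold=5, window=timedelta(minutes=10)):
    """SIEM-style correlation rule: at least `threshold` failed logins for the same
    host/user followed by a successful login within `window`. Emits alerts in the
    same shape the other tools use so they can be correlated together."""
    events = sorted((parse_auth(line) for line in lines), key=lambda e: e["time"])
    fails = defaultdict(list)  # (host, user) -> timestamps of recent failures
    alerts = []
    for e in events:
        key = (e["host"], e["user"])
        if e["result"] == "FAIL":
            fails[key].append(e["time"])
            continue
        recent = [t for t in fails[key] if e["time"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"source": "SIEM", "time": e["time"].isoformat(),
                           "host": e["host"], "severity": 3,
                           "title": f"{len(recent)} failed logins then success "
                                    f"for {e['user']} from {e['src']}"})
        fails[key].clear()  # a success closes the window either way
    return alerts


def build_incidents(alerts, window=timedelta(minutes=30)):
    """Group alerts on the same host that fall within `window` of the previous
    alert into one incident 'story', then score and rank the stories."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        current = None
        for a in items:
            t = datetime.fromisoformat(a["time"])
            if current is None or t - current["last"] > window:
                current = {"host": host, "first": t, "last": t, "alerts": []}
                incidents.append(current)
            current["alerts"].append(a)
            current["last"] = t
    for inc in incidents:
        sources = {a["source"] for a in inc["alerts"]}
        # Independent tools agreeing about one host is worth more than one noisy tool.
        inc["sources"] = sorted(sources)
        inc["score"] = sum(a["severity"] for a in inc["alerts"]) + 2 * (len(sources) - 1)
        inc["timeline"] = [f"{a['time']} [{a['source']}] {a['title']}" for a in inc["alerts"]]
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def triage():
    """Run the SIEM rule over the raw log, merge with tool alerts, rank the stories."""
    return build_incidents(brute_force_rule(AUTH_LOG) + TOOL_ALERTS)


if __name__ == "__main__":
    for inc in triage():
        print(f"host={inc['host']} score={inc['score']} sources={inc['sources']}")
        for line in inc["timeline"]:
            print("   ", line)
```

Run as a script, the ranked output puts the ws-17 story (SIEM, EDR and NDR all firing within minutes) well ahead of the lone low-severity EDR alert on ws-40, which is the kind of end-to-end picture an analyst wants to start from rather than three unrelated tickets. The scoring weights are deliberately simple; in a real SOC they would be tuned to the organisation's own asset criticality and false-positive history.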

The result is a virtuous circle: the sooner you can fix issues being flagged up by your detection systems, the fewer alerts you’ll see and the more time you can spend proactively hunting for threats. Junior analysts can take on more of the work of investigating issues and finding and implementing responses because they’re starting with a picture that would take a great deal of skill to build manually. Finally, it’s easier to gather evidence to take to the business about the security risks posed by their current ways of working, so they can make informed decisions about how to balance security measures against making it easy for employees to get their work done.

4. Consider implementing MITRE ATT&CK.

If your organisation has decent security measures and policies in place, you should strongly consider implementing MITRE ATT&CK (MITRE Adversarial Tactics, Techniques, and Common Knowledge). This is a globally accessible knowledge base of hacker tactics and techniques based on real-world observations. It provides a common model of hacker behaviour that reflects the phases of a hacker’s general attack lifecycle and the areas they are specifically known to target.

MITRE ATT&CK can be used as a framework to understand and categorise different hacker actions, and to relate them to both the defensive and the offensive aspects of cybersecurity. Correctly implemented, it is a more effective way to defend against attacks than a static framework. Implementing MITRE ATT&CK will help ensure that the technology and tools your company currently has in place are working the way they were intended to, with optimum efficiency. It will also help you ensure your processes are focused on the specific risks you face. It can be used in conjunction with advanced cybersecurity solutions such as AttackIQ, Cybereason, and Vectra, which are all designed to help you adopt MITRE’s framework.
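The point about checking that your existing tools “are working the way they were intended to” and are “focused on the specific risks you face” is easiest to see with a coverage check. The Python below is an added example, not code from the article or from MITRE; it hand-types a small subset of ATT&CK technique IDs and names (in practice you would load the full knowledge base from MITRE’s published ATT&CK data), and the threat profile, detection rule names, tool names and test results are all constructed assumptions.

```python
from collections import Counter

# Constructed subset of ATT&CK techniques: ID -> (name, tactic). Load the full
# knowledge base from MITRE's published ATT&CK data rather than hand-typing it.
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1110": ("Brute Force", "credential-access"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1071": ("Application Layer Protocol", "command-and-control"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Constructed threat profile: the techniques this hypothetical organisation has
# decided matter most to it (for example from incidents seen in its sector).
PRIORITY = ["T1566", "T1059", "T1003", "T1110", "T1021", "T1071", "T1486"]

# Constructed detection inventory: each rule or analytic, the tool it runs in,
# the techniques it is meant to catch, and the outcome of its last validation test.
DETECTIONS = [
    {"rule": "brute-force-then-success", "tool": "SIEM", "techniques": ["T1110"], "last_test": "pass"},
    {"rule": "lsass-memory-access", "tool": "EDR", "techniques": ["T1003"], "last_test": "pass"},
    {"rule": "encoded-powershell", "tool": "EDR", "techniques": ["T1059"], "last_test": "fail"},
    {"rule": "smb-fan-out", "tool": "NDR", "techniques": ["T1021"], "last_test": "pass"},
    {"rule": "periodic-http-beacon", "tool": "NDR", "techniques": ["T1071"], "last_test": "untested"},
]


def coverage_report(priority=PRIORITY, detections=DETECTIONS, techniques=TECHNIQUES):
    """Classify each priority technique as:
       validated - at least one detection passed its last test
       degraded  - detections exist but none currently pass (tool not working as intended)
       gap       - no detection claims the technique at all"""
    report = {}
    for tid in priority:
        name, tactic = techniques[tid]
        rules = [d for d in detections if tid in d["techniques"]]
        if not rules:
            status = "gap"
        elif any(d["last_test"] == "pass" for d in rules):
            status = "validated"
        else:
            status = "degraded"
        report[tid] = {"name": name, "tactic": tactic, "status": status,
                       "rules": [f"{d['tool']}:{d['rule']}" for d in rules]}
    return report


def summary(report):
    """Counts per status, plus the techniques needing work with gaps listed first."""
    counts = Counter(v["status"] for v in report.values())
    order = {"gap": 0, "degraded": 1, "validated": 2}
    todo = sorted((tid for tid, v in report.items() if v["status"] != "validated"),
                  key=lambda tid: (order[report[tid]["status"]], tid))
    return dict(counts), todo


if __name__ == "__main__":
    rep = coverage_report()
    for tid, v in rep.items():
        print(f"{tid} {v['name']:<34} {v['tactic']:<20} {v['status']:<9} {', '.join(v['rules'])}")
    print(summary(rep))
```

The useful output is the “degraded” category: those are techniques where you already own a tool and a rule, but the last validation test shows it is not catching what it is supposed to, which is exactly the “working the way they were intended to” check the article describes. Gaps tell you where your spend is not aligned with your own threat profile.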

5. Leverage partners that have the best risk assessment and technical expertise.

Investing in relationships with a network of partners that have both substantial information assurance expertise and executive business leadership experience will help you deploy the technical solutions you’ve chosen in a way that aligns closely with the specific risk and business outcomes of your organisation. You should therefore look for partners with demonstrable enterprise project management experience, along with proof of technical delivery in complex environments.

Working with partners like these will allow you to reduce risk, integrate solutions from both a technical and workflow perspective, meet business objectives in the context of cybersecurity, and ensure that each technology solution you implement is being used efficiently, effectively and measurably as part of an overall cybersecurity strategy.

Our 5 tips suggest that many organisations are focusing too much of their cybersecurity resources and talent on prevention and not enough on detection and response. While prevention is important, balancing your resources across prevention, detection and response, and developing appropriate capabilities in all three areas, is a better way to optimise resources and bolster your overall cyber resilience.

To find out more about other ways you can optimise and boost your cyber resilience, download our white paper on People Inspired Cyber Resilience or come and talk to our team of experts.
