Sep 02 2020

How to Detect and Respond to Cybersecurity Attacks Faster

Proactive threat detection and response solutions are reducing hackers’ dwell times from months to minutes.

Cybersecurity professionals rarely rest easy. But Bruce Phillips, senior vice president and CISO for Williston Financial Group, says he’s been sleeping more soundly since deploying an advanced threat monitoring and vulnerability prevention solution to protect the company’s far-flung network of more than 1,800 devices in 90 offices throughout the Western U.S.

That’s because the system, based on the Falcon platform from CrowdStrike, is highly proactive, giving him more visibility into what’s happening in his network than he’s ever had before. The solution, he explains, doesn’t use the traditional method of identifying attack signatures but instead looks for “sequences of events” that show that an attack is likely underway.

“It doesn’t have to have previously seen the malware or the virus to be able to say, ‘This is bad,’” Phillips says. “It makes that judgment based on what the attack is doing in a process that, by definition or discovery or previous knowledge, is clearly anomalous and malicious.”

As a result, he can detect would-be malefactors before they gain access to his network. “We actually catch them in the act red-handed,” Phillips says. “And the way we’ve got the solution configured, if it sees an attack, it stops it and kills it right then and there and kicks up an alarm. Then we can go back and manually look at what happened and make sure that nothing was missed. That’s the advantage that we now have.”


Given the impossibility of preventing every breach, it’s become critical that businesses reduce the time it takes to detect and respond to any that occur. And most organizations are doing a poor job of that, according to the Ponemon Institute and IBM Security’s 2019 Cost of a Data Breach Report. The study found that last year, hackers’ average “dwell time” — how long they’re able to remain in a network before being detected — was 206 days.

By contrast, Phillips says, with an advanced threat monitoring system in place, his team is typically alerted and able to identify a breach in just 10 minutes.

“That’s the key: If you get compromised and you don’t know about it, you can’t respond,” he says. “But we know very, very quickly when something is going on, and then we can respond before any damage is done.”

Businesses Need the Right Security Tools at the Right Time

Proactive security solutions couldn’t come at a better time, especially for small businesses, as threat actors continue to acquire new skills while targeting small companies more frequently. In fact, 43 percent of attacks are now aimed at small businesses, according to Verizon’s 2020 Data Breach Investigations Report.

Small and even midsized businesses generally don’t employ dedicated security staff, says Christopher Kissel, a security research director for IDC. “It’s just not possible. So you’ve got a skills gap and a labor gap. Still, they need somebody (or in this case, something) to help them figure out the who, what, where, when and why of an event so they have the knowledge they need to respond quickly.”

CrowdStrike’s endpoint detection and response (EDR) solution includes access to Falcon OverWatch, a cloud-based security operations center that keeps tabs on the hundreds of thousands of devices in use by all of its customers. Thanks to the volume of data OverWatch analyzes, its algorithms see patterns and develop detection alerts for all kinds of malicious behavior and processes — not just what it sees at any one company.

$8 million: the average cost of a data breach for U.S. companies, more than double the worldwide average. (Source: Ponemon Institute and IBM Security, 2019 Cost of a Data Breach Report, July 2019)

“With OverWatch, you not only get the technology and the knowledge that they’re constantly building on, but you also get a security analyst who is looking at what’s going on with your data and your network and telling you immediately if they see something abnormal,” Phillips says. “Then, if we get an alert, we use our EDR tool to go back and do some digging: ‘What happened around the time this detection occurred? Were there other subfiles written to the disk? Did it write anything into the registry? Is everything clean now, or not?’ It gives you a lot more confidence that everything has been properly remediated.”

The media evaluation and insight firm Comscore has applied proactive threat detection to its email security, which is still the most common entry point for hackers. The Reston, Va.-based company, which employs 1,700 people, does business with “clients and products that would usually be flagged as spam or malicious in some way,” explains Clayton Gibson, a senior enterprise messaging engineer with Comscore. “As a result, our email security has to be a little more lax than usual while also still being robust enough to keep our users shielded from legitimate threats.”

The security team deployed Barracuda Networks’ Total Email Protection bundle in combination with Barracuda Advanced Threat Protection, an integrated cloud-based service that analyzes traffic across all major threat vectors. Legitimate links are still sometimes obscured, Gibson says, but the solution provides enough flexibility that the security team can easily exempt those domains and senders from ATP.

“If a user does click a link, they are now taken to a secure site alerting them as to whether the link is safe or not, prior to getting to the actual site,” he explains. “So user exploitation has been considerably lower. In fact, we haven’t had an incident since we implemented the new solution.”

Advanced Analytics Is Key for Security

Increasingly, businesses are turning to new security tools that incorporate behavior analytics and automation, not only to identify malicious anomalies more quickly but also to understand the habits and behavior of their own employees, says John Pescatore, director of emerging security trends for the SANS Institute.

“There’s always a lot of hype around security products, just like anything else, but in the case of these latest tools that incorporate software algorithms to look for behaviors and add to that knowledge, they do work,” he says. “As an example, when a phishing attack is launched, there are certain Windows processes that first have to happen before the attack can succeed. These EDR and advanced threat monitoring solutions will immediately recognize that these processes are underway and act to stop the attack.”
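The sequence-based detection that Phillips and Pescatore describe (alert on an ordered chain of events rather than on any single signature) can be illustrated with a small correlator over endpoint telemetry. This is an added example, not code from CrowdStrike, Falcon OverWatch or anyone quoted in the article; the process categories, the registry key, the five-minute window and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime          # event time
    host: str             # endpoint name
    kind: str             # "process" (a process start) or "registry" (a key write)
    parent: str = ""      # parent image name, for process events
    image: str = ""       # started image name, for process events
    key: str = ""         # registry key path, for registry events

# Hypothetical categories the detector keys on (assumptions, not any vendor's rule set).
MAIL_AND_OFFICE = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

def detect_sequences(events, window=timedelta(minutes=5)):
    """Return one alert per host where a mail/Office process spawned a script host
    and a Run key was written on the same host within `window` of that spawn.
    Neither event alone raises an alert; only the ordered pair does."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, e in enumerate(ordered):
        if not (e.kind == "process" and e.parent in MAIL_AND_OFFICE and e.image in SCRIPT_HOSTS):
            continue
        for f in ordered[i + 1:]:
            if f.ts - e.ts > window:          # events are time-ordered, so stop past the window
                break
            if f.host == e.host and f.kind == "registry" and f.key.startswith(RUN_KEY):
                alerts.append({"host": e.host, "first_seen": e.ts, "detected": f.ts,
                               "dwell": f.ts - e.ts})   # time from first bad event to detection
                break
    return alerts

# Constructed sample telemetry (not real logs). ws1 carries the full chain; ws2 shows each
# event in isolation, which a sequence detector deliberately leaves alone.
T0 = datetime(2020, 9, 2, 9, 0, 0)
SAMPLE = [
    Event(T0, "ws1", "process", parent="explorer.exe", image="outlook.exe"),
    Event(T0 + timedelta(seconds=40), "ws1", "process", parent="outlook.exe", image="powershell.exe"),
    Event(T0 + timedelta(seconds=75), "ws1", "registry", key=RUN_KEY + "\\Updater"),
    Event(T0 + timedelta(seconds=10), "ws2", "process", parent="outlook.exe", image="chrome.exe"),
    Event(T0 + timedelta(seconds=20), "ws2", "registry", key=RUN_KEY + "\\OneDrive"),
]

if __name__ == "__main__":
    for a in detect_sequences(SAMPLE):
        print(f"ALERT {a['host']}: chain first seen {a['first_seen']:%H:%M:%S}, "
              f"detected after {a['dwell'].total_seconds():.0f}s")
```

The "dwell" field is the gap between the first suspicious event and the moment the chain completes, which is the interval a detection like this shrinks from days to minutes.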

Last year, Phillips bolstered Williston Financial Group’s security strategy by replacing its traditional anti-virus program with Falcon Prevent, a next-generation vulnerability prevention program that, like Falcon’s other tools, looks for indicators of compromise rather than attack signatures.

“We are doing everything we can to prevent the attacker from getting in, but we now have the tools to be able to respond if they do get in,” he says. “I feel very comfortable in being able to say, ‘I know what’s going on in my network today.’”