From SolarWinds to Microsoft Exchange to phishing emails, no one, whether business, government, or ordinary person, is a stranger to cyber attacks these days. This is especially true given statistics showing that a ransomware attack occurred every 10 seconds in 2020. Unfortunately, these attacks continue with no end in sight, even with the latest cyber attack prevention tools and procedures in place.
Recently, NetDiligence President Mark Greisiger and Ankura Senior Managing Director Jason Straight spoke about data breaches and the art of their detection, which Straight believes could ultimately play a more valuable role in threat intelligence and intervention than prevention and response do.
Taking it a step further, Straight suggests that a company’s first course of action on uncovering a potential threat may be to make no immediate response at all. Doesn’t that run counter to every protocol in place? Maybe not.
Why the Best Response to Data Breach Detection May Be No Response
It’s a good idea to first level-set on the reality of the cyber threat situation. Greisiger explains that companies have good tools in place: multi-factor authentication for access to public-facing systems, EDR (endpoint detection and response), next-generation AV (anti-virus) backed by AI (artificial intelligence), firewalls, and 24/7 monitoring.
However, Greisiger says, “Perimeter protection tools are falling at an alarming rate because they don’t necessarily take into account threats that come from their supply chain or service providers and vendors they trust. And they don’t recognize quiet threats masquerading as innocent functions that haven’t triggered any activity yet.”
Also, it is practically impossible to stay ahead of cyber attacks when bad actors have plenty of financial incentive to design the next one. Straight agrees.
“Ransomware is an instantly monetized exploitation, which is probably the biggest motivation of all,” Straight says. “So, while prevention is ideal, it is unfortunately almost impossible to stay ahead of attacks. Detection is a must. Too many companies are stuck on prevention and not focusing on recognizing and responding effectively to threats. The reality is we need to act as if the threats are already inside.”
The Art Of Detection
“Unfortunately, there’s no easy button when it comes to cyber threat detection,” Straight says.
“It’s often messy, confusing work learning how to spot things that look unusual and also not jumping to immediate conclusions and investigating them.”
This creates a sort of gray world that is hard to control and uncomfortable for security professionals used to action. But, the security professional’s role is key, Straight explains.
“You’ll need the human factor along with the software and reports to understand the nuanced differences between connections to a new IP address to a country,” Straight says. “They look suspicious but might not always be. It might have been an employee visiting something they probably shouldn’t, but it wasn’t malicious.”
Monitoring and Logging Are Becoming More Important Cyber Tools
Monitoring and logging may seem like monotonous, unnecessary work, even a step backward given the array of protection technology available to companies, but they are now recognized for their invaluable role in cyber safety. Consistent logging gives you a comprehensive baseline to compare against, and that baseline is what lets you tell what is normal from what needs to be investigated.
Straight compares it to his car. “We may not be mechanics but we know when our car sounds or feels wrong to us because we’re in it all the time,” he says. “It’s obvious when it’s running differently. It’s the same when you’re monitoring. You spend so much time in the data that it becomes easier to sense when something isn’t right, rather than relying on technology to alert you. So know what is normal and be on alert for what is weird.”
But, the biggest change to today’s cybersecurity tools and procedures may just be to do nothing.
Watch and Wait First
Our instinct is to react the moment we see something suspicious. Instead, give yourself time to analyze what you have found so that, if action is needed, you take the right one. Reacting too early can tamper with evidence, such as volatile data on a host you rush to wipe, or tip off an intruder who still has access and may respond with worse damage. Accepting a smaller, contained loss while you watch can therefore be the better trade. Watching and waiting, combined with monitoring and logging, gives you a solid foundation for detecting data breaches that have slipped past even the best protections.
When asked what, if anything, an organization can do to up its detection game, Straight had three takeaways.
- Do the basics right.
  - Define the baseline of what is normal and what is weird in the network
  - Enable multi-factor authentication
  - Make sure you invest in tools that are at least effective at blocking the most common threats
  - Focus on cyber hygiene
  - Have a patch management program
  - Invest in an EDR system
- Select the most effective telemetry.
  - Listen to your network and look at outbound connections, DNS (domain name system) traffic, and NTA (network traffic analytics)
  - Understand, monitor, and log the data
- Get the right cybersecurity professionals.
  - The industry is facing a severe shortage of talent, with three million unfilled positions
  - Companies will have a hard time hiring and keeping these employees
  - It’s wise to find a partner to help fill this expert gap
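As an added example (not code from the interview, from NetDiligence, or from Ankura), the following Python script shows what “define the baseline, then listen to outbound connections and DNS” can look like in practice. It learns, per host, which destinations were contacted and which registered domains were queried during a quiet period, then compares a later window against that baseline: it flags first-seen destinations and domains, random-looking DNS labels of the kind used for tunnelling, and regular beacon-like connections to one destination, and it sorts the affected hosts into “watch” or “investigate” instead of blocking anything automatically. The log format, host names, addresses, domain names and every log line are constructed for the example; the thresholds (labels of 16 or more characters above 3.5 bits of entropy, at least four connections with a gap variation under 10%) are illustrative assumptions, not tuned values.

```python
"""Baseline-versus-observation comparison over outbound connection and DNS logs.

Added example, not code from the NetDiligence/Ankura interview. The log format
("<ISO timestamp> <host> conn <dst_ip:port>" or "... dns <name>"), the hosts,
addresses, domains and every sample line below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
import math
import statistics

# Constructed "quiet week" used to learn what is normal for each host.
BASELINE_LOG = """
2024-03-01T09:00:00 ws-17 dns mail.example.com
2024-03-01T09:00:01 ws-17 conn 198.51.100.20:443
2024-03-01T09:05:00 ws-17 dns updates.example.net
2024-03-01T09:05:01 ws-17 conn 198.51.100.21:443
2024-03-02T09:00:00 ws-17 dns mail.example.com
2024-03-02T09:00:01 ws-17 conn 198.51.100.20:443
2024-03-02T11:00:00 ws-42 dns intranet.example.com
2024-03-02T11:00:01 ws-42 conn 10.0.0.5:443
"""

# Constructed observation window to compare against the baseline.
TODAY_LOG = """
2024-03-08T09:00:00 ws-17 dns mail.example.com
2024-03-08T09:00:01 ws-17 conn 198.51.100.20:443
2024-03-08T09:10:00 ws-17 dns cdn.example.net
2024-03-08T09:10:01 ws-17 conn 198.51.100.30:443
2024-03-08T13:00:00 ws-42 dns 7a9f3c2e1b8d4f6a0c5e.x7q2.biz
2024-03-08T13:00:05 ws-42 conn 203.0.113.77:8443
2024-03-08T13:05:05 ws-42 conn 203.0.113.77:8443
2024-03-08T13:10:05 ws-42 conn 203.0.113.77:8443
2024-03-08T13:15:05 ws-42 conn 203.0.113.77:8443
2024-03-08T13:20:05 ws-42 conn 203.0.113.77:8443
"""


def parse(log):
    """Return (timestamp, host, kind, value) tuples from the constructed format."""
    events = []
    for line in log.strip().splitlines():
        ts, host, kind, value = line.split()
        events.append((datetime.fromisoformat(ts), host, kind, value))
    return events


def registered_domain(name):
    """Crude registered-domain cut (last two labels); a real tool uses the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def build_baseline(events):
    """Per host: destinations contacted and registered domains queried in the quiet period."""
    base = {"conn": defaultdict(set), "dns": defaultdict(set)}
    for _, host, kind, value in events:
        base[kind][host].add(value if kind == "conn" else registered_domain(value))
    return base


def detect(baseline, events, beacon_min=4, beacon_cv=0.1):
    """Compare an observation window with the baseline; return deduplicated findings."""
    findings, seen, conn_times = [], set(), defaultdict(list)

    def note(host, ftype, value, **extra):
        if (host, ftype, value) not in seen:  # report each (host, type, value) once
            seen.add((host, ftype, value))
            findings.append({"host": host, "type": ftype, "value": value, **extra})

    for ts, host, kind, value in events:
        if kind == "conn":
            conn_times[(host, value)].append(ts)
            if value not in baseline["conn"][host]:
                note(host, "first_seen_destination", value)
        else:
            if registered_domain(value) not in baseline["dns"][host]:
                note(host, "first_seen_domain", value)
            first = value.split(".")[0]  # assumed thresholds: long, high-entropy leftmost label
            if len(first) >= 16 and label_entropy(first) > 3.5:
                note(host, "high_entropy_dns_label", value, entropy=round(label_entropy(first), 2))
    # Regular, repeated contact with one destination looks like command-and-control check-ins.
    for (host, dst), times in conn_times.items():
        if len(times) >= beacon_min:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < beacon_cv:
                note(host, "beacon_like", dst, interval_s=round(mean))
    return findings


def triage(findings):
    """Watch-and-wait disposition: one odd signal is watched, several on one host are investigated."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["type"])
    return {h: ("investigate" if len(t) >= 2 else "watch") for h, t in per_host.items()}


if __name__ == "__main__":
    found = detect(build_baseline(parse(BASELINE_LOG)), parse(TODAY_LOG))
    print(*found, triage(found), sep="\n")
```

On the constructed data, ws-17 produces a single first-seen destination and stays on “watch”, which is the benign “employee visiting a new site” case the interview warns against over-reacting to; ws-42 produces a first-seen domain with a random-looking label, a first-seen destination and a five-minute beacon to it, and is marked “investigate”. Nothing is blocked or killed by the script: the output is a queue for a human to look at, which is the watch-and-wait posture the article describes. The registered-domain cut is deliberately crude and would need the public suffix list before use on real traffic.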
Straight mentions that Ankura helps companies fill this gap by providing threat detection consultants. Companies benefit because these professionals do threat detection every day and become intimately familiar with a network’s structure, so they can tell when it sounds “off” and when it is running smoothly.
Watch the full video for Jason Straight’s story about a threat that wasn’t and more about data breach detection.
We thank Straight for speaking with us about data breaches and the art of detection. As Senior Managing Director and Chief Privacy Officer at Ankura, based in New York, Straight is a leader in the cybersecurity and privacy consulting practice and oversees Ankura’s internal data privacy program. He has extensive experience managing complex cybersecurity investigations and data breach events in a wide variety of industries involving a range of threat actors, including malicious insiders, organized criminal operations, and state-sponsored groups.