3 tips to improve threat detection and incident response

The big question is no longer how to prevent attacks, but how to be effective and agile when an incident occurs


No matter the height or thickness of any wall you might try to build, the unfortunate reality is someone will most likely be able to breach it. It’s really just a matter of when and how.

Just as you close your doors and windows when you leave the house, you need preventative security measures in place to protect your systems. However, these measures themselves are not enough. If you assume the bad guys will find a way to breach your protective walls, it makes more sense to focus on threat detection and incident response as ways to mitigate damage when the inevitable breach occurs.

3 security controls to improve threat detection

The following three security controls are surefire ways to strengthen the detective capabilities of your system.

1. Know your assets

If someone asked you to list the internet-connected devices in your home and estimate the data storage capacities of these gadgets, could you provide an accurate answer? Chances are high that you would not be able to account for all of them. A home is a relatively small, contained environment; just imagine how much more of a challenge it is for organizations to fully identify assets they own and know where all of their data lives. If you also factor in all of the additional devices that employees connect to the corporate network, then “knowing your assets” in a corporate environment becomes even more of a challenge.

Businesses need to know that information, though, before they develop and implement a security plan: what assets they have, where the assets are located, and which ones need the most protection. Once you know what these high-priority assets are, then you can implement appropriate security controls to protect and monitor them. Doing so will ensure that if an asset is breached, attacked or compromised, you will be able to detect this and respond immediately.

Unfortunately, in the vast majority of cases, organizations lack the visibility and threat detection infrastructure to realize they've been breached until many months after the fact. Taking steps now to identify, secure and monitor your high-value assets can help ensure you don’t end up in a similar situation.

2. Implement behavioral monitoring

Behavioral monitoring is based on an understanding of what constitutes normal or acceptable behavior. IT personnel can observe certain aspects of their infrastructure to gain insight into the kinds of activity that are considered “normal” and use them to establish a baseline. If a regular routine is established to monitor activity and analyze patterns, then anomalies that deviate from the norm can be flagged as potential issues and investigated accordingly.


For example, service monitoring provides visibility into service uptime, and any unexpected outages can be identified quickly if downtime is not an expected behavior. Similarly, netflow analysis can provide high-level trends related to which protocols are being used, which hosts are using the protocols, and average bandwidth usage. Any major deviations from the norm can indicate malicious activity.

The real value in behavioral monitoring is that once a baseline is established, a person does not need to be intimately familiar with the underlying technology to recognize anomalies. For example, if traffic between two systems has been relatively stable but then suddenly spikes, that is an immediate red flag to investigate, even if detailed information about the kinds of systems involved or the protocols used is unknown.

Therefore, implementing even basic behavioral monitoring capabilities can be extremely beneficial for identifying unknown threats, suspicious behavior and even policy violations.
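The traffic-spike case above is easy to turn into a concrete check. The following is an added example, not code from the article: it builds a per-host-pair baseline from a week of constructed daily byte totals (the way a netflow collector would summarize them), then flags today's pairs that deviate sharply from their own history and pairs that have no history at all. The IP addresses, byte counts, and thresholds are all made up for illustration.

```python
from statistics import mean, pstdev

# Constructed sample: daily byte totals per (src, dst) host pair over a
# seven-day baseline window, followed by today's totals. Values are made up.
BASELINE_DAYS = {
    ("10.0.1.5", "10.0.2.20"): [1_200_000, 1_150_000, 1_300_000, 1_180_000,
                                1_250_000, 1_220_000, 1_190_000],
    ("10.0.1.7", "10.0.2.21"): [400_000, 380_000, 420_000, 410_000,
                                390_000, 405_000, 395_000],
    ("10.0.1.9", "10.0.2.22"): [50_000, 52_000, 49_000, 51_000,
                                50_500, 49_500, 50_200],
}
TODAY = {
    ("10.0.1.5", "10.0.2.20"): 1_210_000,   # within its normal range
    ("10.0.1.7", "10.0.2.21"): 9_800_000,   # roughly 24x its usual volume
    ("10.0.1.9", "10.0.2.22"): 50_100,      # within its normal range
    ("10.0.1.9", "203.0.113.8"): 700_000,   # pair never seen in the baseline
}


def build_baseline(history):
    """Per-pair (mean, population std-dev) of daily bytes."""
    return {pair: (mean(days), pstdev(days)) for pair, days in history.items()}


def find_anomalies(baseline, today, z_threshold=4.0, min_ratio=3.0):
    """Flag pairs whose volume deviates sharply from their own baseline, plus
    pairs with no baseline at all. Returns (pair, kind, observed, ratio)."""
    findings = []
    for pair, observed in today.items():
        if pair not in baseline:
            # No history to compare against: new peer, worth a look on its own.
            findings.append((pair, "new_pair", observed, None))
            continue
        mu, sigma = baseline[pair]
        # Floor sigma at 5% of the mean so a very flat baseline does not turn
        # ordinary jitter into a huge z-score.
        z = (observed - mu) / max(sigma, 0.05 * mu, 1.0)
        ratio = observed / mu if mu else float("inf")
        if z > z_threshold and ratio >= min_ratio:
            findings.append((pair, "volume_spike", observed, round(ratio, 1)))
    return findings


def run_example():
    """Apply the check to the constructed data; used by the demo below."""
    return find_anomalies(build_baseline(BASELINE_DAYS), TODAY)


if __name__ == "__main__":
    for pair, kind, observed, ratio in run_example():
        print(f"{kind:<13} {pair[0]} -> {pair[1]}  bytes={observed:,}"
              + (f"  ({ratio}x baseline)" if ratio else ""))
```

Note that the check needs nothing but the counts: the analyst does not have to know what the two hosts are or which protocol runs between them to see that 9.8 MB against a 400 KB norm deserves a ticket. Requiring both a z-score and a minimum ratio keeps tiny absolute changes on very quiet pairs from paging anyone.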

3. Prioritize vulnerability scanning

Vulnerability scanning and management technologies and methodologies have evolved to support demand from customers who are looking to meet compliance and regulatory requirements. In simple terms, vulnerability scanning entails searching for vulnerabilities within an environment.

To better understand this concept, pretend we’re running a vulnerability scan on a house. The return results would probably look something like this: open bedroom window, unlocked bathroom window, weak garage door lock, unlocked inner door, open curtains/blinds, etc.

Vulnerability scans of a network might list hundreds, if not thousands, of vulnerabilities. For most organizations, addressing each and every one is not possible. So, the bigger question is: which of the identified vulnerabilities merit attention and remediation?

Ultimately it boils down to having context around each vulnerability. For example, in the house analogy, you can assess the seriousness of an open window by considering whether it is located on the ground floor, where it is easy for someone to climb into the house, or on the 10th floor, where an attacker would have to rappel down from the rooftop to gain entry (making a breach much less likely). The first case would obviously indicate a situation that requires your immediate attention, while the second one could be overlooked.

External factors also play a big role in assessing the severity of vulnerabilities. For example, a weak garage door lock may not be a problem if you store nothing of value in it and live in an area with low crime rates. Conversely, the lock might become a higher priority issue if you live in a high-crime area and you park an expensive car in it.

Ultimately, addressing vulnerabilities is a lot like managing any other identified risk. And having access to additional information adds the context needed to make appropriate risk-based decisions.
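Putting the house analogy into code makes the point concrete. The following is an added example, not the article's own: it weights each scanner finding by the context described above, namely how valuable the asset is (from the inventory that tip 1 asks you to build), whether it is exposed to the internet (ground floor versus 10th floor), and whether a working exploit is publicly known (the neighborhood crime rate). The hosts, the VULN-nnn identifiers and the scores are constructed placeholders, not real CVEs or real systems, and the integer weights are an illustrative choice rather than a standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int       # 1 (low value) .. 5 (crown jewel), from the asset inventory
    internet_facing: bool  # exposure: reachable from outside the network?


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed placeholder id, not a real CVE
    host: str
    cvss: float            # scanner severity, 0..10
    exploit_public: bool   # context: is a working exploit publicly known?


# Constructed inventory and scanner output; every value here is illustrative.
ASSETS = {
    "web-01":    Asset("web-01", criticality=4, internet_facing=True),
    "db-01":     Asset("db-01", criticality=5, internet_facing=False),
    "lab-vm-03": Asset("lab-vm-03", criticality=1, internet_facing=False),
}
FINDINGS = [
    Finding("VULN-001", "web-01", cvss=7.5, exploit_public=True),
    Finding("VULN-002", "db-01", cvss=6.5, exploit_public=False),
    Finding("VULN-003", "lab-vm-03", cvss=9.8, exploit_public=False),
    Finding("VULN-004", "web-01", cvss=5.3, exploit_public=False),
    Finding("VULN-005", "printer-17", cvss=4.0, exploit_public=False),  # not in inventory
]

UNKNOWN_ASSET_CRITICALITY = 3  # conservative default when the inventory has a gap


def priority_score(finding, assets):
    """Scanner severity multiplied by the context the text describes.
    Integer weights keep the arithmetic easy to reason about."""
    asset = assets.get(finding.host)
    if asset is None:
        # A finding on a host nobody has inventoried is also a tip-1 problem.
        criticality, exposure, note = UNKNOWN_ASSET_CRITICALITY, 1, "not in inventory"
    else:
        criticality = asset.criticality
        exposure = 2 if asset.internet_facing else 1   # ground floor vs. 10th floor
        note = ""
    exploitability = 3 if finding.exploit_public else 2  # the neighborhood crime rate
    return finding.cvss * criticality * exposure * exploitability, note


def prioritize(findings, assets):
    """Return (finding, score, note) rows ordered for remediation, highest first."""
    scored = [(f, *priority_score(f, assets)) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for f, score, note in prioritize(FINDINGS, ASSETS):
        print(f"{f.vuln_id} on {f.host:<10} cvss={f.cvss:<4} priority={score:>6.1f} {note}")
```

Run as-is, the 9.8 on the isolated lab VM lands at the bottom of the list while a 5.3 on the internet-facing web server outranks it, which is exactly the ground-floor-window versus 10th-floor-window judgment the analogy asks for. The finding on the un-inventoried printer gets a middling default score and a note, so the inventory gap surfaces alongside the vulnerability instead of silently dropping it.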

Security Trifecta = Effectiveness and Agility

I think we can all agree that the big question we face is no longer how to prevent attacks, but how to be effective and agile when an incident occurs. If you can detect and respond to threats immediately, you can greatly minimize the damage done. And in a world where you assume a patient attacker will eventually find a way in, isn’t this the best situation you can hope for?

This article is published as part of the IDG Contributor Network.
