Why Indian firms need to embrace the ‘Detection and Response’ approach sooner

Leaving risk unaddressed can have dire consequences: technology is now the foundation of the business, so any disruption to the technology also disrupts the business.


With Indian enterprises becoming increasingly reliant on digital transformation to grow and to offer newer experiences to their customers, it has become incumbent on CIOs and CTOs to place big technology bets for the future of their businesses. As these ‘digital transformation’ initiatives get executed, organizations inherently increase their attack surface and ultimately their business risk. Leaving this risk unaddressed can have dire consequences: technology is now the foundation of the business, so any disruption to the technology also disrupts the business.

Take a look at any of the headline-making breaches in which this kind of business disruption from unaddressed cyber risk has occurred. Drill past the news headlines into the details of the breach and almost all of them have the same notable thing in common: the threat actor was in the victim's network unnoticed for months, or sometimes even years, before being discovered.

At FireEye we call this duration “dwell time”: the time between when the intruder entered the network and when the intruder was discovered. Dwell time is the central metric that we highlight and share annually in our M-Trends Report. Dwell time for the Asia Pacific region is worse than for any other region in the world. The measured average in the APAC region for 2018 was 204 days to discover that a prevention failure had occurred and that a remote attacker had infiltrated the victim's network. That is a notable improvement on the 2017 dwell time of 520 days, but while things are improving, seven months is still far too long for an intruder to go unnoticed in any network.

Given that organizations do such a poor job of detecting these prevention failures, we should ask: “How can we address this dwell time problem?” Historically, many organizations answered, “Let's add more layers of prevention to address the root cause.” While prevention is important, adding more layers did not do much to slow the rate of successful breaches or to reduce dwell time. Only recently have organizations started answering the question differently: “Let's acknowledge that no prevention stack is perfect and that breaches are inevitable. Let's add a capability to detect prevention failures more quickly, so we can respond to them before any damage is done.” The industry calls this approach “detection and response”, and it has wide endorsement from market analysts, technical experts and military leaders alike.

If you could shorten dwell time and catch an intruder soon after they enter the network, would it help? Many organizations believe so, and have had their SOCs shift from counting malware to measuring ‘time to detect’ and ‘time to respond’ as their focus metrics. Remember that most breaches today, 91 percent by some estimates, start with email. When an email attack succeeds, the system that is initially compromised is the desktop or laptop used to read the email, which is unlikely to hold much important data. It is up to the attacker to start from that initially compromised system, understand the layout of the internal network, find the important servers, find ways to access them, move laterally to them, extract and exfiltrate data, and do it all without being noticed. Each of those steps takes time and leaves traces, and those traces are what a detection and response capability looks for.

Take, for example, one of India's largest financial heists, which occurred last year. It was reported that the attackers:

- stole ₹78.5 crore through withdrawals from 12,000 ATMs in 28 countries
- stole ₹2.5 crore using RuPay cards
- stole ₹13 crore transferred to a Hong Kong-based trading firm
- had failed in their first attempt on the international money transfer system, and that failure went unnoticed
- impersonated the bank, using a proxy to bypass its systems

How long after breaking into the bank's network did it take the attackers to learn the bank's systems and processes, gain access to and take control of multiple payment systems, and build and deploy the bypassing proxy infrastructure that made the attack succeed? None of that happens in a day, and every day of it is dwell time.

Significant efforts are under way to catalog all of the different ways attackers carry out each of these stages of an attack. One excellent example of such a framework is MITRE ATT&CK. Detection and response focuses on the post-exploitation stages of these frameworks: the stages after the threat actor has achieved initial compromise (the “Initial Access” tactic, in ATT&CK terms), in other words the stages after you have had a prevention failure. Offerings such as endpoint detection and response (EDR) and managed detection and response (MDR) have come to market to help organizations notice and respond to prevention failures more quickly. MDR services are particularly important because detection and response requires investigation, investigation requires skilled expertise, and technology alone is not sufficient to drive an effective detection and response outcome. Facing a talent gap and skills shortage, many organizations that see the importance of detection and response choose to outsource the capability to an MDR provider rather than build it in house.
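To make the post-exploitation focus concrete, here is a small added example (not FireEye's code and not part of the original article) that ties together two points made above: the attacker's path from a phished workstation to the important servers, and the SOC's shift to ‘time to detect’ as a metric. It runs one toy detection rule, a workstation logging on to several distinct servers within a short window, which maps to the real ATT&CK tactic Lateral Movement (technique T1021, Remote Services), over constructed authentication events. The hostnames, user names, timestamps, the threshold of three servers and the ten-minute window are all invented for the illustration; a real EDR or SIEM would tune them against the environment's baseline.

```python
"""Toy post-exploitation detection over constructed auth events, plus the
'time to detect' (dwell time) measurement the article recommends tracking.
Added example; not the article's or FireEye's code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample telemetry, not real data. Fields: time, source host,
# destination host, user, action. WS-17 is the workstation that opened the
# phishing attachment; WS-22 is an ordinary user doing ordinary work.
SAMPLE_LOG = """\
2018-08-01T09:02:11 WS-17 MAIL-01 alice attachment_opened
2018-08-01T09:03:40 WS-17 WS-17 alice process_start:powershell.exe
2018-08-01T09:05:02 WS-17 DC-01 alice logon
2018-08-01T09:05:45 WS-17 FILE-02 alice logon
2018-08-01T09:06:10 WS-17 SWIFT-GW alice logon
2018-08-01T09:06:55 WS-17 ATM-SWITCH alice logon
2018-08-01T10:15:00 WS-22 FILE-02 bob logon
2018-08-01T10:16:00 WS-22 PRINT-01 bob logon
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    src: str
    dst: str
    user: str
    action: str


@dataclass(frozen=True)
class Alert:
    time: datetime   # when the rule fired: the SOC's "detected" timestamp
    host: str        # the source host the rule flagged
    tactic: str      # ATT&CK tactic the behaviour maps to
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse one whitespace-separated event per line, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, user, action = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), src, dst, user, action))
    return sorted(events, key=lambda e: e.time)


def detect_lateral_movement(events: List[Event], threshold: int = 3,
                            window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Fire once per source host the first time it logs on to `threshold`
    distinct other hosts inside a sliding `window` (ATT&CK Lateral Movement,
    e.g. T1021 Remote Services). Threshold and window are toy assumptions."""
    recent = defaultdict(list)   # src host -> logons still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev.action != "logon" or ev.src == ev.dst:
            continue                      # only remote logons are interesting
        hist = recent[ev.src] + [ev]
        hist = [e for e in hist if ev.time - e.time <= window]   # expire old ones
        recent[ev.src] = hist
        targets = {e.dst for e in hist}
        if len(targets) >= threshold and ev.src not in alerted:
            alerted.add(ev.src)
            alerts.append(Alert(ev.time, ev.src, "Lateral Movement",
                                f"{ev.src} reached {sorted(targets)} within {window}"))
    return alerts


def time_to_detect(events: List[Event], alert: Alert) -> timedelta:
    """Dwell time as the article defines it: from the first activity on the
    flagged host (here, opening the attachment) to the moment of detection."""
    first = min(e.time for e in events if e.src == alert.host)
    return alert.time - first


def run(log_text: str = SAMPLE_LOG):
    """Parse, detect, and pair every alert with its time to detect."""
    events = parse_log(log_text)
    return [(a, time_to_detect(events, a)) for a in detect_lateral_movement(events)]


if __name__ == "__main__":
    for alert, ttd in run():
        print(f"[{alert.time}] {alert.tactic}: {alert.detail}")
        print(f"   time to detect: {ttd}")
```

On the sample data the rule fires for WS-17 at the third distinct server (SWIFT-GW) and reports a time to detect of just under four minutes, while WS-22's two file-and-print logons stay below the threshold. The point is not the heuristic itself, which is deliberately simple, but that the metric is computed from the first post-compromise event rather than from the count of blocked malware, and that each lateral step gives the defender a fresh chance to notice the prevention failure.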

This is not to say that detection and response replaces prevention. Simply put, both are needed. As FireEye CEO Kevin Mandia says, "Deliver the outcome that if you do get compromised, we eliminate the impact … and that is actually possible operationally." Some intrusions can be prevented. Most intrusions can be prevented if the prevention is strong enough, but preventing all of them is just not possible. When prevention fails, be ready to detect the threat and respond to it quickly, before any business impact can occur.

Steve Ledzian is the chief technology officer for APAC at FireEye.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).

Copyright © 2019 IDG Communications, Inc.
