Originally Posted: January 14, 2023
Let’s start with the bottom line – Security Detection and Response is about finding and stopping the threats which have managed to get past all other security technologies and controls. Sadly, this is happening with an ever-increasing frequency. Recent high-profile events have shown that perpetrators are still both regularly getting past traditional controls and inflicting severe business impact.
Given the situation, it’s worth noting that “Detection Engineering” is becoming a thing in SecOps, along with metrics and Maturity Models.
With general staff and skill shortages, finding suitably skilled and experienced security analysts is becoming a very challenging situation for many organisations. Not only is finding suitably skilled people difficult, but so is retaining them. In many environments, very manual and tedious processes achieve only limited productivity and effectiveness, and lead to low job satisfaction and premature burnout of staff. Staffing challenges in this space have been identified by many organisations as a business risk. I can’t see this situation improving any time soon.
With the world heading into somewhat questionable economic times and cyber business risks only increasing, a high impact return MUST be achieved on any security technology investment. This is where I would suggest that latest-generation Detection systems can provide a very strong operational capability.
Security Analytics, in particular Network Detection and Response (NDR), has advanced significantly in the last few years thanks to Machine Learning and AI technology coupled with greatly increased hardware processing power. Today this technology can process vast amounts of data on high-speed networks and detect events that humans using traditional approaches simply cannot.
NDR technology can be deployed quickly by utilising a simple network tap at a suitable point (or points) in the network, Cloud or DC. It gains deep insight quickly, without the sometimes more complex rollout of other security technologies.
From a risk perspective, NDR is capable of detecting many threats not seen by traditional techniques such as IDS/IPS or their integrations in NGFWs. Malware-less attacks such as Living-off-the-Land and credential compromises are examples.
In other cases, NDR’s Behavioural Analysis can result in successful detections far earlier in the kill chain than was previously possible.
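To make that contrast concrete, here is an added example (not code from the original post) run over constructed flow records: an indicator-matching check in the style of a signature IDS finds nothing in a malware-less pattern that uses only built-in protocols, while a simple per-host baseline comparison flags the host whose behaviour changed. Host names, ports, the indicator list and the threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dport); not taken from the original post.
# Baseline period: each workstation talks to a small, stable set of services.
BASELINE = [
    ("ws-07", "fileserver", 445), ("ws-07", "dns", 53), ("ws-07", "proxy", 8080),
    ("ws-07", "fileserver", 445), ("ws-07", "dns", 53),
    ("ws-12", "fileserver", 445), ("ws-12", "proxy", 8080),
]
# Later observation window: ws-07 starts contacting many peer workstations on
# 445 using only the built-in file-sharing protocol, so there is no malware
# payload or known-bad destination for a signature to match on.
WINDOW = [
    ("ws-07", "dns", 53), ("ws-07", "fileserver", 445),
    ("ws-07", "ws-01", 445), ("ws-07", "ws-02", 445), ("ws-07", "ws-03", 445),
    ("ws-07", "ws-04", 445), ("ws-07", "ws-05", 445),
    ("ws-12", "fileserver", 445),
]
KNOWN_BAD_HOSTS = {"c2.example.invalid"}  # constructed indicator list


def signature_hits(flows, bad_hosts=KNOWN_BAD_HOSTS):
    """IDS-style check: fires only when a flow touches a known indicator."""
    return [f for f in flows if f[1] in bad_hosts]


def peer_profile(flows):
    """Per-source set of (dst, dport) pairs observed in the given flows."""
    profile = defaultdict(set)
    for src, dst, dport in flows:
        profile[src].add((dst, dport))
    return profile


def behavioural_alerts(baseline, window, max_new_peers=3):
    """Flag sources that contact more new (dst, dport) pairs than the baseline tolerates."""
    base = peer_profile(baseline)
    alerts = {}
    for src, pairs in peer_profile(window).items():
        new_pairs = pairs - base.get(src, set())
        if len(new_pairs) > max_new_peers:
            alerts[src] = sorted(new_pairs)
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_hits(WINDOW))          # []
    print("behavioural alerts:", behavioural_alerts(BASELINE, WINDOW))
```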
Network based detection sits outside the blast radius of the endpoints, servers, etc, meaning that it can’t be easily interfered with or disabled in the attack process. Let’s not forget the myriad of highly insecure IoT devices which are now prevalent on networks and can’t run EDR agents.
AI, ML and particularly Natural Language Processing (NLP) based techniques can automate many of the time-consuming and repetitive tasks SecOps teams are facing. In fact, experience has shown reductions of 80-90% in the repetitive work. This tooling makes the SecOps team far more effective by allowing them to focus on what truly matters.
An investment in Detecting and Responding to events early, with limited staffing, provides a significant ROI. For example, catching that initial Ransomware infection, or the foothold of a compromised IoT device. These are good news stories which can be reported as wins, enhancing the image and morale of SecOps teams.