Measuring the Detection and Response Gap
Despite efforts to stockpile the best technology and assemble an army of defenders, today's security organizations struggle with inefficiencies.
Threat actors are getting more efficient at compromising networks, taking only minutes or less to compromise systems. Organizations, meanwhile, are taking weeks (or longer) to discover breaches - and oftentimes they had to be notified by customers or law enforcement, not even their own security measures.
As you can see in the chart below, which is essentially a study of successful breaches, the defenders are not doing a great job despite their best efforts and a lot of investments. In fact, very little improvement has been seen over the last 10 years. Back in 2005, approximately 12% of breaches were discovered in days or less, and today that has increased marginally to just under 25%. However, the gap between the time to compromise and the time to discover an attack is getting wider. The detection deficit isn't closing. It's getting worse.
Given the heightened spotlight on security, the emergence of new technologies and products, and the rise in information security spending and budgets in the last decade, organizations must confront a difficult question - is all that new stuff actually making any difference or are the attackers just improving faster than we can?
It can be difficult, if not impossible, to improve your security operations if you are unable to measure performance, efficiency, and growth over time. Many organizations lack the structure or the means to achieve this and are left with little to no understanding of how efficient or helpful their efforts have been.
Why is that? And what can be done to change that? How can organizations gain visibility into their security teams' effectiveness?
Threat Management is Merciless and Messy
To understand this, we need to understand the big picture. Cyber threats take many forms - malware, phishing, authentication attacks, application attacks, ransomware - and they come at you fast, often simultaneously. Then there's your security personnel (SOC teams, incident response teams, threat intelligence teams, risk managers, etc.), all of whom are trying to deflect the threats. Sometimes they work well together, but as they frantically try to study, respond to, and mitigate an onslaught of threats and attacks using different tools and controls, their efforts are often disconnected and lack coordination - this is what we call fragmentation.
Most breaches happen, not because a tool doesn't work or is inefficient, but because hackers find ways to penetrate your network in between the very tools and teams put in place to keep them out.
Despite efforts to stockpile the best technology that money can buy and assemble an army of defenders, today's security organizations struggle with inefficiencies. Deploying all those investments and human resources and making them work optimally, for the most part, isn't happening. We call it "death by inefficiency," and the data backs it up.
A 2015 survey by Dark Reading and InformationWeek found that the biggest challenge faced by security teams was not preventing data breaches from outside attackers or data theft by employees, but managing the complexity of security itself. In other words, dealing with the outcome of fragmentation is more difficult than managing threats.
What Can Be Done About It?
- Manage in One Place - Build processes to manage your security infrastructure from one central hub. Keep track of workflows and tasks.
- Eliminate Silos - Having one place to work together, whether you're a threat analyst, IR, security director, or CISO, is critical. Without it, teams are scattered, knowledge transfer is problematic, and processes and hand-offs between teams are limited (believe us, you don't want to be doing that stuff over email).
- Build and Share Knowledge Across Technologies - Strive for visibility across your security products. Automatically share IOCs to the relevant tool or system, right in one platform. You don't have to use a different system to set up a rule or enrich your data - everything should be in one central place.
- Connect Intel Data and Feeds - Stop logging into multiple vendor portals. Aggregate information from different intel providers, data, and feeds and put it into one place.
- Automate - Automate parts of the cybersecurity process to establish a faster, more streamlined process for a quicker response and reduced detection deficit.
- Connect Threat Intel to Vulnerabilities, Controls, and Risk - Don't just focus on intelligence about threats. Determine whether you are susceptible to a threat and whether it is specifically targeted at you, and then tie that knowledge into your risk management practice.
- Orchestration - Improve response times by taking automated, coordinated, adaptive action across technologies. Create customizable playbooks to increase efficiencies and speed up response efforts.
- Test and review periodically - As processes change, continually test and edit your workflows accordingly.
- In-platform Analytics - Analyzing data should not be an afterthought or secondary system to your security operations. Analytics are critical to informing strategic management decisions such as what security investments to make next or what risks may be in an acquisition target.
As I see it, measuring detection and response times tells you the end result, but measuring how well you perform against the areas above can give you a clearer picture of whether or not you are on the path to closing the gap. I recommend organizations determine what metrics they can realistically collect "upstream" from detection and response - incident investigations, team collaboration, intel feed value, volume of menial tasks automated, and creation of intelligence. Any improvement or degradation in those metrics may tell you a meaningful story about why the detection-response gap isn't closing.
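To make the "end result" measurement concrete, here is an added example (not code from the original post or from ThreatConnect) that computes time-to-discover, time-to-contain, the share of breaches found within "days or less", and whether your own controls or an outside party found each one, from constructed incident records. The Incident fields, the sample timestamps and the two-day threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Incident:
    incident_id: str
    compromised_at: datetime  # first attacker access (from the investigation)
    discovered_at: datetime   # when the organization learned of the breach
    contained_at: datetime    # when response ended the attacker's access
    discovered_by: str        # "internal" (own controls) or "external" (customer, law enforcement)


# Constructed sample records; the timestamps are illustrative, not real incidents.
INCIDENTS = [
    Incident("INC-1", datetime(2016, 1, 4, 9, 0), datetime(2016, 1, 4, 18, 30), datetime(2016, 1, 5, 12, 0), "internal"),
    Incident("INC-2", datetime(2016, 1, 10, 2, 15), datetime(2016, 2, 20, 11, 0), datetime(2016, 2, 24, 16, 0), "external"),
    Incident("INC-3", datetime(2016, 2, 1, 14, 0), datetime(2016, 2, 3, 10, 0), datetime(2016, 2, 4, 9, 0), "internal"),
    Incident("INC-4", datetime(2016, 3, 7, 8, 0), datetime(2016, 4, 30, 13, 0), datetime(2016, 5, 2, 17, 0), "external"),
]


def _days(deltas):
    return [d.total_seconds() / 86400 for d in deltas]


def detection_deficit_report(incidents, fast_threshold=timedelta(days=2)):
    """Summarize time-to-discover (TTD) and time-to-contain (TTC) in days.

    fast_threshold is the assumed cut-off for "discovered in days or less".
    """
    if not incidents:
        raise ValueError("no incidents to measure")
    ttd = [i.discovered_at - i.compromised_at for i in incidents]
    ttc = [i.contained_at - i.discovered_at for i in incidents]
    fast = sum(1 for d in ttd if d <= fast_threshold)
    external = sum(1 for i in incidents if i.discovered_by == "external")
    # Split TTD by who found the breach: a large gap between the two medians
    # means your own controls are not the ones catching the slow-to-find cases.
    by_source = {}
    for src in sorted({i.discovered_by for i in incidents}):
        by_source[src] = median(_days(d for i, d in zip(incidents, ttd) if i.discovered_by == src))
    return {
        "incidents": len(incidents),
        "median_days_to_discover": median(_days(ttd)),
        "median_days_to_contain": median(_days(ttc)),
        "pct_discovered_within_threshold": 100.0 * fast / len(incidents),
        "pct_discovered_externally": 100.0 * external / len(incidents),
        "median_days_to_discover_by_source": by_source,
    }


if __name__ == "__main__":
    for key, value in detection_deficit_report(INCIDENTS).items():
        print(f"{key}: {value}")
```

Tracking these numbers per quarter, alongside the upstream metrics listed above, is what lets you see whether the deficit is actually narrowing.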
Using the ThreatConnect Platform and the best practices described here, your organization can seamlessly integrate all of your tools and examine the upstream activities needed to cut the detection deficit, then run seamless, intelligence-driven security teams, and provide a central place for all of your threat intelligence.