The modern IT organization is well aware that compromises (in the form of both external attacks and insider threats) are more an issue of when than if. You’ve put up some defensive security solutions – AV, endpoint protection, email scanning, etc. – all in an effort to minimize the threat potential.
But, beyond that, what else are you doing?
You might be thinking that putting solutions in place is the strategy, but if you agree with the “when not if” premise, then you already know your security strategy is incomplete and requires more proactive monitoring of the environment.
The Lure of Simply Waiting
It is certainly not effective, but it is not uncommon: many IT organizations focus on establishing “best-effort” protection and hope the solutions will do what they claim. It’s a much easier route to take than the alternative, which means watching over the myriad potential attack vectors by which attackers get in, compromise your systems, and move laterally within the network.
It seems a bit overwhelming – like asking someone to sit in the security office of Disney World, with 100 screens in front of them, tasking them with watching all the patrons, looking for pickpockets. With so much visual information coming in, it’s an impossible task.
It’s the same thing when it comes to compromises on your network – there’s so much business-related activity going on, how are you even supposed to spot a bad guy?
And so you simply choose to wait for an alert, rather than watch proactively for a compromise.
The Reality of Waiting
While most security solutions do a great job at what they do, attackers today are aware of the solutions in use and work tirelessly to find ways to avoid detection – from evasive malware to the use of employee credentials as part of an attack. In fact, data breaches involving the misuse of credentials usually take months or years to be detected.
So, if your strategy is to simply wait for a compromise, you might be waiting a long time, only to find out months or years later that it occurred. That’s what’s known in IT as a “resume-generating event.”
What you need to be doing is actively watching for the compromise.
Source: Verizon, Data Breach Investigations Report (2017)
Watching not Waiting
There’s no excuse to not be watching for compromise, as there are a number of very simple ways you can get started immediately:
- Leverage Solution Alerting – Nearly all your security solutions have some form of auditing and alerting. If you don’t have this configured, it’s your easiest line of defense to get running.
- Don’t Forget Native Auditing – Windows and many enterprise applications come with some form of security auditing.
- Centralize data and alerting using a SIEM – Many security solutions can push data into a security information and event management (SIEM) solution. Here you can corroborate activities from various sources to provide context that may indicate a compromise. If a SIEM is out of your budget, many low-cost event log management solutions exist that can at least help centralize the data and alerting.
The challenge then becomes the overwhelming amount of data (like the Disney example above) and deciding which indicators to look for. You need to find ways to focus your view of the massive amounts of activity data so that you can easily and quickly spot leading indicators of compromise. This can be accomplished by defining exactly which activity your organization considers suspect.
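As an added example (not part of the original post), here is what “defining which activity your organization considers suspect” looks like once centralized Windows logon events are in hand: two explicit rules run over a handful of constructed Security log records. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows IDs; the sample records, the failure threshold, the time window and the business-hours range are all assumptions you would tune to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like a centralized log export:
# (timestamp, event_id, account, source_ip). Not real data.
SAMPLE_EVENTS = [
    ("2017-06-12 02:14:05", 4625, "jdoe", "10.0.5.23"),
    ("2017-06-12 02:14:09", 4625, "jdoe", "10.0.5.23"),
    ("2017-06-12 02:14:12", 4625, "jdoe", "10.0.5.23"),
    ("2017-06-12 02:14:15", 4625, "jdoe", "10.0.5.23"),
    ("2017-06-12 02:14:20", 4624, "jdoe", "10.0.5.23"),
    ("2017-06-12 09:30:00", 4624, "asmith", "10.0.7.4"),
    ("2017-06-12 23:45:00", 4624, "svc_backup", "10.0.9.1"),
]

# Policy: what this (hypothetical) organization considers suspect.
FAILURE_THRESHOLD = 3           # failed logons before a success in the window
WINDOW = timedelta(minutes=5)   # how far back failures count
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 is normal; anything else is not


def parse(events):
    """Turn the raw string timestamps into datetimes for comparison."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, ip)
            for ts, eid, acct, ip in events]


def detect(events):
    """Return alerts as (rule, account, iso_timestamp) tuples, in time order."""
    alerts = []
    recent_failures = defaultdict(list)  # account -> timestamps of 4625 events
    for ts, eid, acct, ip in sorted(parse(events)):
        if eid == 4625:
            recent_failures[acct].append(ts)
        elif eid == 4624:
            # Rule 1: a success preceded by repeated failures inside the window
            # is the classic shape of a guessed or sprayed credential.
            fails = [t for t in recent_failures[acct] if ts - t <= WINDOW]
            if len(fails) >= FAILURE_THRESHOLD:
                alerts.append(("failures_then_success", acct, ts.isoformat()))
            recent_failures[acct].clear()
            # Rule 2: a successful logon outside business hours is worth a look
            # on its own, even with no failures in front of it.
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("after_hours_logon", acct, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The point is not these two rules in particular but that each one is a written-down definition of “suspect” that a SIEM or log manager can evaluate continuously, instead of a human staring at every logon.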
The important part here is to start somewhere. Remember, waiting is not a security strategy.
Not sure what indicators you should be looking for? Download the Whitepaper, Key Indicators of Compromise and get details on specific indicators that will help you spot compromises in your network.