In our previous blog post, we spoke about the industry trend to move beyond prevention to an adaptive approach to security that integrates detection and response. But why is prevention not enough, and what should you look for when you make the switch?
Threats are more sophisticated than ever before
Cyber attacks are growing in quantity, complexity, and sophistication. Threats lurk throughout your organization. Traditionally experts have promoted a layered approach to security based on point solutions that address separate attack vectors and vulnerabilities in the IT infrastructure. Still attackers have been getting in through the cracks, triggering tens, hundreds or even thousands of alerts each day that must be reviewed. Human analysts are left to piece together massive amounts of information in order to detect the breaches that the prevention systems failed to block. There just isn’t the man-power or in many cases, the expertise, to do this and many alerts are never even investigated.
Today it’s clear that while important, prevention just isn’t enough. As threats evolve, so must the solutions we use to defeat them. Organizations require a new approach for cyber defense: a multi-dimensional, integrated approach that reveals the complete threat storyline and accelerates response.
Detection and response technology—how do you decide its right for you?
Experts are increasingly aware that only an adaptive and cohesive approach can adequately defend against complex attacks. Detection and response solutions are rapidly becoming a standard of organization’s security, whether in house or via a managed security service provider (MSSP). But there are many products out there. How do you choose which one is right for your organization’s needs?
A good detection and response system should be fully integrated and able to use multiple forms of information for the most thorough threat assessment and the best chance of locating and countering an attack. The technology must also be clear and easy to use for analysts at all skill levels. And the best solution will use automated investigation to accelerate the path from detection to response and positively impact productivity.
Automated investigation – what does it mean?
Automated investigation is the evolution from an alert-driven approach to an intelligence-driven approach to cyber security. To get a complete picture of a breach as it unfolds, the detection and response solution must leverage a set of integrated detection and forensics sensors. It should automatically investigate every single lead, continuously evaluating all of the available data, finding the connections, and building and updating incident storylines, and prioritizing the threats it detects.
Like a team of human analysts, automated investigation works around the clock to develop visual, fully-documented incidents rather than long lists of alerts, as well as a clear remediation plan that even the most junior analyst can understand.
The prevention technologies that used to keep us safe are no longer adequate. As the stakes get higher, hackers will always find a way around them. But once attackers are on our networks, there is no way to completely hide their tracks. If we know what signs to look for, and are vigilant in the search, we can keep up. That is why Gartner predicts that by 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response. Given the shortage of skilled analysts and the increasing amount of noise, only automated investigation can provide the 24/7 coverage and the clear incident storylines that enable over-stretched teams to do more with less. It is the key to a successful man-machine alliance in the war against cyber-attacks.
For a complete view of what to look for in an effective defense and response solution, read our Buyer’s Guide post or watch our free, on demand webinar where Gartner’s VP Distinguished Analyst, Neil MacDonald helps to look at what it takes to implement effective detection and response and how to make it work for your organization.