Companies are spending more than ever to protect their digital assets. Gartner predicts that worldwide spending on information security and risk management products and services will hit $188.3 billion in 2023 — and is projected to reach $260 billion by 2026.
Yet, cybersecurity incidents continue to grow. The global cost of cybercrime is increasing by 15% year-over-year and is expected to reach $10.5 trillion by 2025. Last year alone, 4,100 publicly disclosed breaches occurred, exposing 22 billion records and data from tens of millions of people.
Simply spending more on security is not enough to stop attacks. This article will explore why accelerating your detection and response capabilities is the key to stopping incidents before they cause harm.
Asymmetry in cybersecurity
Cyber security fundamentally is an asymmetric problem where the defense needs manifold resources compared to an attacker. It’s a common adage that while the defender has to protect thousands of weaknesses, an attacker needs to find just one and exploit it. To solve this problem, the dominant paradigm from the last decade was layered security, where more and more security products were installed to create a “defense-in-depth” framework. While that paradigm still holds good for prevention, it has diminishing returns beyond a point. It leaves internal networks open to exploitation once a criminal penetrates the perimeter.
And these breaches will happen. Over the last few years, the industry has accepted that it is impossible to prevent every incident, shifting its focus away from prevention and onto detection and response capabilities. Hence—the new paradigm now—accepts that breaches will happen and invest in detecting and responding to them.
State of detection and response
Modern attacks are sophisticated and long-drawn. Advanced attackers enter a network using one vector and then navigate it for months until they reach their objective. The industry average for detecting these breaches is around 207 days. And even when an attack is detected, the response takes weeks or months to contain and eradicate.
Looking at the data further, the average time to detect a breach is 207 days, and the average time to respond to a breach is 70 days, which means most organizations take 277 days — or about nine months — to end an incident. Clearly, organizations are not detecting and responding to threats quickly enough, giving bad actors the time they need to cause significant harm.
Given this data, it stands to reason that accelerating detection and response will reduce the impact of an incident. If a bad actor could cause significant harm in a short period of time, they wouldn’t spend months building a foothold in their victim’s network and methodically spreading to and compromising as many assets as possible before they strike, or they are caught and forced to show their hand. By detecting and responding to these incidents faster, you will reduce the scope of an attack and the harm that it causes.
Speed as the new determinant of success
Organizations must shift their focus to faster detection and response. A breach in your IT security may not always mean financial or reputational losses, but if your IT security fails to detect and respond to a breach for a long time, you can be sure there will be consequences. Today’s cyber defense needs a manifold increase in the speed of operations. With enough speed, every breach will be insignificant. As part of this paradigm, the questions that management should ask are:
- How fast can we detect attacks?
- Is detection as fast as the attacks?
- How fast can we investigate, contain and eradicate attacks?
- Are our defenses as fast as the time attackers take to carry out their objectives?
While you may not like your initial answers to these questions, there are steps you can take — and capabilities you can develop — to accelerate your security.
Critical capabilities for fast cyber operations
Cyber security of the future will focus on investing in capabilities that increase the speed of security operations. Primarily, it involves three aspects:
- Building situational awareness: For the fast discovery of attacks, security operations need complete visibility into every asset, user activity, network traffic, system vulnerabilities, and network topography at all times. To do so, they must map the IT infrastructure/system across their entire organization.Today, such visibility is limited to a few critical assets and users, which severely impedes the discovery of attacks. With the rapid progress of big data technologies and reduced cost of storage, organizations can quickly move towards a strategy of collecting and storing all security data for complete situational awareness. Availability of such data then helps accelerate both the discovery of abnormalities and fast incident analysis. However, processing and taking action on this vast amount of data — without reducing the security team’s agility — creates its own challenges.
- Applying machine intelligence to augment human intelligence: Modern attacks bypass traditional rule-based security systems. Such attacks remain undiscovered for long periods until further malicious activity triggers a rule. Machine learning and data sciences methods are beneficial for fast and early discovery. These tools can discover abnormalities based on patterns, profiles, past incidents, and outliers. Today machine learning is getting used in every field of IT and business, and it is time to introduce them into security operations as well.
- Automating response function: Today, triaging, investigating, and containing an incident is still fairly manual. The containment actions in system reconfiguration, access changes, or reimaging are highly manual. If an alert is triggered, the security operation center manually collects data from systems and analyzes the incident. This significantly increases the response time. Process automation, programmatic response, and automated orchestration of security activities are the ways to make response as fast as the attacks.
Speed is king in security, and human experts can no longer act fast enough. The way forward for cyber security is to upgrade security operations to run so fast that the impact of breaches becomes immaterial. To do so, organizations must deploy the right AI-driven tools to detect complex attacks — across complex infrastructure — as quickly as possible.