The Importance of Detect - Hackers Lurking in US Government Networks for Five Years
Recently the US government disclosed that foreign hackers had access to multiple systems for “at least five years.” A modern pillar of cybersecurity is that breaches are a question of when, not if. This has caused a fundamental shift of focus and budget from only focusing on preventing attacks to detecting and recovering from them quickly.
The average time an attacker has inside a network is eight days, which provides both the attacker plenty of time to scout and execute, but also for the defenders to catch and evict them. Some defenses will both prevent attacks, and help detect them when they occur, while others are focused on detection only. Key detection for every small business should include:
Multifactor authentication (MFA): this is primarily a preventative measure, but can also alert users that an attacker is targeting them. Unexpected MFA prompts often indicate a password has been leaked, or an attacker is in the system and accidentally triggered an MFA prompt. Any unexpected prompts should quickly be reported to IT.
24x7 managed detection and response (MDR) both for endpoints (computers and servers) and the cloud: an MDR service provides analysts at a desk for every minute of the year. Hackers do not clock out at 5pm with your IT team. Many of the biggest attacks take place in the middle of the night and over holiday breaks. An MDR service finds when at attacker gets in, and quickly stops them in their tracks. This can reduce a ransomware attack from weeks of damage to just a few hours.
Security information and event management (SIEM): Windows and other systems have very limited logging storage built in, many companies are lucky if they retain more than 24 hours worth of data. A SIEM is constantly vacuuming up a copy of logs and storing them in a searchable system, usually for a year or longer. Automation can be used to correlate suspicious events, or they can be manually searched by a security analyst.
Remember - everyone is a target, and everyone will be the victim of a breach at some point. Prevent the majority of attacks, but have a plan to detect the successful ones. Next we will be reviewing the importance of Response and Recovery.