Organisations invest large amounts of money in cutting-edge security tools, but many tend to forget about one critical area: network visibility. If you’re unable to spot threats and attacks when they happen, it’s impossible to guard against the impact they can have.
Research undertaken by WatchGuard shows that, while 97 per cent of organisations maintain logs of security events, only 44 per cent of them actually review those logs with any regular frequency. Disturbingly, only 14 per cent are confident that they can spot an attack if one occurs.
The research found that, in 2013, the average time taken to detect a security breach was 80 days. In 2014, this had increased to six months and by 2015 it had increased further to 8.5 months.
Worryingly, in 67 per cent of the cases where a breach was detected, the organisation concerned the detection had been done by a third party and in 16 per cent of cases this was a law enforcement agency. Of all the breaches reported, only 1 per cent had been found as a result of internal processes.
The common problem in many cases is one of network visibility. Many organisations are simply unaware of the breaches that are occurring and the impact they have had - or will have - on operations.
One example was the attack against US retailer Target in 2013 which eventually led to the resignation of both the chief executive and chief information officers. In that case the cyber breach had happened a month before it was discovered.
In other examples, the high-profile breach experienced by Sony Pictures occurred a full 12 months before the issue became public while an attack against the US Office of Personnel Management was detected only 1.3 years after it had happened.
While every internet user is a potential victim when it comes to cyber attacks, criminals tend to focus their efforts on four key sectors.
Educational institutions are popular targets because of the large number of connected devices on their networks. Internet access is essential for students and staff but it also creates many opportunities for attack.
Healthcare organisations are attractive because of the critical systems on which they rely and the confidential nature of the data stored on their servers. For these organisations, rapid detection of threats is critical to ensure proper levels of patient care.
The hospitality and retail sectors are also high on attacker priority lists. They offer the prospect of harvesting credit card details and obtaining personal records through loyalty and points schemes.
Four biggest blind spots
Across all sectors, there are four key areas which have become the biggest blind spots when it comes to identifying security breaches. They are:
1. Network activity - Whether you are a small business or a large company, it can be challenging to effectively monitor all user activity and determine whether in fact a breach has occurred. This requires visibility into all inbound and outbound traffic at all times. Once a baseline of normal activity is determined, abnormal events are then much easier to spot.
2. Connected devices – It can be challenging to know exactly what is being connected to a corporate network and whether those devices are compromising security. Organisations need to have an up-to-date map of all connected devices and ensure things like printers are running the latest drivers and security updates.
3. Mobile devices – These must also be constantly monitored to ensure they can’t introduce threats into the network when connected. Some may be personal devices used at home or on public networks by staff who then bring them to work. Any infections that have occurred outside the organisation’s network must be detected as soon as they appear.
4. Botnets – Some organisations can find large numbers of computers within their infrastructures have become part of a botnet. This could occur when one staff member downloads an infected file, which then spreads code to other machines. Monitoring needs to be in place so that, if such code appears within systems, it can quickly be removed.
The benefits of better visibility
Better visibility of potential and actual security threats is of significant benefit to any organisation. Senior managers can be sure that the risk of disruption or loss can be minimised while staff can be confident their activities are unlikely to cause harm to their employer.
Compliance officers can feel reassured that attacks will be unlikely to cause any losses that may affect their organisation’s legal and regulatory obligations. Should threats appear, they will be quickly identified and remediated.
To achieve improved visibility, organisations should put in place the tools needed to discover all devices on their network, filter all content and detect intrusions. By removing network blind spots, they will be in a much better position to ensure effective security of their digital assets.