The number of detected security incidents in Australia increased by 109% in the last 12 months according to PwC’s Global State of Information Security® Survey 2016. Compare this to the global increase of 38.5% and it’s easy to understand why, in April, the Government announced it will invest more than $230 million over the next four years to enhance Australia’s cyber security.
From TalkTalk to Ashley Madison to the Australian Bureau of Meteorology and the Australian Bureau of Statistics Census debacle, cyber-attacks on organisations continue to make front-page news. Whilst this may have increased the general public’s awareness of cyber threats, for those within the security industry it does not come as a big surprise.
Despite ramping up investment, many organisations are still vulnerable to attacks, largely due to a shortage of ‘human’ security resources. To fully maximise our security, we need to start adopting a double-layer defence strategy: technology and human. It is the people in our security teams who provide the intelligence needed to combat the human adversaries behind today’s orchestrated attacks. These less automated, more human-led attacks are one of the key reasons why organisations continue to be breached, despite having the latest detection and prevention technologies in place.
Flying Under the Radar
Many organisations operate a ‘Detect and Respond’ security posture. This strategy involves the investment in, and deployment of, security tools that can detect and block the latest threats. This is then coupled with processes that focus the security team on the high-priority events generated by these tools. This approach works well at stopping 90+ percent of threats that target organisations, but it won’t stop a determined human adversary.
People are innovative and good at finding ways around problems, especially if they are motivated (and there are plenty of motivations for bad actors). They will carry out reconnaissance and plan an attack campaign so that even when it is detected by the latest technologies, the events remain at a low priority and thus do not get any focus from our security teams. This allows the attack to slip under the radar, undetected, usually until the attacker nears their goal, at which point, even if we do detect them, it is inevitably too late to come up with a comprehensive containment strategy.
The key issue here is that we are often solely reliant on our detection technologies ringing a big alarm bell to attract our attention, but these attacks don’t work like that. In many cases we have the data we need to identify these attacks much earlier in their lifecycle, we just need to enable our security teams to see these patterns of activity.
Seek and Contain
This is where the ‘Seek and Contain’ security posture can be much more effective. This still involves the deployment of detection and prevention technologies to deal with known threats – that is a given. The difference with the Seek and Contain approach is the shift of time and money investment towards more advanced, behavioural detection technologies and more forward-leaning security processes, such as hunting.
By adopting the Seek and Contain strategy and by having the right tools in place, existing security personnel can be much more effective. They can work events more efficiently, identify patterns of activity that may represent risk but may previously have been missed, and focus more of their time and energy on stopping the threats that really matter to the business.
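The kind of hunting query the Seek and Contain approach relies on, as an added example that is not part of the original article: a handful of events that each sit at low priority are correlated per host over a time window, so that a progression no single alert would surface is raised for analyst attention. The log lines, host names, event types and the stage list are constructed sample data.

```python
"""Added example: correlate individually low-priority events into a campaign
pattern, the kind of hunting logic the text argues security teams need.
All log lines below are constructed sample data, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source host, event type, priority.
# Every line is 'low' priority, so a queue sorted by severity ignores them all.
SAMPLE_LOG = """\
2016-09-01T09:02:11 host-17 failed_login low
2016-09-01T09:40:03 host-17 new_service_installed low
2016-09-01T10:15:44 host-17 internal_port_scan low
2016-09-01T11:05:27 host-17 large_outbound_transfer low
2016-09-01T09:30:00 host-42 failed_login low
2016-09-03T14:00:00 host-42 internal_port_scan low
"""

# A hypothetical intrusion progression (assumed stages for this example).
KILL_CHAIN = ["failed_login", "new_service_installed",
              "internal_port_scan", "large_outbound_transfer"]

def parse_log(text):
    """Turn the space-separated lines into (timestamp, host, type, priority)."""
    events = []
    for line in text.splitlines():
        ts, host, etype, prio = line.split()
        events.append((datetime.fromisoformat(ts), host, etype, prio))
    return events

def hunt(events, window=timedelta(hours=4), min_stages=3):
    """Return {host: [stages seen]} for hosts whose events cover at least
    min_stages distinct stages of KILL_CHAIN within any `window`-long span.
    Each event alone stays at the bottom of the queue; together they
    form the pattern of activity an analyst should be shown early."""
    by_host = defaultdict(list)
    for ts, host, etype, _ in events:
        if etype in KILL_CHAIN:
            by_host[host].append((ts, KILL_CHAIN.index(etype)))
    findings = {}
    for host, evs in by_host.items():
        evs.sort()                      # chronological order per host
        for i, (start, _) in enumerate(evs):
            stages = set()
            for ts, stage in evs[i:]:   # sliding window starting at event i
                if ts - start > window:
                    break
                stages.add(stage)
            if len(stages) >= min_stages:
                findings[host] = [KILL_CHAIN[s] for s in sorted(stages)]
                break
    return findings
```

Running `hunt(parse_log(SAMPLE_LOG))` flags host-17, whose four low-priority events fall within two hours, and ignores host-42, whose two events are days apart.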
They may play out online, but cyber-attacks always stem from people. We need to counter their innovation and attacks by maximising our security resources and adopting a double-layer defence system, combining the best technology with the best assets we have – our people.