Table of contents
- Introduction
- NIST Cyber Security Framework
- Detect and Response – How to halt an attack in progress
- What are all these acronyms?
- What to consider?
- Incident response planning
- What if you have been breached
Friday, 26th April 2024
Even though the number is slowly declining, it’s incredible to think that the average time it takes a company to identify the presence of cyber criminals in their network is still more than 200 days, according to IBM. It takes a further 70 days on average to deal with the consequences, they say. In that time a lot of damage can be done, such as the theft of critical company data or a cyber-criminal gang’s preparations for a ransomware attack. See our article, “Don’t pay the ransom”.
Many of the companies who were breached would have had firewalls; they’d have used anti-virus (some even anti-malware) software; they may have trained their staff on security basics; many will have used cloud services, assuming they were secure. So, if that’s the case, why were attackers successful?
If you run a legitimate operation, you’re perpetually caught in an arms race with the cyber-criminal community. And the balance is tipped in their favour: they need to be right just once to get into your network, whereas you need to be right every time to stop them.
Effective security requires constant attention. But it also needs a system; a framework around which you can ensure you’re doing everything reasonably possible to prevent damage to your business. This gives you the best chance you’ll be right each time, tipping the balance back in your favour – or at least getting closer to evening the odds.
NIST Cyber Security Framework
The best ideas are often the simplest ones. Published in 2014 and originally intended for US critical infrastructure such as electricity, oil and transport, the NIST (US National Institute of Standards and Technology) Cyber Security Framework (CSF) has since become globally recognised and adopted. The key to its success is the breadth of coverage and the simplicity of the concept, even if ultimately there’s a lot of detail that sits behind it. It’s broken down into five key functions – Identify, Protect, Detect, Respond and Recover. In headline terms:
- Identify – Could be a cyber maturity assessment or a pentest to establish what you have (or need) and what needs attention.
- Protect – Firewalls, AV, awareness training, multi-factor authentication, secure web browsing and many, many, more tools.
- Detect – Is there anything suspicious going on in my environment? If so, investigate it.
- Respond – We’ve found something suspicious and are trying to stop it.
- Recover – We’ve suffered an incident; we need to recover the data and the system.
In this article we’re going to focus our attention on Detect and Response – what it means and who it’s for – to demystify the subject and help you decide whether it’s right for you.
Detect and Response – How to halt an attack in progress
How do you catch and contain the breach before it causes any damage? To have any real chance of doing this, businesses need the right tools and people who have an offensive security mindset, i.e. they think like a hacker so they can utilise these tools to detect suspicious activity and can help manage incidents and crisis situations should they occur.
Companies with the financial and personnel resources to do this right set up security operations centres (SOCs) to monitor and respond to cyber threats 24x7. However, for most small to medium businesses, and even for some larger enterprises, this is cost prohibitive.
Thankfully, there is a significant and growing market of technology and associated services which incorporate some of what a traditional SOC can do, and in some cases more, for a lot less than the set-up and running costs of your own security operations function.
What are all these acronyms?
Endpoint Detection and Response (EDR); Managed Detection and Response (MDR), and eXtended Detection and Response (XDR) are all cybersecurity solutions and services aimed at detecting and responding to threats.
While the security industry hasn’t agreed on definitions, in general terms each monitors activity on systems in real time, looking for suspicious behaviour or indicators of compromise (IOCs), i.e. evidence that an intruder has gained entry. They typically include capabilities for threat detection, investigation and response. In some cases, these are automated.
- EDR’s primary focus is endpoints, such as desktops, laptops, servers and mobile devices. It is commonly used for threat detection and response within an organisation's network, especially for detecting advanced threats like malware, ransomware and insider attacks.
- MDR is sourced from a third-party provider. You’re buying into a service that provides the tools, experts and processes involved in threat detection, analysis, and response. They typically go beyond just endpoint monitoring and extend to other areas of an organisation's IT infrastructure, including networks and cloud environments.
- XDR is more broadly a platform approach using a common set of security technology tools that tightly integrate and correlate data across different security layers, including endpoints, networks, email, and cloud environments. XDR provides a more comprehensive view of the entire IT environment, allowing for better detection and response to sophisticated threats that may span multiple vectors.
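As an added illustration of the cross-layer correlation that XDR is described as doing (this is example code written for this article, not any vendor’s product), here is a small Python routine run over constructed sample events from an email gateway, an endpoint agent and a network sensor. The field names, signal names and the 30-minute window are assumptions; the point is that a single alert on its own stays an alert, while signals from several layers on the same host within a short window become an incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three "layers". Not real telemetry;
# the field and signal names are assumptions made for this example.
EVENTS = [
    {"ts": "2024-04-26T09:00:00", "source": "email",    "host": "LAPTOP-07", "signal": "attachment_with_macro"},
    {"ts": "2024-04-26T09:03:00", "source": "endpoint", "host": "LAPTOP-07", "signal": "office_spawned_powershell"},
    {"ts": "2024-04-26T09:05:00", "source": "network",  "host": "LAPTOP-07", "signal": "beacon_to_new_domain"},
    {"ts": "2024-04-26T11:00:00", "source": "endpoint", "host": "DESK-12",   "signal": "office_spawned_powershell"},
    {"ts": "2024-04-26T14:00:00", "source": "network",  "host": "DESK-12",   "signal": "beacon_to_new_domain"},
]


def correlate(events, window=timedelta(minutes=30), min_layers=2):
    """Group events by host and raise an incident only when signals from at
    least `min_layers` different sources land within `window` of each other.
    Events that never cluster across layers remain individual alerts."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e))

    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda pair: pair[0])
        for i, (t0, _) in enumerate(items):
            # All events on this host that start within `window` of event i.
            cluster = [e for t, e in items[i:] if t - t0 <= window]
            layers = {e["source"] for e in cluster}
            if len(layers) >= min_layers:
                incidents.append({
                    "host": host,
                    "layers": sorted(layers),
                    "signals": [e["signal"] for e in cluster],
                })
                break  # one incident per host is enough for this example
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"INCIDENT on {inc['host']}: layers={inc['layers']} signals={inc['signals']}")
```

With the sample data, LAPTOP-07 produces one incident spanning all three layers, while DESK-12’s two signals are three hours apart and stay as separate alerts for an analyst to review.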
What to consider?
Determining whether your business needs Detection and Response involves assessing your organisation's cybersecurity needs, capabilities, and risk tolerance.
Understanding what best suits your business will require some expertise, especially if you haven’t acquired these services in the past. Here are some key considerations:
- Industry Regulations: If your business operates in an industry with stringent regulatory requirements (e.g., healthcare, finance), EDR/MDR/XDR can help you comply with security standards and regulations.
- Data Sensitivity: If your organisation handles sensitive customer data, intellectual property, or proprietary information, the need for advanced threat detection and response capabilities increases.
- In-House Capabilities: Evaluate your internal cybersecurity capabilities. If your organisation lacks dedicated cybersecurity personnel, expertise, or tools for advanced threat detection and response, MDR can fill this gap.
- Incident Response Plan: Your business may lack a comprehensive incident response plan or may struggle with timely and effective incident response. MDR services can enhance your readiness.
- Organisational Complexity: Businesses and organisations with complex IT infrastructure will benefit from detect and response technologies and services. Many may have a plethora of security tools already, but that is no guarantee of a secure environment if your staff don’t have time to look at them, aren’t correlating their outputs and don’t have the right training and mindset. MDR can consolidate this effort and provide continuous monitoring and detection across a wide range of systems and networks, using specialist resources skilled at separating the wheat from the chaff.
- International Presence: Detect and response can help address the security challenges associated with distributed operations and diverse threat landscapes.
- Previous Security Incidents: If your organisation has experienced security incidents or breaches in the past, it may indicate a lack of resources focused on the problem. It may also show an absence of the right tools for the job. MDR can plug both these gaps, providing proactive monitoring and response to prevent future incidents.
- Budget Constraints: MDR services can be a scalable and predictable cost option, allowing companies to benefit from advanced threat detection without the upfront costs associated with building an in-house Security Operations Centre (SOC).
- Proactive Security Approach: Good MDR adopts a proactive rather than reactive approach to cybersecurity. MDR services can play a crucial role in identifying and mitigating threats before they escalate.
- Third-Party Requirements: If your customers or business partners require evidence of robust cybersecurity measures, having EDR/MDR/XDR in place can demonstrate your commitment to security.
Incident response planning
You should plan, prepare and conduct tests for cyber-attacks and incidents in the same way you do fire drills, only they’ll likely be a lot more involved and collaborative than safely exiting a building, gathering in a car park and doing a register.
It starts with a good plan, involving multiple stakeholders. Once you have one, tabletop simulations can be a good way of testing it.
What if you have been breached
A breach has occurred, and you need to contain it. Incident response is the structured process of addressing and managing the immediate aftermath of a cybersecurity incident, with the goal of limiting damage and reducing recovery time and costs.
You may have MDR in place, in which case incident response would typically be a bolt-on service. If you don’t have MDR, an incident response retainer might be your only hope of resurrecting the business following a breach. See our article on cyber insurance.