The need for speed: Why faster threat detection is imperative for today's enterprise
Cyberattacks are happening more frequently and with greater sophistication. As a result, rapid threat detection and response is critical to finding threat actors and minimizing their impact on the enterprise. This task is easier said than done. Information security teams are understaffed and the digital infrastructures they must protect continue to increase in complexity. Time is also of the essence.
Every passing second dangerously prolongs a threat actor’s presence within the network, creating additional backdoors, pilfering critical data and assets, and increasing their chances of absconding with the crown jewels. In those especially urgent moments, when the security team is literally all hands-on deck, there isn’t time to run queries through a number of different tools and wait for results to come back. Security teams need real-time insights they can act upon quickly.
One of the best ways to gain those real-time insights is to bring the intelligence and analysis closer to the data.
In enterprise environments, security teams often collect massive amounts of data with the intention of analyzing it later. Some companies refer to this collection as a data lake. What they actually have is a data landfill! It’s filled with a lot of useless information that the team must sort through to try to find useful and usable nuggets. At this stage, it’s difficult for analysts to run a quick investigation, identify the root cause, and take action to mitigate.
Instead, enterprises should be extracting relevant insights -- including metadata from logs, endpoints and network packets -- as the data is being collected, and then organizing and analyzing it. This step dramatically reduces the time needed to respond to threats.
The next step is to take that information, and some of the other results that come out of that initial analysis, and put them in a centralized location where they can be accessed by other algorithmic techniques. Organizations tend to stumble here. They deploy different analytics and collection systems, and then realize that when they attempt to use them together, transporting this data between systems slows them down significantly. The approach becomes a bottleneck that prevents the team from responding quickly and effectively.
The key to avoiding this logjam is to take a platform-based approach. Extended detection and response (XDR) platforms give security teams the full visibility they need to react and respond to threats, since they provide the ability to analyze incidents across all capture points, including the user, endpoints, the edge, core systems and the cloud.
When teams are investigating incidents, it’s not just about collecting data from one capture point -- the team must be able to investigate all points seamlessly. For example, an analyst may see an alert from the endpoint, and then pivot quickly to see the network traffic that emanated from that endpoint, and then want to look at the recent activity of the user -- all to try to get a holistic picture of the incident. The team will never be able to quickly pivot from one point to another throughout the infrastructure if separate and distinct systems are being used to analyze this data.
A response approach rooted in XDR provides yet another benefit -- having complete visibility of available capture points reduces the chances that the team "underscopes" the attack and misses remnants of the incident that have been left behind. The result is that threat actors can return later to continue the attack. XDR platforms provide unique investigative capabilities that cut across all key control points and enable organizations to quickly react and reduce situations where threat actors remain in the environment.
People often conflate intrusions with breaches. An attacker’s ultimate goal is not to infiltrate an organization’s systems, but to exfiltrate its critical data. Security teams have a brief window of opportunity in which to act. In today’s world, with a rapidly expanding attack surface and exponential growth in threats, not every intrusion attempt can be prevented. However, by adopting a threat intelligence strategy centered around XDR technology, every breach can be stopped in its tracks.
Zulfikar Ramzan is Chief Technology and Product Officer, NetWitness