Threat detection has become even more critical as cybercriminals capitalize on the pandemic. According to a recent Microsoft report, malevolent actors have become much more sophisticated over the past twelve months, making them more challenging to spot. Defending against cybercrime is an ongoing and evolving challenge. Cybercriminals are well-resourced, organized and increasingly sophisticated when it comes to innovating threats.
Around 53% of breaches are the result of malicious attacks, followed by 23% human error and 25% system glitches, according to the Ponemon Institute. Of these malicious attacks, the most common methods of compromise are stolen credentials, third-party software vulnerability, phishing scams, and misconfigured cloud servers. The latter increases the average cost of a breach by more than half a million dollars to $4.41 million.
Understanding our enemy
Threat detection actively searches for malicious activity that could compromise the network. There are several ways of detecting internal and external threats. External threats refer to malicious actors attempting to exploit system vulnerabilities from outside the enterprise. However, internal threats, which include employees or their compromised devices, are seeing the most growth.
Forrester Research expects a third of breaches to be internal in 2021, up from a quarter in 2020. The growing use of cloud applications and remote working makes it extremely difficult to track internal sensitive data.
Different detection solutions
Different types of detection solutions all have their pluses and minuses. For example, log-based detection solutions have been proven to work well but depend on the quality and availability of the logs fed into them.
Endpoint detection is highly efficient at monitoring and collecting data from devices that have agents installed on them, surfacing indicators of a threat on those devices. These agents can monitor, detect and resolve threats across the network. However, endpoint security reaches only as far as the endpoints on your network that have an agent installed, which leaves gaps. Network-based detection, by contrast, can detect threats in real time across all connected devices, but it does not cover threat activity within the endpoints themselves.
"All of these detection solutions are extremely useful, but to allow for really effective threat detection and response, enterprises need to build a detection framework that goes beyond identifying simple indicators of compromise (IoC)," explains Grant Paling, Service Area Owner for Detect and Respond at Orange Cyberdefense. This is where threat detection frameworks come into their own.
Threat detection frameworks
The "MITRE ATT&CK" framework is one of the most widely adopted threat detection frameworks, helping enterprises understand the lateral movements that cyber attackers make to move deeper into the network following their initial entry. "We see MITRE as a useful framework tool, but it is not the easiest to get started with," explains Paling.
MITRE ATT&CK comprises a comprehensive portfolio of tactics and techniques for security teams to better classify attacks and assess risks. The framework looks to enhance post-compromise detection of malevolent actors by looking at their actions to find out how they got into the network and are moving around. Enterprises can use this information to shore up defenses and spot any security gaps.
When building your strategy for threat detection, it is important to understand your business and where it is heading. The problem is that many managed detection and response providers have a short-term outlook when it comes to mapping a strategy. What is required is a more pragmatic approach to gain greater visibility and also understand your environment and its limitations.
The Orange Cyberdefense approach
To overcome these issues, Orange Cyberdefense has come up with a Threat Detection Framework that is easy to get started with and provides visualization and mapping dependencies based on security scores. It helps enterprises to map their current security posture and visualize where they need to get to.
The framework is modeled explicitly on each enterprise's environment. Orange uses it to work with customers to set target visibility across the critical phases of the kill chain and to look at ways of achieving that. The kill chain is a series of steps that tracks the stages of a cyberattack; it helps security experts understand and defend against attacks such as ransomware and advanced persistent threats (APTs).
Mapping the importance of security
Orange has worked with many customers to help them adopt this approach. In one engagement, a mid-size bank was deploying security information and event management (SIEM). However, it had held back on deploying endpoint detection and response (EDR) enhancements designed to protect endpoints from potential threats. The IT team wanted to highlight to senior management the security issues that could arise by not making the EDR enhancements a business priority for rollout.
Using Orange Cyberdefense's Threat Detection Framework and log sources, Orange could visualize to senior management its current security posture and exactly how endpoint security would immediately strengthen its active defense capabilities. Its management team was able to see how the endpoint is one of the most critical detection points and immediately prioritized the EDR enhancements.
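The mapping described above (scoring visibility per kill-chain phase from the telemetry sources actually deployed, then showing what a not-yet-deployed source would change) can be illustrated with a small model. The following is an added example written for this article; it is not Orange Cyberdefense's Threat Detection Framework or any of its code. The phase list is the Lockheed Martin Cyber Kill Chain; the sources, their quality weights and the "combine independent sources" scoring rule are constructed assumptions chosen to mirror the bank engagement, where SIEM log sources were in place and EDR was held back.

```python
"""Illustrative kill-chain coverage scoring (constructed model, not Orange's product)."""
from dataclasses import dataclass, replace

# Lockheed Martin Cyber Kill Chain phases, in attack order.
KILL_CHAIN = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
)


@dataclass(frozen=True)
class DetectionSource:
    name: str
    kind: str            # "log", "endpoint" or "network"
    phases: frozenset    # kill-chain phases this telemetry can observe
    quality: float       # 0..1 confidence that a real event is detected (assumed)
    deployed: bool = True


# Constructed inventory resembling the bank: SIEM log sources and an IDS are live,
# the EDR agents exist on paper but are not rolled out.
CURRENT_SOURCES = (
    DetectionSource("Firewall/proxy logs", "log",
                    frozenset({"Delivery", "Command and Control"}), 0.5),
    DetectionSource("Email gateway logs", "log", frozenset({"Delivery"}), 0.6),
    DetectionSource("Network IDS", "network",
                    frozenset({"Delivery", "Exploitation", "Command and Control"}), 0.6),
    DetectionSource("Directory auth logs", "log",
                    frozenset({"Actions on Objectives"}), 0.5),
    DetectionSource("EDR agents", "endpoint",
                    frozenset({"Exploitation", "Installation",
                               "Command and Control", "Actions on Objectives"}),
                    0.8, deployed=False),
)


def phase_scores(sources):
    """Score each phase as 1 - prod(1 - q) over deployed sources that see it.

    Treating sources as independent detectors: a phase nobody observes scores 0,
    and adding a second source raises the score without ever exceeding 1.
    Reconnaissance and Weaponization happen largely off-network, so they stay
    near 0 unless a source explicitly claims them.
    """
    scores = {}
    for phase in KILL_CHAIN:
        miss = 1.0
        for src in sources:
            if src.deployed and phase in src.phases:
                miss *= (1.0 - src.quality)
        scores[phase] = round(1.0 - miss, 3)
    return scores


def gaps(scores, target=0.7):
    """Phases whose score falls below the visibility target, in kill-chain order."""
    return [phase for phase in KILL_CHAIN if scores[phase] < target]


def what_if(sources, enable):
    """Re-score with the named sources switched on (e.g. the EDR rollout)."""
    enabled = tuple(
        replace(src, deployed=True) if src.name in enable else src
        for src in sources
    )
    return phase_scores(enabled)


def improvement(before, after):
    """Per-phase score increase, for phases that actually change."""
    return {p: round(after[p] - before[p], 3)
            for p in KILL_CHAIN if after[p] != before[p]}


if __name__ == "__main__":
    before = phase_scores(CURRENT_SOURCES)
    after = what_if(CURRENT_SOURCES, {"EDR agents"})
    print("current gaps:", gaps(before))
    print("gaps after EDR:", gaps(after))
    print("uplift from EDR:", improvement(before, after))
```

With these assumed weights the current posture covers Delivery and Command and Control well but leaves Exploitation, Installation and Actions on Objectives below target; enabling the endpoint source closes all three, which is the kind of picture the article says convinced the bank's management to prioritize EDR. The rule `1 - prod(1 - q)` is one simple choice; a real framework would weight sources by log quality and coverage of the estate rather than a single number per source.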
Cyber threat landscape continues to expand
Malevolent actors continue to evolve their tactics to become ever more sophisticated. As a result, enterprises need to up their game wherever they can.
A robust threat detection framework goes beyond mapping individual detection techniques: it identifies current capabilities and models future improvements strategically.
Do you need help with selecting the right managed detection and response solution? Try out our MDR Buyer's Guide.