Unauthorized access: What are the hidden costs of detect and react
Manage risk by shifting "detect and react" to a role that ensures preventative measures are working.
Published August 23, 2017It's a failing proposition. IT spends so much of its time trying to monitor every last bit of the network, looking for anything that looks out of place. And, should a red flag be raised (presumably by some massive SIEM solution somewhere...), an "incident response plan" is kicked into gear.
Think about it. The focus is always "put your security in place, keeping a watchful eye on it, and respond when something happens."
It's a pretty costly mode of operation. It requires significant IT time and resources to put proper detection mechanisms in place, and will likely raise an initial set of false positives that need to be fine-tuned. This, in turn, creates the need for reports and meetings to ensure the detection is working.
Why not simply better understand the problem at hand and work to prevent it from happening in the first place?
Take initial access to your network — the logon itself, to be more specific. If the organization is concerned that users may be sharing passwords, or that an external attacker may one day compromise a user's credentials, they may choose to leverage logon audit data provided by Windows. It's a viable source of information, providing the audit detail from each endpoint is centralized. You'd need a SIM or SIEM solution in place to analyze the log data looking for anomalies like the same user logging onto several machines within a few minutes, or a user logging on after hours, along with some sort of pre-configured notification email. But, even with all this in place, it still takes time for the audit date to catch up, and for notifications to be received — all the while, the user has already logged on.
So, your reaction? It's a tad bit late. And in cases of a data breach or an external attacker compromising an endpoint with malware, the cost of your "detect and react" plan may be much more than just IT's time.
Instead, because you know which accounts have access to sensitive data, and what systems they should be logged onto, by having a solution in place that enforces logon restrictions (times of day, which machines, how many concurrent logons, etc.) to prevent inappropriate use of credentials (whether by an insider or external threat), you shift IT's model from one of "detect and react" to a focus on "prevention."
Those concurrent logons or that after-hours access that were an issue a moment ago? With preventative solutions in place, they'll never happen. No notifications. No reacting at 2 a.m.
Now, having preached prevention for the last few minutes, it should be said that even the best prevention strategy needs to be validated over time, so "detect and react" does have its place.
The difference is that prevention should be the primary focus, with "detect and react" following, rather than the other way around.
By placing efforts firmly around preventative solutions and strategies, IT proactively lowers the cost of managing risk, strengthens the organization's security stance, and shifts "detect and react" to a role of ensuring preventative measures are working.