Compared to most industries, cybersecurity operates in a highly adversarial environment. Organizations invest enormous amounts of time, money and resources into defeating a range of determined threat actors, and their security teams are pitted against highly motivated, well-organized criminal and nation-state groups who constantly shift tactics to gain the upper hand.
The result is that security teams are frequently inundated with alerts, a large share of them false positives, while genuine intrusions slip through as false negatives. They are compelled to triage that noise rather than being allowed to concentrate on proactively securing their networks.
These professionals increasingly operate in a never-ending loop of event-driven, reactive work, and many experience significant stress or even burnout as a result. Collectively, these pressures prevent security teams from taking the steps that would ultimately give today's enterprise environments better protection.
So, how can organizations and their cybersecurity teams refocus their efforts toward proactive protection to ensure risks, vulnerabilities and attacks are addressed head-on?
By establishing a baseline of typical user behavior, it becomes far more practical to spot anomalies quickly and prevent major damage to a company's infrastructure and data. Over time, a profile can be built for each user that captures their everyday habits: which machines they log on to, when and from where, which network resources they access, and how they use other key resources such as cloud applications. Each day's activity can then be compared with that historical profile, and an abrupt change in either the pattern or the volume should raise an alert. Two caveats apply in practice: the baseline needs enough history to be representative (a profile built from a few days of data will flag ordinary variation), and the deviation threshold must be tuned per environment, or the system simply becomes another source of false positives.
The same approach extends to network traffic. Security teams can define what typical daily volumes and destinations look like, providing crucial insight when something departs from the norm. This is particularly valuable given that employees' accounts and devices are among the main targets for cybercriminals attempting to breach networks.
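The baselining idea above, worked through as an added example (this is illustrative code written for this page, not Exabeam's product logic or anything from the original article). It builds a per-user profile from fourteen days of constructed authentication events, then scores a new day against that profile: unseen hosts, source IPs and resources, logon hours never seen before, and a daily event count more than three standard deviations above the user's mean. The log data, the user name alice, the host and IP values, the per-deviation weights and the alert threshold are all assumptions chosen for the example; the `pstdev(...) or 1.0` guard is there so a perfectly flat baseline does not divide by zero.

```python
"""UEBA-style baselining: profile each user's historical activity, then score a
new day's events against that profile. All data below is constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

ALERT_THRESHOLD = 5   # assumed tuning value: score at or above this raises an alert
VOLUME_Z = 3.0        # assumed: daily event count > 3 sigma above the mean is a spike

# Event tuple layout: (day, user, hour, host, src_ip, resource). Constructed data.
def build_history():
    """Fourteen days of routine activity for the hypothetical user 'alice'."""
    events = []
    for day in range(1, 15):
        for hour, resource in ((9, "fileshare"), (11, "crm"), (14, "fileshare")):
            events.append((day, "alice", hour, "WS-ALICE", "10.0.1.25", resource))
        if day % 3 == 0:   # occasional extra session so daily volume is not flat
            events.append((day, "alice", 16, "WS-ALICE", "10.0.1.25", "crm"))
    return events

# A routine day and a suspicious one (both constructed) to score against the profile.
NORMAL_DAY = [
    (15, "alice", 9, "WS-ALICE", "10.0.1.25", "fileshare"),
    (15, "alice", 11, "WS-ALICE", "10.0.1.25", "crm"),
    (15, "alice", 14, "WS-ALICE", "10.0.1.25", "fileshare"),
]
SUSPICIOUS_DAY = [
    (16, "alice", 3 + i % 2, "SRV-DB01", "203.0.113.7", "hr-database")
    for i in range(40)   # 40 events at 03:00-04:00 from a never-seen host and IP
]

def build_profiles(events):
    """Per-user baseline: hosts, source IPs and resources seen, a histogram of
    logon hours, and mean/standard deviation of the daily event count."""
    profiles = defaultdict(lambda: {"hosts": set(), "ips": set(), "resources": set(),
                                    "hours": Counter(), "daily": Counter()})
    for day, user, hour, host, ip, resource in events:
        p = profiles[user]
        p["hosts"].add(host)
        p["ips"].add(ip)
        p["resources"].add(resource)
        p["hours"][hour] += 1
        p["daily"][day] += 1
    for p in profiles.values():
        counts = list(p["daily"].values())
        p["vol_mean"] = mean(counts)
        p["vol_std"] = pstdev(counts) or 1.0   # guard a perfectly flat baseline
    return profiles

def score_day(profile, events):
    """Compare one user's events for a single day with that user's profile.
    Returns (score, reasons); each deviation type is counted once per day."""
    score, reasons = 0, []
    new_hosts = {e[3] for e in events} - profile["hosts"]
    new_ips = {e[4] for e in events} - profile["ips"]
    new_resources = {e[5] for e in events} - profile["resources"]
    odd_hours = {e[2] for e in events} - set(profile["hours"])
    if new_hosts:
        score += 3
        reasons.append(f"never-seen host(s): {sorted(new_hosts)}")
    if new_ips:
        score += 3
        reasons.append(f"never-seen source IP(s): {sorted(new_ips)}")
    if new_resources:
        score += 2
        reasons.append(f"never-seen resource(s): {sorted(new_resources)}")
    if odd_hours:
        score += 2
        reasons.append(f"activity at never-seen hour(s): {sorted(odd_hours)}")
    z = (len(events) - profile["vol_mean"]) / profile["vol_std"]
    if z > VOLUME_Z:
        score += 4
        reasons.append(f"volume spike: {len(events)} events, z={z:.1f}")
    return score, reasons

def is_alert(score):
    """Apply the (assumed) alert threshold to a day's score."""
    return score >= ALERT_THRESHOLD

if __name__ == "__main__":
    alice = build_profiles(build_history())["alice"]
    for label, day in (("normal day", NORMAL_DAY), ("suspicious day", SUSPICIOUS_DAY)):
        score, why = score_day(alice, day)
        print(f"{label}: score={score} alert={is_alert(score)}")
        for reason in why:
            print("   -", reason)
```

The scoring is deliberately additive and explainable: an analyst receiving the alert sees which dimensions deviated, not just a number. In a real deployment the history would be weeks or months of events from an identity provider or SIEM, weights would be tuned against observed false-positive rates, and peer-group comparison (does anyone in alice's team normally touch hr-database?) would be layered on top of the per-user profile.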
To deliver a proactive cybersecurity strategy as attacks increase in size, frequency and sophistication, automated response has become a must-have. Monitoring baseline behaviors alone remains ineffective if every alert it raises still feeds a slow, manual investigation and reporting process.
Instead, organizations should implement incident response automation that enables both rapid threat identification and the automatic application of countermeasures, such as isolating an endpoint or disabling a compromised account. In doing so, analysts can focus on proactive investigation, containment and mitigation, significantly increasing their productivity and impact: human brains for human problems.
In addition, codifying incident playbooks for regularly occurring security issues such as malware infections or phishing makes it easier for teams to deliver repeatable resolutions and maximize SOC efficiency. Organizations can also keep their processes and countermeasures in step with the changing threat landscape by reviewing past incidents and tracking newly reported malware families and techniques.
One of the most important areas of focus when building a proactive approach to cybersecurity is an organization's ability to adapt to new and evolving threats. The scale of the challenge is considerable: in its 2021 Digital Defense Report, Microsoft reported that over the year it covered it had blocked 31 billion identity attacks, 32 billion email threats and 9 billion endpoint threats.
To keep pace, security teams should adopt proactive threat hunting built around indicators of attack (IoA), which describe adversary behavior rather than a single artifact, alongside shared detection playbooks for known advanced persistent threat (APT) groups and malware families. Analysts are then far better placed to detect, isolate and neutralize new malware, new techniques and complex APT campaigns that automated security tools cannot yet recognize. Building these capabilities also lets them prevent similar attacks in future by combining industry-specific hunting with situational awareness, including threat intelligence on geopolitical developments that may change who is targeting them.
Ultimately, organizations need to have strong cybersecurity frameworks in place that operate round-the-clock to identify, analyze, and flag any anomaly that could signal an impending attack. Delivering a truly proactive approach, however, means adopting a holistic method that blends effective monitoring and automation processes with the inherent agility required to keep abreast of new trends and techniques that emerge from adversaries.
In doing so, enterprises will find they are much better placed to monitor and respond to the inevitable cyberattacks that threaten to compromise their data and networks. Continuing to rely on a reactive security posture, by contrast, plays into the hands of sophisticated adversaries who now exploit security blind spots and strategic inertia as a matter of course.
Matt Rider is VP of Security Engineering EMEA at Exabeam.