
‘D’ is for Detection: Why you Need Help

A common saying in cybersecurity is: You will be breached. We learn of new examples almost daily. Just last month, organizations in 65 countries, including pharmaceutical multinational Merck, Danish shipping conglomerate Maersk and law firm DLA Piper, were attacked by “Petya” ransomware that employed the same EternalBlue SMB software exploit that last month’s WannaCry ransomware used to infect 216,000 endpoints in over 150 countries.

Another saying, Prevention is ideal, but detection is a must, is the primary motivation behind MDR (Managed Detection and Response). I’m not saying prevention shouldn’t be a component of your overall security strategy, if only to eliminate or at least minimize the obvious junk that may pass through your network. But making prevention your sole focus is as foolhardy as trying to walk through a brick wall. Many people may claim they can do it, but in the end, all that is left are smoke, mirrors and the preposterous hope that one day we will be able to beat physics.

Hence, detection. Unfortunately, it’s anything but a straightforward process. Malware can lurk for months at a time before inflicting damage, and most malware (70-90 percent as of 2015) is unique to a given organization, making signatures almost useless. Meanwhile, a sophisticated spear-phishing attempt can get past filters and fool even the savviest employees if they’re having an off day. And bad actors can tinker with tactics indefinitely until they find a way to break into your systems, yet you’re 100-percent responsible for defending against every single attempt. So, how do you make detection a success in your organization?

Putting Together a Puzzle

Before I give you any advice about why you need managed detection services, let me confess something. As a senior network security analyst, someone who spends most of her waking hours looking for anomalies in my clients’ networks, I find detection akin to solving a jigsaw puzzle that is missing 45 pieces and lacks an outline of the completed picture. My job is to overcome our visibility gaps, put together these puzzles and detect the threats to your network. And I have a lot of tools and tactics at my disposal. In establishing timelines and patterns, I leverage software, including a variety of forensics tools, to put the pieces together. I use automated beacon analysis to establish patterns in network traffic behavior. I use behavior analytics to determine the context of certain user actions. And in keeping with UnitedLex’s commitment to being a partner to our clients, I rely on open communication with my clients, who let me know if, say, they fired an employee but didn’t immediately shut off his credentials.
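To show what the automated beacon analysis mentioned above actually looks for, here is a minimal periodicity check over a constructed connection log. This is example code added for illustration, not UnitedLex’s tooling; the hosts, timestamps and the 0.1 coefficient-of-variation threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (timestamp in seconds, source host, destination).
# 10.0.0.4 reaches out to 203.0.113.5 roughly every 60 seconds (beacon-like);
# 10.0.0.9 browses 198.51.100.7 at irregular times (normal user traffic).
SAMPLE_LOG = [
    (0, "10.0.0.4", "203.0.113.5"), (61, "10.0.0.4", "203.0.113.5"),
    (119, "10.0.0.4", "203.0.113.5"), (181, "10.0.0.4", "203.0.113.5"),
    (240, "10.0.0.4", "203.0.113.5"), (299, "10.0.0.4", "203.0.113.5"),
    (5, "10.0.0.9", "198.51.100.7"), (12, "10.0.0.9", "198.51.100.7"),
    (300, "10.0.0.9", "198.51.100.7"), (310, "10.0.0.9", "198.51.100.7"),
    (900, "10.0.0.9", "198.51.100.7"),
]

def intervals_by_pair(records, min_connections=4):
    """Group connections by (src, dst) and return the gaps between them.
    Pairs with too few connections cannot show a pattern and are skipped."""
    times = defaultdict(list)
    for ts, src, dst in sorted(records):
        times[(src, dst)].append(ts)
    return {pair: [b - a for a, b in zip(t, t[1:])]
            for pair, t in times.items() if len(t) >= min_connections}

def beacon_score(gaps):
    """Coefficient of variation of the gaps: near 0 means metronomic timing,
    which is what a scheduled check-in loop produces and human browsing does not."""
    m = mean(gaps)
    return pstdev(gaps) / m if m else float("inf")

def find_beacons(records, min_connections=4, max_cv=0.1):
    """Return (src, dst, mean_gap, cv) for pairs whose timing is regular enough
    to warrant analyst review. max_cv is a tuning knob (assumed value): real
    traffic has jitter, so an analyst would adjust it and compare hits against
    known-good destinations such as update servers before escalating."""
    hits = []
    for (src, dst), gaps in intervals_by_pair(records, min_connections).items():
        cv = beacon_score(gaps)
        if cv <= max_cv:
            hits.append((src, dst, round(mean(gaps), 1), round(cv, 3)))
    return sorted(hits)

if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{gap}s, cv={cv}")
```

On the constructed log only the 10.0.0.4 to 203.0.113.5 pair is flagged; the result is a lead for the analyst to put in context, not a verdict.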

Getting That Validation

Detection is a key reason for working with an MDR partner like UnitedLex. Unlike MSSPs, we provide dedicated IR experts to sniff out and “validate potential incidents, assemble the appropriate context, investigate as much as is feasible about the scope and severity given the information and tools available, and make recommendations, so the customer can quickly start containment and remediation activities,” as research firm Gartner writes in its 2017 Market Guide for Managed Detection and Response Services.

And once we detect threats, we help you respond to them as quickly as possible, before they wreak havoc on your systems and data. I’ll save that conversation for my next post.