Kudelski Security guide provides companies with orientation for more security
With regard to IT security, the situation in Germany remains dynamic and tense, according to a report by the Federal Office for Information Security.
Among other things, a total of around 117 million new malware variants were added in 2020. One particularly dominant and dangerous example was the Sodinokibi Trojan of the hacker group REvil, which uses the malware for ransomware attacks. Companies are often the victims of targeted cyber attacks, especially during the COVID-19 pandemic. To protect themselves effectively against these dangers, they need a reliable strategy for threat detection and defense. However, according to a new report, 91 percent of all attacks do not trigger an alarm and 53 percent of security breaches go undetected.
“Many of the strategies that companies rely on in their threat detection and response do not work. That’s the bad news,” explains Philippe Borloz, Vice President EMEA Sales at Kudelski Security. “But there is also good news, because probably many companies already have everything to improve and thus increase protection.”
The specialists at Kudelski Security explain which four hurdles stand in the way of better threat detection and defense and what the solution looks like.
Wrong approach to SIEM
Some companies are poorly positioned with regard to their own Security Information and Event Management (SIEM) solutions. Most organizations simply aggregate and analyze security monitoring data from all available sources in the organization. However, not all of this data is relevant, which on the one hand creates additional work for the IT teams and on the other hand makes threat detection and defense slower and less efficient.
Standard configurations are not enough
Many default logging configurations of IT solutions prove problematic because they do not meet the individual requirements of threat hunting in the enterprise. Instead, the defaults correspond to the lowest common denominator. This means that the specific situation of the individual company is not taken into account, which may result in an alarm being raised too late or not at all.
Too many security systems
It sounds contradictory at first, but the use of a (too) large number of different devices, tools and applications for attack and threat detection is often detrimental to the efficiency of security monitoring. Most companies do not understand their threat model and are overwhelmed by technologies that they then do not use effectively. Although more technology usually promises more security, it also leads to a large number of alarms that have to be reviewed and evaluated, or to valuable technology lying idle. The overview, and with it the focus on the real dangers, is quickly lost.
Lack of real prioritization
Often the dangers do not differ in their priority. But if everything has the same priority, there is no order of precedence that can serve as an orientation in dealing with them. This complicates a targeted approach by the IT teams. They are faced with the challenge of taking care of all dangers directly and in parallel. Accordingly, the IT teams have to check a lot of data at the same time and are therefore quickly overwhelmed.
Meeting the challenges
With the help of three logical steps, companies can overcome the aforementioned hurdles and raise their threat detection to a high level.
Bringing order to chaos
Among other things, it is advisable to create an individualized threat model for your own threat detection and defense requirements. A threat model helps to prioritize threat hunting by allowing companies to develop a clear view of the threats, which in turn allows a correct assessment and rapid remediation. To fully understand the threats, companies need to know who the potential attackers are, what their motivation is, and what tactics they pursue. In addition, they need information about how the respective attack takes place, what data is required to detect it successfully, and what tasks the people involved have.
Developing a detection strategy
The defined use cases form the basis for a threat model that takes into account possible attacker groups and their goals and helps companies to set priorities for the detection strategy. This then also makes it possible to prioritize alarms. Where the tactics of individual attackers and use cases overlap, it is worthwhile for companies to start right there. This allows them to refine their detection and address multiple threats at the same time.
Use data wisely
For effective threat detection via SIEM, it is important to collect and analyze the right data at the right time. Companies should have completed the other two steps beforehand, because then they know exactly what data they need. This allows organizations to understand which threats are greatest for the business and should be prioritized. Understanding attacker tactics, techniques, and procedures can prepare organizations for disruptive attacks. The findings also help to focus detection efforts on areas where they have the greatest impact, such as where multiple attackers use the same tactics. This gives companies a clear overview of the data sources and types that should be fed into their SIEM system. In short, it is not the quantity of data that is decisive for threat detection and prevention, but its quality.
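As an added illustration of the three steps above (this is not code from the Kudelski Security guide), the following Python model takes a constructed threat model of attacker groups and their tactics plus a set of detection use cases with the data sources each needs, ranks the use cases by how many modelled attackers share the tactic they detect, and derives which sources the SIEM actually needs and which would only sit idle. All group, tactic, use case and source names are constructed examples.

```python
from collections import Counter

# Constructed threat model: attacker groups relevant to a hypothetical company
# and the tactics each is assumed to use (illustrative names, not real groups).
THREAT_MODEL = {
    "ransomware-crew": {"phishing", "credential-theft", "lateral-movement", "encryption"},
    "data-broker":     {"phishing", "credential-theft", "exfiltration"},
    "insider":         {"credential-theft", "exfiltration"},
}

# Constructed detection use cases: the tactic each one detects and the data
# sources the SIEM must ingest for it to work.
USE_CASES = {
    "mail-attachment-anomaly": ("phishing",         {"mail-gateway"}),
    "impossible-travel-login": ("credential-theft", {"idp-auth", "vpn"}),
    "smb-fanout":              ("lateral-movement", {"netflow", "endpoint"}),
    "bulk-cloud-upload":       ("exfiltration",     {"proxy", "dlp"}),
    "mass-file-rename":        ("encryption",       {"endpoint"}),
    "printer-toner-alert":     ("availability",     {"printer-mgmt"}),
}

def tactic_overlap(model):
    """Count how many modelled attacker groups use each tactic."""
    return Counter(t for tactics in model.values() for t in tactics)

def prioritize(model, use_cases):
    """Rank use cases by attacker coverage (descending), ties broken by name.
    Use cases whose tactic no modelled attacker uses land at the bottom."""
    overlap = tactic_overlap(model)
    ranked = sorted(use_cases, key=lambda uc: (-overlap[use_cases[uc][0]], uc))
    return [(uc, overlap[use_cases[uc][0]]) for uc in ranked]

def required_sources(model, use_cases):
    """Data sources needed by use cases that cover at least one modelled attacker."""
    overlap = tactic_overlap(model)
    needed = set()
    for tactic, sources in use_cases.values():
        if overlap[tactic] > 0:
            needed |= sources
    return needed

def idle_sources(model, use_cases):
    """Sources that only feed use cases no modelled attacker exercises:
    candidates to leave out of the SIEM rather than ingest by default."""
    every_source = set().union(*(s for _, s in use_cases.values()))
    return every_source - required_sources(model, use_cases)

if __name__ == "__main__":
    for uc, coverage in prioritize(THREAT_MODEL, USE_CASES):
        print(f"{coverage} attacker group(s): {uc}")
    print("feed into SIEM:", sorted(required_sources(THREAT_MODEL, USE_CASES)))
    print("leave idle:", sorted(idle_sources(THREAT_MODEL, USE_CASES)))
```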