Do You Know When Your System Is Breached

Information security professionals are always racing to catch up with the bad guys.

Traditional information security (or cybersecurity) is focused on preventing unauthorized access to your network, systems, applications, infrastructure and data.

But, as we all know only too well, the people trying to get in are finding and exploiting vulnerabilities faster than we can plug the holes.

Surveys of security professionals around the globe report that more than 80 percent of companies know they have been hacked. The roughly 15 percent who did not report being hacked probably don’t know -- they just haven’t detected it yet.

Knowing is Half the Battle

And that brings me to a point I first made a few years ago: while it is essential to do what you reasonably can to keep hackers out, you also need to be able to know -- as rapidly as possible -- when somebody has breached your defenses.

A new paper, Security Analytics: A Required Escalation in Cyber Defense, expands on this point. The authors advocate for what they call “advanced security analytics”:

“Advance knowledge of the reconnaissance phase, early probes of vulnerable systems, suspicious lateral movement, and attempted exfiltration can give the cyber defense team the time they need to thwart the attack, and prepare for the follow-on attacks.”

As I understand the concept of security analytics, by monitoring traffic within your network you can detect patterns that may indicate intruders, and then act on what you find.
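To make the idea concrete, here is an added example (mine, not from the post or the paper it cites) that runs three simple pattern checks over constructed flow records: many distinct ports from one host (early probes), one host reaching many internal peers on admin ports (lateral movement), and a large outbound transfer to an external address (attempted exfiltration). The record layout, the 10.0.0.0/24 "internal" prefix, the admin port set and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): (src, dst, dst_port, bytes_out)
FLOWS = (
    [("10.0.0.5", "10.0.0.20", p, 60) for p in range(20, 45)]          # one host probing 25 ports
    + [("10.0.0.7", f"10.0.0.{i}", 445, 1200) for i in range(30, 42)]  # one host reaching 12 SMB peers
    + [("10.0.0.9", "203.0.113.50", 443, 900_000_000)]                 # one large external transfer
    + [("10.0.0.11", "10.0.0.12", 443, 5000)]                          # ordinary internal traffic
)

INTERNAL_PREFIX = "10.0.0."      # assumed internal range for this toy data set
ADMIN_PORTS = {22, 445, 3389}    # assumed "admin" ports watched for lateral movement


def analyze(flows, probe_ports=20, lateral_peers=10, exfil_bytes=500_000_000):
    """Return {src: set(categories)} for hosts matching any of the three patterns.

    Thresholds are illustrative assumptions; in practice they are tuned per network.
    """
    ports_per_src = defaultdict(set)      # distinct destination ports touched by each host
    peers_per_src = defaultdict(set)      # distinct internal hosts reached on admin ports
    ext_bytes_per_src = defaultdict(int)  # bytes sent to non-internal destinations

    for src, dst, port, nbytes in flows:
        ports_per_src[src].add(port)
        if dst.startswith(INTERNAL_PREFIX):
            if port in ADMIN_PORTS:
                peers_per_src[src].add(dst)
        else:
            ext_bytes_per_src[src] += nbytes

    findings = defaultdict(set)
    for src, ports in ports_per_src.items():
        if len(ports) >= probe_ports:
            findings[src].add("probe")
    for src, peers in peers_per_src.items():
        if len(peers) >= lateral_peers:
            findings[src].add("lateral")
    for src, total in ext_bytes_per_src.items():
        if total >= exfil_bytes:
            findings[src].add("exfil")
    return dict(findings)


if __name__ == "__main__":
    for host, categories in sorted(analyze(FLOWS).items()):
        print(host, sorted(categories))
```

Each of the three flagged hosts corresponds to one phase the quoted paper names; the benign host produces no finding.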

I am not going to advocate for any one solution, but suggest you and your management team answer this: How will you know when somebody has breached your system? Will you know fast enough to limit the damage or loss to an acceptable level?

Identifying Risk Areas in Advance

Your information security team should also be alert to the potential for attacks before they occur. The latest information security risk assessment solutions analyze intrusion attempts to highlight areas of greater risk. Organizations can then marshal their forces to the part of the battlements where an attack is most likely to occur.

Until a year or so ago, the volume of intrusion attempts and the data about them was so large (truly big data) that these cyber risk solutions could only analyze a sample of intrusion attempts. In-memory technology has changed that: the solutions can now analyze 100 percent of the population and provide far more useful information about potential intrusion attempts.

For example, the software used to be able to identify IP addresses suspected of being the source of attacks. Now it can go deeper, identify other IP addresses that appear to be related to the first one, and monitor those addresses as well.

Let me close with questions for you:

  1. Do you believe your defenses provide reasonable assurance that intrusions will be prevented?
  2. Will you know, fast enough to respond and limit any damage, should the defenses be breached?
  3. Do you know enough about what is likely to hit you tomorrow?
  4. Is the cost of your information security program commensurate with the potential for loss and its impact on your ability to achieve organizational objectives?

I welcome your comments.

Title image by Paolo Bona /