Cyber attacks are waged against organizations of all sizes and industries. It is more critical than ever that these organizations find ways to effectively detect and mitigate threats. For organizations looking to build out their threat detection capabilities and avoid disaster, here are 5 steps to effective threat detection:
- Know Your Network – It’s impossible to secure or monitor devices you don’t know exist. You should begin with an audit of the devices on your network, authorized and non-authorized. When individuals connect unauthorized devices, additional risks are introduced to your organization because you’re unable to know if these devices may already be infected or have unpatched vulnerabilities that will give attackers a means of ingress into your network. If you don’t know they are on your network, you can’t take steps to secure or isolate these devices. Nmap, for example, is a free tool you can use for this purpose. There are several commercial products as well.
- Monitor Your Network – The cornerstone of any threat detection program is monitoring. You need to collect log and event data from each device and correlate that data across multiple devices to look for patterns that may signal malicious activity. Typically, SIEM and log management solutions handle much of this data collection and correlation. You may also have next-gen firewalls or IDS/IPS solutions that actively seek anomalous activity in the data passing through them and take active steps to mitigate that traffic. Monitoring can also involve regularly scanning your devices for vulnerabilities, which can reveal software that may be exploited or systems that are not securely configured. Similarly, patching solutions can determine which devices have out-of-date software for which updates should be installed, and help to deploy those patches as needed.
- Have a Plan and a Process – Having these technologies alone, however, is not enough to effectively detect and respond to threats. You must have a well-thought-out process in place for how to systematically perform these activities and how you will address the issues you find. If you find a vulnerable piece of software during a scan, who will research the fix for that vulnerability, who will test and then apply the fix, and who will verify that the fix solved the issue? If a series of failed login attempts followed by a successful login from an unknown IP is discovered, how will you investigate and determine a course of action to ensure your data is secure? Having a solid plan in place is a vital step in effective threat detection, because detection without a response plan is not effective.
- Automate as Much as Possible – Manually reviewing log files is overwhelming and ineffective. It’s too easy to pass over individual event logs that, when seen in context, would signal a security incident. Automation reduces human error and keeps a consistent process in place over time.
- Get the Team You Need – Managing a threat detection program requires a significant human component. You need a team of security experts who are well trained in using the tools, who can staff 24x7 monitoring of alerts from your technologies, and who can quickly identify the cause of and proposed solution for identified incidents. For many organizations, it can be very difficult to find and retain enough qualified security staff to make this possible. For these organizations, Managed Detection and Response services can be a great option.
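The monitoring and automation steps above come together in a correlation rule like the one the post describes: a burst of failed logins followed by a successful login from an IP the organization does not recognize. The script below is an added example and is not Cygilant's code or part of the original post. It runs over constructed sshd-style log lines, correlates events by source IP across more than one host (so a spray split across two servers is still caught), and suppresses alerts for IPs on a hypothetical allowlist (`KNOWN_IPS`). The log lines, hostnames, usernames, IPs and the threshold and window values are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real logs).
# 203.0.113.45 fails on host1 and host2, then succeeds on host2.
# 192.0.2.10 has a single failure before success (normal typo).
# 198.51.100.7 looks like a brute force but is on the allowlist.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 host1 sshd[1201]: Failed password for alice from 203.0.113.45 port 51000 ssh2
2024-03-01T09:00:03 host1 sshd[1201]: Failed password for alice from 203.0.113.45 port 51001 ssh2
2024-03-01T09:00:05 host2 sshd[2210]: Failed password for alice from 203.0.113.45 port 51002 ssh2
2024-03-01T09:00:06 host2 sshd[2210]: Failed password for alice from 203.0.113.45 port 51003 ssh2
2024-03-01T09:00:09 host2 sshd[2210]: Accepted password for alice from 203.0.113.45 port 51004 ssh2
2024-03-01T09:15:00 host2 sshd[2300]: Failed password for bob from 192.0.2.10 port 40000 ssh2
2024-03-01T09:15:02 host2 sshd[2300]: Accepted password for bob from 192.0.2.10 port 40001 ssh2
2024-03-01T10:00:00 host1 sshd[1300]: Failed password for carol from 198.51.100.7 port 33000 ssh2
2024-03-01T10:00:01 host1 sshd[1300]: Failed password for carol from 198.51.100.7 port 33001 ssh2
2024-03-01T10:00:02 host1 sshd[1300]: Failed password for carol from 198.51.100.7 port 33002 ssh2
2024-03-01T10:00:03 host1 sshd[1300]: Failed password for carol from 198.51.100.7 port 33003 ssh2
2024-03-01T10:00:04 host1 sshd[1300]: Accepted password for carol from 198.51.100.7 port 33004 ssh2
"""

# Hypothetical allowlist of source IPs the organization already knows
# (for example, the office egress address). Constructed for this example.
KNOWN_IPS = {"198.51.100.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Parse one sshd-style auth line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce_success(lines, known_ips, threshold=3,
                              window=timedelta(minutes=10)):
    """Alert when a source IP has >= threshold failed logins within `window`
    (counted across all hosts) followed by an Accepted login, and the IP is
    not on the allowlist. Events are sorted by timestamp first so that logs
    collected from several devices can arrive out of order."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for ev in events:
        ip = ev["ip"]
        # Keep only failures that are still inside the correlation window.
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            failures[ip] = recent
            continue
        # Accepted login: decide whether the preceding failures are suspicious.
        if len(recent) >= threshold and ip not in known_ips:
            alerts.append({
                "ip": ip,
                "user": ev["user"],
                "host": ev["host"],
                "failures": len(recent),
                "success_at": ev["ts"].isoformat(),
            })
        failures[ip] = []  # a success resets the counter for this IP
    return alerts


def run_sample():
    """Run the rule over the constructed sample logs."""
    return detect_bruteforce_success(SAMPLE_LOGS.splitlines(), KNOWN_IPS)


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT: {failures} failed logins then success for {user} "
              "from {ip} on {host} at {success_at}".format(**alert))
```

Two design choices matter for the response plan the post asks for. Correlating by source IP rather than per host is what turns four individually unremarkable failures on two servers into one incident, and the allowlist is where the "unknown IP" part of the rule lives; without it, a legitimate user mistyping a password several times would page the on-call analyst. The `alert` dict carries the user, host and time so the investigation step has what it needs to start.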
With services such as Cygilant’s SOCVue security as a service, our 24x7 Global SOC team acts as an extension of your team to manage the technology and alert you to any identified issues, along with remediation guidance. We can also provide the compliance reporting needed to meet regulatory requirements. If you need help building an effective threat detection capability for your organization, request a demo today to see how Cygilant can help.