Last Updated on June 23, 2021
According to IBM Security’s 2020 Cost of a Data Breach Report, breaches caused by malicious attacks now take US organizations an average of 230 days to detect and an additional 85 days to finally contain. Every day that a breach goes undetected or unmitigated adds to potentially massive costs and risks. Why do detection and remediation take so long, and what can be done to accelerate the process?
To explore how automated and managed detection and response services can deliver improved security and compliance for SMBs, Chris Nyhuis, President and CEO of Vigilant, headlined a recent episode of The Virtual CISO Podcast. Hosting the show was John Verry, Pivot Point Security CISO and Managing Partner.
Security automation can’t detect novel attacks
In Chris’s extensive experience, increased security automation can be one of the factors contributing to increased attack detection times.
“It’s because of this idea that all these [security tools] are becoming more automatic, in a lot of cases, right? But threat actors are not fully automating their attacks. In most cases, when we go into organizations that had incidents, we’re seeing initial entrances to these organizations are manual. And they’re moving manually,” states Chris.
“These guys are smart,” adds John. “They know how you detect what they’re doing.”
“We call it ‘credit card security’—we actually trademarked that,” Chris replies. “If you can buy it with a credit card, so can a threat actor.”
How attackers stay one step ahead of security automation
“Security’s become so commoditized in today’s world,” continues Chris. “Every firewall you buy; every antivirus you buy; every piece of intel you can buy; all the best-practice documents that come out at the end of the year, where everyone goes, ‘Oh, let’s do that best practice list now…’ All those things are easily accessible to your threat.
“And what they do is they buy these things, they put them in their labs, and they write malware against it. They can literally log into it and see exactly what it can detect and what it can’t, and they tweak [the malware] just enough to where it no longer detects that attack. And then they go attack you, and they keep testing their attacks in their labs, all day long, until eventually it’s detectable.
“Because what happened? [The malware] went out, it was used for 315 days on average, and then some security researcher out there found it, tore it apart, reverse engineered it, created algorithms for it, uploaded it to the manufacturer, the manufacturer dumped it down to all the endpoints and all the firewalls, and guess what? [Those endpoints include] the ones that the threat actor has in their lab, and now they know what you’re doing.
The argument for MDR
“So when you say, ‘What can it detect, and what can’t it detect?’, in most cases—because these systems are not managed and curated for organizations—people (even MSPs) are installing firewalls or endpoints, and they’re just checking the boxes and it’s a default installation. So, it can’t detect much at that point,” emphasizes Chris.
“In most cases, if it’s a trending attack or trending alert, [the tool] is going to find it,” Chris clarifies. “But by the time they’re trending, or by the time you’re following best practices, you’re too late. Most things that are going to attack you, you’re not going to find, unless you’re doing deeper detection.”
Deeper detection means taking your tools off automatic and/or leveraging a third-party threat hunting service (e.g., managed detection and response) in your environment. MDR providers can monitor networks, analyze suspicious patterns, and respond to security alerts to reduce the time that novel attacks are active and undetected on your systems.
If you need to reduce cyber risk to your business and/or streamline compliance with CMMC, NIST 800-171 or other security guidelines, you need to watch this podcast show with Chris Nyhuis, CEO at Vigilant.