As attacker sophistication increases over time, techniques are adapted to circumvent cyber defenses. This makes securing your network and server infrastructure a challenging task. Not all attacks can be prevented but having proper detection countermeasures deployed is vital to any security strategy.
A cyber attack can happen to anyone on the internet. If you are unable to prevent a breach by a motivated attacker, active monitoring of your infrastructure is a critical security control that reduces the likelihood that the attacker goes undetected.
A key goal for any organization should be to reduce attacker dwell time. Dwell time is the amount of time a malicious actor can operate inside an organization before their presence is completely eliminated. The longer the dwell time, the more opportunity an attacker has to conduct malicious operations within the target network.
That being said, the average dwell time for cyber attacks is not measured in minutes or hours; it currently stands at an incredible 197 days, according to the 2018 Ponemon study on the cost of a data breach. This statistic indicates a general failure on the part of many organizations to detect and contain breaches. The massive Starwood/Marriott data breach, reported in late 2018, had a dwell time of more than 4 years. Employing proper active threat monitoring systems gives an organization a better chance of detecting an attacker that has penetrated the perimeter.
A periodic approach to security monitoring, such as performing weekly log reviews or monthly security scans, is a useless control for detecting a malicious actor. An active approach using automated intrusion detection techniques that trigger an incident response investigation should be used instead. During our penetration testing, we frequently find that our targets don’t notice our presence even when we start to brute-force their applications or systems. One of our goals during a penetration test is to determine if our target has the necessary detective controls to determine if they are under attack. In a recent penetration testing engagement, the target organization did not react to our exfiltration of data although it was detected and logged by their intrusion detection systems.
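The point above is that detection must trigger a response rather than only produce a log entry. The following added example (not code from the original post or from any product it describes) runs two simple detections over constructed, syslog-style sample lines: a sliding-window count of failed logins per source to catch brute-forcing, and a size threshold on outbound transfers to catch bulk exfiltration. Each alert is passed to a caller-supplied callback (the hypothetical `on_alert`, standing in for paging or ticketing) instead of just being written to a file.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
2019-03-01T10:00:01 sshd Failed password for admin from 203.0.113.7
2019-03-01T10:00:03 sshd Failed password for admin from 203.0.113.7
2019-03-01T10:00:05 sshd Failed password for root from 203.0.113.7
2019-03-01T10:00:06 sshd Failed password for admin from 203.0.113.7
2019-03-01T10:00:08 sshd Failed password for admin from 203.0.113.7
2019-03-01T10:00:09 sshd Failed password for admin from 203.0.113.7
2019-03-01T10:05:00 sshd Failed password for bob from 198.51.100.4
2019-03-01T10:30:00 proxy CONNECT 192.0.2.10 -> 203.0.113.9:443 bytes_out=734003200
2019-03-01T10:31:00 proxy CONNECT 192.0.2.11 -> 198.51.100.20:443 bytes_out=2048
"""

AUTH_RE = re.compile(r"^(\S+) sshd Failed password for (\S+) from (\S+)$")
XFER_RE = re.compile(r"^(\S+) proxy CONNECT (\S+) -> (\S+) bytes_out=(\d+)$")


def detect(lines, max_failures=5, window=timedelta(minutes=1),
           exfil_bytes=100 * 1024 * 1024):
    """Return alerts as (kind, source) tuples, in the order they fire."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts, src = datetime.fromisoformat(m.group(1)), m.group(3)
            hits = failures[src]
            hits.append(ts)
            # Drop failures that fell out of the sliding window.
            hits[:] = [t for t in hits if ts - t <= window]
            if len(hits) >= max_failures and ("brute_force", src) not in alerts:
                alerts.append(("brute_force", src))
            continue
        m = XFER_RE.match(line)
        if m and int(m.group(4)) >= exfil_bytes:
            alerts.append(("large_outbound_transfer", m.group(2)))
    return alerts


def run(log_text, on_alert):
    """Feed log text to detect() and hand every alert to the response hook."""
    alerts = detect(log_text.splitlines())
    for alert in alerts:
        on_alert(alert)  # hypothetical hook: page the on-call analyst, open a ticket
    return len(alerts)


if __name__ == "__main__":
    run(SAMPLE_LOG, lambda a: print("ALERT", *a))
```

With the sample lines, 203.0.113.7 crosses five failures within eight seconds and the 700 MB transfer from 192.0.2.10 crosses the size threshold, so two alerts reach the hook; the single failure from 198.51.100.4 and the 2 KB transfer do not.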
Active intrusion monitoring can give a vigilant security team a clear insight into what is happening in their infrastructure and allows them to discover and tackle breaches early.
If your organization has an internet presence and deals with personal data, conducts e-commerce, or processes financial transactions, your organization is a likely target for hackers. Automated and targeted attacks occur every second on the internet, and active intrusion monitoring systems can give cyber defenders a chance at detecting a malicious actor that breaches the perimeter.
Smaller organizations often have the misconception that hackers won’t find them enticing. In reality, smaller organizations that provide services to larger organizations which process or store valuable data are incredibly enticing to a hacker: they tend to have less mature security controls and can be used as a pivot point into the larger organization that holds the valuable data. A large percentage of attacks target small to medium-sized organizations because they pose the least resistance. Essentially, small businesses can be at more risk than the larger organizations to which they provide services.
The complexity and frequency of cyber attacks are increasing, and cybercriminals pounce on important user and company data through vulnerable access points. Without active and vigilant security monitoring, attacks will not be detected and contained early. No matter the size or budget of the company, investment in active security monitoring can greatly reduce the impact of an attack.