If you have been following the recent cyber security news, you will have noticed a new message in the market: invest in detection, and not so much in protection. Although we always advocate a good level of Protect, Detect and Respond across all three areas, I still see many of our customers with little or no protection in place. Why is this so?
In many ways, where you should invest depends on where you stand today, and that is what a Security Maturity Assessment establishes. Based on the level the assessment finds, we can determine whether a customer first needs to invest in protection.
Once the protection level is adequate, we can move on to detection and possibly discuss further technologies, such as User and Entity Behaviour Analytics (UEBA).
Today's user behaviour analytics relies on input from devices (endpoints, gateways, identity systems) from which a user's normal behaviour can be recognised. When customers reach this stage, they often go straight to our compliance team or to our CDC.
However, as technology advances and the industry changes, I believe we will move to newer approaches such as Detect / CDC / SOC 2.0, and find products and services that detect based on behaviour and machine learning rather than on rule-based analytics alone.
For example, when a user logs in remotely with a valid username and password, no alert is raised, because nothing looks wrong. But if that user logs in, or gets locked out, from a country they have never been seen in before, the behaviour itself can be detected: it suggests that someone other than the user may be using those credentials. In that case an alert should be triggered.
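As an added illustration (example code written for this page, not a product's or the author's own tooling), the check described above can be run over a few constructed authentication log lines. It assumes JSON-lines events with user, ts, country and result fields, where result is success, failure or lockout, and it generalises the page's case slightly: any activity from a country outside the user's baseline of successful logins raises an alert, with a lockout rated highest, while valid credentials used from a familiar country stay silent.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the page): history used to learn each user's
# normal countries, then a batch of live events to evaluate against that baseline.
HISTORY = """
{"user": "alice", "ts": "2024-03-01T08:02:11Z", "country": "NL", "result": "success"}
{"user": "alice", "ts": "2024-03-02T08:05:40Z", "country": "NL", "result": "success"}
{"user": "alice", "ts": "2024-03-03T21:14:03Z", "country": "BE", "result": "success"}
{"user": "bob",   "ts": "2024-03-01T09:00:00Z", "country": "NL", "result": "success"}
"""

LIVE = """
{"user": "alice", "ts": "2024-03-10T08:01:00Z", "country": "NL", "result": "success"}
{"user": "bob",   "ts": "2024-03-10T03:12:00Z", "country": "NL", "result": "failure"}
{"user": "alice", "ts": "2024-03-10T03:15:10Z", "country": "BR", "result": "failure"}
{"user": "alice", "ts": "2024-03-10T03:15:20Z", "country": "BR", "result": "failure"}
{"user": "alice", "ts": "2024-03-10T03:15:30Z", "country": "BR", "result": "lockout"}
"""

# Severity per outcome when the country is new for this user (assumed scale).
SEVERITY = {"success": "low", "failure": "medium", "lockout": "high"}
RANK = {"low": 0, "medium": 1, "high": 2}


def parse_events(text):
    """Parse JSON-lines authentication events; timestamps become aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def build_baseline(events):
    """Map each user to the set of countries they have successfully logged in from.
    Only successes count: a failed attempt from a country must not teach the
    baseline that the country is normal for that user."""
    baseline = defaultdict(set)
    for event in events:
        if event["result"] == "success":
            baseline[event["user"]].add(event["country"])
    return baseline


def evaluate(event, baseline):
    """Return an alert dict, or None when the event is within the user's baseline.
    A user with no baseline at all is treated as 'every country is new'."""
    known = baseline.get(event["user"], set())
    if event["country"] in known:
        return None  # valid credentials from a familiar location: nothing to raise
    return {
        "user": event["user"],
        "country": event["country"],
        "result": event["result"],
        "severity": SEVERITY[event["result"]],
        "ts": event["ts"].isoformat(),
    }


def run(history_text, live_text):
    """Evaluate live events against the learned baseline and collapse repeated
    events into one alert per (user, country), keeping the highest severity."""
    baseline = build_baseline(parse_events(history_text))
    alerts = {}
    for event in parse_events(live_text):
        alert = evaluate(event, baseline)
        if alert is None:
            continue
        key = (alert["user"], alert["country"])
        if key not in alerts or RANK[alert["severity"]] > RANK[alerts[key]["severity"]]:
            alerts[key] = alert
    return list(alerts.values())


if __name__ == "__main__":
    for alert in run(HISTORY, LIVE):
        print(alert)
```

On the constructed input this yields a single high-severity alert for alice from BR (the two failures and the lockout collapse into one), and nothing for the routine logins from NL. Two practical caveats: the country field has to come from geolocating the source address, so VPN exits and genuine travel will produce new countries, which is why a plain success from a new country is only rated low here; and the baseline should be learned from a period you have reason to believe was clean, otherwise an attacker's earlier successful logins become "normal".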
To raise your protection level, I recommend prioritising these three main areas:
- Perimeter (gateway to the Internet or datacenter)
- Network
- Endpoint / user
Perimeter: if you expose public services, external users will connect to your network. They should land in the DMZ, but they still pass through the perimeter, which is why it needs to be examined. If you have no public services, the network and endpoint/user areas are enough.
Network: depending on your industry, the network is also an area to consider. In healthcare, for example, you may have many third-party devices that you do not manage, or manage only rarely. This is easy to overlook, because in normal circumstances you do not need to think about them. Yet such a device can traverse your network unnoticed, because it is not covered by your endpoint protection.
Endpoint / User
More people are using cloud applications and working remotely from any place, including from home. This means the user may bypass your perimeter and network entirely and connect straight from the endpoint.
Therefore, it is important to select an endpoint protection solution that does not depend on tools or feeds from the local network. That keeps the behaviour monitoring discussed under Perimeter and Network accurate, and lets you still raise an alert when something goes wrong.
In summary:
- Do an assessment to see how mature your security is.
- Based on the assessment, we provide a score for People (user awareness, etc.), Processes (procedures, etc.) and Technology (solutions). Our Cybersecurity Advisory Services can help you invest in appropriate solutions for Awareness, Protect, Detect and Respond based on that score.
- Look at and invest in your Response process (it is not all about technology!) and tools.
- Once the above is in order, invest in the new way of detecting (CDC / SOC 2.0).