Modeling an effective threat detection and response program

Know Your Enemy

Managed threat detection and response services address a persistent security problem faced by every organization: real-time detection and response to threats ranging from everyday cybercrimes of opportunity to highly targeted attacks. Examples of each warrant a brief mention here. Perhaps no attack vector is more common these days than the exploit kit hosted on a popular website, designed to attack vulnerabilities in your employees' web browsers in a watering hole style attack during business hours. On the flip side, there is the classic breach. These are targeted attacks performed by motivated criminal intruders intent on penetrating your network and then pivoting from host to host with the goal of monetizing your company's sensitive data while you sleep. Companies need to ask themselves: "Are we truly postured to detect either security event in terms of both people and technology?", "Realistically, how long would it take to realize a system was recently compromised, assuming detection occurred at all?" and "Are we getting maximum value out of network security capital expenditures?"

Compress the Time Needed to Detect Critical Threats

Detection and response is the current industry-recognized network security paradigm in an age of adversary dominance. Powerful open-source exploitation frameworks, such as Metasploit, have both proliferated and incorporated graphical user interfaces that require little skill to use effectively. That said, prevention mechanisms still have value, so don't throw out traditional NIPS and A/V just yet! But these legacy controls are not enough by themselves. Additional means of threat detection are also necessary, including traffic analysis, file integrity monitoring, behavior analysis, threat reputation analysis, and more. Log data from these and other useful controls can be configured to flow into a centralized system designed to create a unified network security view. That view affords network defenders new opportunities to detect threats at all stages of the kill chain.

Detection, Validation, Analysis, and Prioritization of Critical Threats

Actionable intelligence necessitates validation, analysis, and prioritization. The value of validation should not be overlooked. To avoid wasting a scarce resource like time, event signatures must first be vetted to weed out false positives, leaving only high-confidence events. Analysis includes contextualizing the alerted event and correlating it with additional threat indicators. Finally, each event is prioritized so customers address the most pressing issues first. The end result is actionable intelligence in the form of a security event. This, and only this, quality of information is promptly delivered to the customer's secured private Portal.

Good (Risk) Shrinkage

A compliance audit itself never made anyone more secure, but it should at minimum get the audited organization thinking critically about its own security risk posture. Numerous compliance standards reference or outright require log monitoring. A SIEM or similar event log repository is one response to those standards. However, rolling your own hosted SIEM and letting it collect dust because you lack the time or expertise will not deliver much value. The real value comes from how effectively you use it to promote network security by identifying threats. Managed threat detection and response services should meet compliance specifications by harnessing big data technology both to securely store logs off-site, per industry best practice, and to sift through billions of records to find the signal lurking in the noise.

Managed Threat Hunting

It's not a breach until data leaves the network. Compromised client workstations can and do become footholds for criminal intruders to pivot toward the Internet-inaccessible endpoint systems storing sensitive information. Therefore, threats must be proactively sought out, as response time is paramount. Managed detection and response services should hunt for threats at all stages of the kill chain 24/7/365.

Real-time Actionable Intelligence

Managed detection and response services combine the best threat signatures available from an expansive list of security technologies, 24/7/365 threat hunting, original threat discovery techniques, and adaptive criteria taken from years of experience in order to deliver clients the real-time actionable intelligence needed to defend the modern network enterprise.
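The validate, analyze and prioritize flow described under "Detection, Validation, Analysis, and Prioritization of Critical Threats" can be sketched as a small triage pipeline. This is an added illustration, not NetWorks Group's code; the alerts, the false-positive list, the asset criticality table, the reputation feed and the scoring formula are all constructed assumptions.

```python
# Added example (not from the original post): a minimal alert-triage pipeline
# mirroring the validate -> analyze -> prioritize flow described in the text.
# All inputs below are constructed sample data, not real indicators.
from collections import defaultdict

# Constructed raw alerts as they might arrive from NIPS, A/V, traffic and behavior analysis.
RAW_ALERTS = [
    {"sig": "Exploit kit landing page",     "host": "ws-17", "src": "nips",     "ioc": "198.51.100.23"},
    {"sig": "Generic policy noise",         "host": "ws-17", "src": "nips",     "ioc": None},
    {"sig": "Outbound beacon to rare host", "host": "ws-17", "src": "traffic",  "ioc": "198.51.100.23"},
    {"sig": "Lateral SMB auth burst",       "host": "db-01", "src": "behavior", "ioc": None},
    {"sig": "Generic policy noise",         "host": "db-01", "src": "nips",     "ioc": None},
]

# Constructed context: signatures vetted as false positives, asset criticality
# (1 = workstation, 3 = sensitive data store) and a threat-reputation feed.
KNOWN_FALSE_POSITIVES = {"Generic policy noise"}
ASSET_CRITICALITY = {"ws-17": 1, "db-01": 3}
IOC_REPUTATION = {"198.51.100.23": "malicious"}

def validate(alerts):
    """Step 1 (validation): drop alerts whose signature is a vetted false positive."""
    return [a for a in alerts if a["sig"] not in KNOWN_FALSE_POSITIVES]

def analyze(alerts):
    """Step 2 (analysis): group by host, add asset context, reputation hits and
    how many independent sources corroborate activity on that host."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    events = []
    for host, items in by_host.items():
        sources = {a["src"] for a in items}
        bad_iocs = {a["ioc"] for a in items if IOC_REPUTATION.get(a["ioc"]) == "malicious"}
        events.append({"host": host, "alerts": items, "sources": sources,
                       "bad_iocs": bad_iocs, "criticality": ASSET_CRITICALITY.get(host, 1)})
    return events

def prioritize(events):
    """Step 3 (prioritization): assumed score = criticality * corroborating sources
    + 2 per malicious IOC; highest score is handled first."""
    for e in events:
        e["score"] = e["criticality"] * len(e["sources"]) + 2 * len(e["bad_iocs"])
    return sorted(events, key=lambda e: e["score"], reverse=True)

def triage(alerts=RAW_ALERTS):
    """Full pipeline: returns per-host security events, most pressing first."""
    return prioritize(analyze(validate(alerts)))

if __name__ == "__main__":
    for event in triage():
        print(event["host"], event["score"], sorted(event["sources"]), sorted(event["bad_iocs"]))
```

With the constructed data, the workstation with two corroborating sources and a known-malicious indicator outranks the more critical database host that has only a single uncorroborated behavioral alert.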

NetWorks Group is a Managed Detection & Response and Ethical Hacking Service provider. Our unique approach to security helps improve your security posture. Contact us today to talk to an expert.
