
Needed: Breach detection correction

Taylor Armerding | May 28, 2014
It is impossible to prevent all breaches. But experts say organisations can and must do a much better job at detecting and responding to them more quickly.

Bejtlich has demonstrated his admiration for Schneier's advice by providing much more than a summary on monitoring. His latest book is titled "The Practice of Network Security Monitoring" (NSM), in which he notes that NSM is qualitatively different from continuous monitoring (CM), which he said is a "hot topic" in U.S. government circles.

The focus of CM is to find vulnerabilities and patch them. The focus of NSM is to detect and contain adversaries before they can accomplish their mission. The latter, he said, offers the ultimate chance to defeat attackers because "prevention eventually fails."

Bejtlich agrees with other experts that the human element is key. In his new book, he writes that providing NSM effectively requires a computer incident response team (CIRT), which can range from one person to dozens. The CIRT must not only collect monitoring data, but also be able to analyze it to find where and how an organization may have been compromised.

The good news, Bejtlich said, is that it is possible to decrease detection and response times drastically -- from the current multiple months down to hours or less. Often there is more time than that before an attacker starts exfiltrating data, he said. "Target had a two-day window," he said.

"If we define success as the bad guys never get in, then we're defeated," he said. "But if I get to you before you accomplish your mission, then I win." And even if the response is longer than a matter of hours or days, any improvement can help. "Three weeks would be an order of magnitude better than what we are seeing now," he said.

And if even that fails, Christine Marciano, president of Cyber Data Risk Managers, said companies should buy some financial protection -- cyber insurance -- not only for themselves but also for their service providers or partners.

"Many larger organizations that contract with third-party service providers are also now requiring their providers to purchase cyber or data breach insurance to satisfy contractual indemnification requirements in the event of a data breach, as my agency has seen an uptick in such circumstances," she said.

