Step 3: Detect

Maintain visibility into your network so you can detect intrusions

Ensuring that a detect function is properly established within your organisation is crucial to building and maintaining cyber resilience: the sooner you can detect a cybersecurity event, the quicker you can mitigate its impact.

It’s a mistake for SMEs to believe that cyber-attacks are easily or immediately detected.

During 2019, the average time for the identification of a breach was 206 days with the average lifecycle of a breach being 314 days (from the breach to containment).

According to the Chartered Institute of Information Security (CIISec), the biggest cyber-attack of 2020 has “already happened”, it’s just not yet been detected.

Consequently, SMEs need to put detection mechanisms in place to prepare for the expected, a cyber-attack: it is not a matter of ‘if’ it will occur but ‘when’.


Timely detection

NIST defines the detect function as the function to “develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.” The goal is to discover cybersecurity events in a timely fashion so that attackers do not have adequate time to spread into other areas of the business and steal increasing amounts of data. Speeding up detection, through thorough identification of risks and implementation of protective security, allows an SME to significantly improve the protection of its crucial data assets.

In establishing a robust detect function, it’s essential to address the following questions and know that processes are in place to maintain adequate detection capabilities:

  • Who’s responsible for detecting suspicious activity and events?
  • How should these detections be reported and what should you do about them?
  • How can you test and constantly improve your detection systems?

It’s helpful to review these three outcome categories described within the NIST detect function and verify if you already have necessary processes in place or need to review them with your IT department.

Ensuring anomalies and events are detected, and their potential impact is understood

In order to detect anomalies, there needs to be a baseline of what normal activity looks like across your network and IT infrastructure. That baseline can only be established if the IT department has put in place the necessary monitoring, collection, and analysis of data across multiple points and then set incident alert thresholds. In simple terms, it’s about setting up control points, monitoring them, and knowing to take action when anything appears to be outside normal activity. Those triggers can be the first indicators of a cyber-attack and save invaluable time in reaction and containment.
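The baseline-and-threshold idea above, as an added example that is not part of the original article: failed-login counts per source address are measured over a known-good period, an alert threshold is derived from that baseline, and a later set of log lines is checked against it. The log lines, host names and addresses are constructed for illustration.

```python
# Added example (not the article's own code): derive an alert threshold from a
# baseline of failed-login activity, then flag sources that exceed it.
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sshd/syslog-style sample lines, not real data.
BASELINE_LOGS = """\
Mar 01 09:01:12 srv sshd[101]: Failed password for alice from 10.0.0.5 port 5000 ssh2
Mar 01 09:05:40 srv sshd[102]: Accepted password for alice from 10.0.0.5 port 5001 ssh2
Mar 01 10:11:03 srv sshd[103]: Failed password for bob from 10.0.0.7 port 5002 ssh2
Mar 01 11:30:55 srv sshd[104]: Failed password for bob from 10.0.0.7 port 5003 ssh2
Mar 01 12:02:19 srv sshd[105]: Accepted password for bob from 10.0.0.7 port 5004 ssh2
"""
CURRENT_LOGS = """\
Mar 02 03:14:01 srv sshd[201]: Failed password for invalid user admin from 203.0.113.9 port 6000 ssh2
Mar 02 03:14:02 srv sshd[202]: Failed password for invalid user root from 203.0.113.9 port 6001 ssh2
Mar 02 03:14:03 srv sshd[203]: Failed password for invalid user test from 203.0.113.9 port 6002 ssh2
Mar 02 03:14:04 srv sshd[204]: Failed password for invalid user guest from 203.0.113.9 port 6003 ssh2
Mar 02 03:14:05 srv sshd[205]: Failed password for invalid user oracle from 203.0.113.9 port 6004 ssh2
Mar 02 09:20:44 srv sshd[206]: Failed password for alice from 10.0.0.5 port 6005 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def failed_logins_per_source(log_text):
    """Count failed-login lines per source address (the monitoring data)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def alert_threshold(baseline_counts, sigmas=3, floor=3):
    """Threshold = baseline mean + sigmas * stddev, but never below `floor`."""
    values = list(baseline_counts.values()) or [0]
    return max(floor, mean(values) + sigmas * pstdev(values))

def detect_anomalies(baseline_text, current_text, sigmas=3, floor=3):
    """Return {source: count} for sources whose count exceeds the threshold."""
    threshold = alert_threshold(failed_logins_per_source(baseline_text), sigmas, floor)
    current = failed_logins_per_source(current_text)
    return {src: n for src, n in current.items() if n > threshold}

if __name__ == "__main__":
    for src, n in detect_anomalies(BASELINE_LOGS, CURRENT_LOGS).items():
        print(f"ALERT: {n} failed logins from {src} exceed the baseline threshold")
```

With these constructed inputs the baseline gives a threshold of 3, so the burst of five failures from 203.0.113.9 is flagged while alice's single failure is not.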

Implementing continuous security monitoring capabilities

This outcome calls for full end-to-end monitoring of IT networks and infrastructure in order to identify potential security issues and determine whether the actions taken as part of the protect function created the necessary safeguards. Your IT department should ensure continuous monitoring of all aspects of the IT network, physical environments, user access and permitted third-party activity. It’s strongly advised to have automated, recurring vulnerability scans performed on protected systems.

Whilst comprehensive penetration testing may be prohibitively expensive for an SME, cost-effective automated vulnerability scanning tools are readily available to SMEs. It’s worth noting that hundreds of security vulnerabilities are reported in network-connected systems, devices, and software each week, yet 85% of organisations globally have not fully deployed automation in their cybersecurity processes.

Maintaining detection processes to provide awareness of anomalous events

This outcome requires that detection procedures and processes are put in place and regularly tested to ensure timely and full awareness of potential cyber-attacks. Aside from your own need to know about a breach as soon as possible, it is also important to recognise that, where a breach involves personally identifiable information (PII), there is a mandatory reporting requirement to notify your relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the attack.

In any event, processes need to be documented, regularly tested, and continually improved. They should define clear ownership of roles and responsibilities, and describe how to detect unauthorised access to data as soon as possible. Detection processes require proactive security management, such as comprehensive security patching. Patches are changes recommended by the software provider that correct the weakness described by a vulnerability; applying them keeps all critical systems and applications up to date. It’s also recommended that your IT team regularly reviews all user-based privileges and access controls to help reduce risk exposure, and routinely removes or disables any unnecessary or no longer required components and tools.
