You have been following the NIST framework and have successfully identified the areas of risk and implemented protections against them. We’re now at the stage where we make sure we can detect any breaches that make it over the proverbial “wall.” This is a CRITICAL step that many companies unfortunately skip because they believe they’ve done everything needed to mitigate risks in the Protect step. The fact that the Detect step can be complex and expensive may also stall risk management momentum. Those who understand risk know how important the Detect step is, because hackers are energized by the game of security cat and mouse. How do you know if a hacker has learned to circumvent a protection layer, or an employee has gone rogue?
According to IBM’s Cost of a Data Breach report, the average time for a company to identify a breach is 206 days. That is nearly seven months of a hacker rampaging through your systems while you blissfully go about your business. If that doesn’t send a cold shiver down your spine, I don’t know what will!
You will not know you have been breached unless you are actively doing something to detect it. The Detect layer is your canary in the coal mine.
In the NIST Detect step, SMBs:
1. Determine detection options for critical systems, and
2. Implement appropriate detection along with the necessary procedures and reporting.
Determine detection options for critical systems
Most companies bypass the Detect step of NIST and, if breached, allow hackers to burrow into their systems for months and sometimes years. Why? Simple: Detection is demanding. It is not like installing anti-virus software, a set-it-and-forget-it Protect-level solution. Detection is laborious. The way to find out whether a hacker is in your systems is to catch their activity in log files. I’m talking about many systems, each with its own log files, and each recording thousands of actions that need to be reviewed. It is not uncommon to have well over 100,000 lines of log data to review every day. Much, if not all, of that log data is super techy, and a level of expertise is needed to understand it. Can you say data overload?
Firms generally have two paths they can take to monitor for possible breaches.
Labor-intensive cutting-edge technology
This can be expensive. There are enterprise systems, security information and event management (SIEM) platforms, that gather all the log files together and use AI and machine learning to review them in real time, looking for anomalies and hacker activity. These systems filter out the noise to a very high degree and send only the suspect activity to someone on the security team to review. Now, instead of having to look over 100,000 lines of results, you may only need to look at perhaps 100 lines of the highest-risk activity detected. This is great for sure, but it can also be very expensive. Luckily the costs are going down and this type of detection system is becoming more mainstream.
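As an added illustration of the noise reduction described above (example code written for this edit, not a product’s code or the author’s own), here is a small Python script that parses constructed sshd-style authentication log lines and applies three simple rules: a burst of failed logins from one source address, a successful login following that burst, and a successful login outside business hours. The log format, the five-failure threshold, the five-minute window and the 07:00 to 19:00 business-hours window are all assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real data).
# One brute-force burst against "admin" that succeeds at 02:11, plus
# ordinary daytime activity including bob mistyping his password once.
SAMPLE_LOG = """\
2024-03-04T02:11:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51122
2024-03-04T02:11:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51123
2024-03-04T02:11:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 51124
2024-03-04T02:11:07 sshd[1201]: Failed password for admin from 203.0.113.7 port 51125
2024-03-04T02:11:09 sshd[1201]: Failed password for admin from 203.0.113.7 port 51126
2024-03-04T02:11:12 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51127
2024-03-04T09:00:14 sshd[1340]: Accepted publickey for alice from 192.0.2.10 port 40001
2024-03-04T09:05:22 sshd[1344]: Failed password for bob from 192.0.2.11 port 40010
2024-03-04T09:05:30 sshd[1344]: Accepted password for bob from 192.0.2.11 port 40011
2024-03-04T17:30:00 sshd[1400]: Accepted publickey for alice from 192.0.2.10 port 40020
"""

# Assumed line format: ISO timestamp, sshd[pid], result, auth method, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines):
    """Turn raw lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect(events, fail_threshold=5, window=timedelta(minutes=5), business_hours=(7, 19)):
    """Return only the alerts worth a human's time; everything else is noise."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failed logins
    for e in sorted(events, key=lambda ev: ev["ts"]):
        # Drop failures that have aged out of the window before evaluating.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        if not e["ok"]:
            recent.append(e["ts"])
            failures[e["ip"]] = recent
            # Alert exactly once, when the burst first crosses the threshold.
            if len(recent) == fail_threshold:
                alerts.append(f"BRUTE_FORCE ip={e['ip']} failures={fail_threshold} within {window}")
            continue
        failures[e["ip"]] = recent
        # A success right after a burst of failures is the signal that matters most.
        if len(recent) >= fail_threshold:
            alerts.append(f"SUCCESS_AFTER_BRUTE_FORCE user={e['user']} ip={e['ip']} at {e['ts']}")
        # Assumed business hours: a successful login outside them gets a look.
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            alerts.append(f"OFF_HOURS_LOGIN user={e['user']} ip={e['ip']} at {e['ts']}")
    return alerts


def review(log_text):
    """Collect -> parse -> apply rules; report how much noise was removed."""
    lines = log_text.splitlines()
    events = parse(lines)
    alerts = detect(events)
    return {"lines": len(lines), "events": len(events), "alerts": alerts}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(f"{result['lines']} log lines -> {len(result['alerts'])} alerts for human review")
    for alert in result["alerts"]:
        print("  ", alert)
```

Running it, the ten constructed lines collapse to three alerts, all about the admin account; bob’s single mistyped password and retry stays in the noise, which is exactly the filtering a SIEM does at scale. A real deployment swaps the embedded sample for a log feed and tunes the thresholds per system, but the shape is the same: collect, parse, apply rules, and hand only the hits to a person.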
Simple technology layered together
An easier and more cost-effective way to achieve some level of detection is to implement layers of smaller systems that add up to a good security posture. For example, you can have the Dark Web scanned for your company’s data and user login accounts being offered for sale. You can implement a robust endpoint detection and response (EDR) solution that monitors computer activity, immediately blocks anything suspicious, and logs it for review. Some companies roll out a desktop mitigation platform that allows them to monitor, detect, and control all activity at the individual device level.
Implement appropriate detection along with the necessary procedures and reporting
Once you determine your approach to detecting hackers, it’s time to roll it out to your organization. Luckily, this is the easier part of the equation and consists of establishing the policies and procedures for reviewing the data. No matter the path you choose, there is very little impact on users or on any business function. Detection is all on the back end, and the heavy lifting is done by IT and your security team. If you choose the simple layered-technology route, a user may notice something is up when the installed detection platform catches something bad: the offending program is immediately stopped and suddenly closes on them. This is a good thing, because it limits the breach and starts isolating it.
The more challenging aspect of labor-intensive detection is needing someone or something to analyze the reams of information. We leverage systems with robust artificial intelligence and machine learning to greatly reduce the noise, so our security techs only need to spend time reviewing actual possible risks. Along with the data, we apply our NIST-oriented policies and procedures to make sure that the outcome is as strong as the data inflow. Without this piece, you could have an amazing platform gathering great log data and never know that a hacker is in your network stealing your data.
Conclusion: Detecting Cyber Risks in SMBs Using the NIST Framework
Detection is a critical step for maintaining your security. Without it, you will find out too late that you have been hacked. Over time, detection systems will be integrated into protection systems, which will make life easier for everyone. In the meantime, it is time to take the detection layers of your security sandwich seriously and do something about it. Don’t you want to know if a hacker is in your data? I know I do…