The Surprising Truth About Threat Detection and Response

When it comes to disease, doctors and health organizations often preach the benefits of prevention over detection. The reason is obvious and irrefutable: it makes far more sense to be proactive and catch something early, before it can cause real harm and before treatment costs climb.

But over the past several years, the cybersecurity industry has flipped this way of thinking on its head. When we asked 1,414 security professionals from around the globe, as part of the 2016 Security Pressures Report from Trustwave, to name the security responsibility they face the most pressure to address, 40 percent cited the detection of vulnerabilities, malicious activity or compromises.

Far fewer specified feeling pressured by responsibilities that could fall under the "prevention" umbrella: blockage of malware, social engineering attempts and vulnerabilities (through patching).

If this is indeed a sea change in how you think about security for your organization, it's important to understand why it is happening and how to do detection effectively.

For starters, you have probably become far better at keeping "low-hanging fruit" threats, such as those that exploit widely known vulnerabilities, out of your environment.

Still, it's possible you are continuing to overinvest in traditional perimeter technologies, which have limited ability to defend against targeted attacks. These are now common: criminals invest ample time and resources into compromising a particular organization, often with custom malware built to evade its controls. When such a threat slips past your frontline defenses, you tend not to know about it, and the attacker can move laterally across the corporate network to reach prized assets like sensitive data and intellectual property.

Thus, you must change the perception of security and accept that intrusions are going to happen - and you must detect them before it's too late and respond to them before real damage is done.

That pesky security skills shortage

The reason so many companies feel pressured when it comes to detection, however, is that they are poor at doing it. Part of that is due to attackers deftly tweaking threats to evade identification, but part is that organizations often lack the skills to assess indicators of attack and compromise and to isolate a threat once it has made its way inside.

The 2016 Security Pressures Report from Trustwave found that a shortage of security expertise now ranks as the third-biggest operational pressure facing security professionals, up from eighth place the year before. In the same vein, when we asked respondents to name their top security wish for 2016, 20 percent cited more security expertise, but just three percent named staff augmentation. That suggests companies are starting to realize that throwing bodies at the problem isn't going to solve it. They may have open headcount, resumes pouring in and even the budget to fill the roles, but they are not finding the right fits.

To mature your detection and response, you need skilled personnel at the ready to help you make sense of the "noise": people who can comb through alert data, minimize false positives and false negatives, and determine which threats must be addressed first. That is especially true in an age when so many new devices are coming online and data is traveling to so many places, including third parties.

Threat monitoring, analysis and management solutions, for example, require basic system administration to perform tasks like running health checks on software, hardware and storage. They also require more seasoned skills: the ability to examine data, knowledge of systems across the IT infrastructure, experience with nearly every security point solution, and the ability to define and analyze correlations between events. Many companies lack this range of abilities in house.

Gaining visibility and insight into what is happening on your network doesn't just involve collecting and analyzing logs, vulnerability data and traffic flows. It also requires actionable external data and intelligence (such as the latest exploits, indicators and attacker techniques) and an understanding of how these may affect your business.
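To make the triage, correlation and enrichment work described above concrete, here is an added example in Python. It is not Trustwave code and not part of the report; it is an illustration written for this page. It assumes log events already normalized into records with ts, type, src, dst, user and port fields, a constructed threat-intelligence feed of known-bad IPs, and an assumed asset-value table that stands in for whatever inventory or tagging scheme an organization uses. The three rules (a burst of failed logons followed by a success, fan-out over SMB/RDP from a host that was just compromised, and a connection to an indicator from the intel feed) are deliberately simple, but they show how raw events become a short, prioritized list while single-failure noise is dropped.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, shaped like normalized SIEM records. Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2016-03-01T09:00:01", "type": "auth_fail", "src": "10.0.5.23", "dst": "fs01", "user": "svc_backup"},
    {"ts": "2016-03-01T09:00:07", "type": "auth_fail", "src": "10.0.5.23", "dst": "fs01", "user": "svc_backup"},
    {"ts": "2016-03-01T09:00:13", "type": "auth_fail", "src": "10.0.5.23", "dst": "fs01", "user": "svc_backup"},
    {"ts": "2016-03-01T09:00:19", "type": "auth_fail", "src": "10.0.5.23", "dst": "fs01", "user": "svc_backup"},
    {"ts": "2016-03-01T09:00:25", "type": "auth_fail", "src": "10.0.5.23", "dst": "fs01", "user": "svc_backup"},
    {"ts": "2016-03-01T09:00:40", "type": "auth_ok",   "src": "10.0.5.23", "dst": "fs01", "user": "svc_backup"},
    # fs01 then reaches out over SMB/RDP to several internal hosts: lateral movement.
    {"ts": "2016-03-01T09:02:10", "type": "net_conn", "src": "fs01", "dst": "db01",  "port": 445},
    {"ts": "2016-03-01T09:02:15", "type": "net_conn", "src": "fs01", "dst": "hr01",  "port": 445},
    {"ts": "2016-03-01T09:02:20", "type": "net_conn", "src": "fs01", "dst": "web02", "port": 3389},
    # An unrelated workstation talks to an address on the intel feed.
    {"ts": "2016-03-01T09:05:00", "type": "net_conn", "src": "ws17", "dst": "203.0.113.45", "port": 443},
    # A user mistypes a password once and then logs in: noise, should not alert.
    {"ts": "2016-03-01T11:00:00", "type": "auth_fail", "src": "10.0.7.8", "dst": "ws03", "user": "jdoe"},
    {"ts": "2016-03-01T11:00:30", "type": "auth_ok",   "src": "10.0.7.8", "dst": "ws03", "user": "jdoe"},
]

# Constructed threat-intel feed (documentation-range address, not a real indicator).
THREAT_INTEL = {"ips": {"203.0.113.45"}}

# Assumed asset-value table: higher means the host holds more prized data.
ASSET_VALUE = {"db01": 10, "hr01": 8, "fs01": 5, "web02": 3, "ws03": 1, "ws17": 1}

BRUTE_FORCE_THRESHOLD = 5          # failures before a following success is suspicious
WINDOW = timedelta(minutes=5)      # failures older than this are forgotten
LATERAL_FANOUT = 3                 # distinct SMB/RDP targets from one compromised host
LATERAL_PORTS = {445, 3389}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_brute_force(events):
    """Flag (src, dst) pairs with >= THRESHOLD failures inside WINDOW followed by a success."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=_ts):
        key = (e["src"], e["dst"])
        if e["type"] == "auth_fail":
            failures[key].append(_ts(e))
        elif e["type"] == "auth_ok":
            recent = [t for t in failures[key] if _ts(e) - t <= WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "host": e["dst"],
                               "src": e["src"], "user": e["user"], "ts": e["ts"], "score": 40})
            failures[key].clear()   # a success resets the counter for that pair
    return alerts


def find_lateral_movement(events, compromised_hosts):
    """Flag a compromised host that fans out over SMB/RDP to >= LATERAL_FANOUT internal hosts."""
    fanout = defaultdict(set)
    for e in events:
        if e["type"] == "net_conn" and e["port"] in LATERAL_PORTS and e["src"] in compromised_hosts:
            fanout[e["src"]].add(e["dst"])
    alerts = []
    for src, targets in fanout.items():
        if len(targets) >= LATERAL_FANOUT:
            # Weight by what the attacker touched, not only by the count of hops.
            reach = sum(ASSET_VALUE.get(t, 0) for t in targets)
            alerts.append({"rule": "lateral_fanout", "host": src,
                           "targets": sorted(targets), "score": 30 + reach})
    return alerts


def find_intel_hits(events, intel):
    """Flag outbound connections whose destination appears in the external intel feed."""
    return [{"rule": "threat_intel_match", "host": e["src"], "indicator": e["dst"],
             "ts": e["ts"], "score": 50}
            for e in events if e["type"] == "net_conn" and e["dst"] in intel["ips"]]


def triage(events, intel):
    """Run the rules, chain brute force into lateral movement, then rank by score plus asset value."""
    alerts = find_brute_force(events)
    compromised = {a["host"] for a in alerts}
    alerts += find_lateral_movement(events, compromised)
    alerts += find_intel_hits(events, intel)
    for a in alerts:
        a["score"] += ASSET_VALUE.get(a["host"], 0)
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, THREAT_INTEL):
        print(alert["score"], alert["rule"], alert["host"])
```

On the constructed events the lateral fan-out from fs01 ranks first because it touched the database and HR hosts, the intel hit on ws17 comes second, and the brute force that started the chain is third; the single mistyped password on ws03 produces nothing. The thresholds and weights are the part an analyst tunes per environment, which is exactly the judgment the text says is in short supply.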

The same goes for incident response. Businesses often fall short in identifying the source of an incident, isolating the affected systems, containing the damage, establishing a removal and remediation strategy and, finally, acquiring and analyzing forensic data, never mind preparing for such an episode before it happens.

So where do you find these seasoned professionals if they aren't showing up in your lobby, donning a suit and ready for an interview?

One way to counterbalance the skills and visibility deficit is to partner with a managed security services provider, which can deliver those detection and response capabilities on your behalf.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.