To Consistently and Significantly Reduce Time to Detection, Security Teams Must Combine Sophisticated Threat Defenses with Skilled Security Researchers
Breaking down barriers. It’s what humans do – breaking the sound barrier, breaking the four-minute mile, conquering the Earth’s highest mountain. Once these records are broken, these feats become nearly routine. Military aircraft break the sound barrier every day. High-school track stars can run four-minute miles. More than 4,000 people have climbed Mt. Everest.
For security professionals it has become increasingly obvious that the barrier to break involves time to detection (TTD), the window of time between the first observation of an unknown file and the detection of a threat. Based on various studies and research, the current industry measures for TTD are between 100 and 200 days. At that pace, by the time a breach is detected the damage has already been done. Credit card data, bank account information, credentials – whatever valuable digital assets you need to protect – have been compromised.
Given the reality that some attacks will get through defenses, our ability to quickly detect a compromise and then stop the exploitation of an attack is today’s true measure of security effectiveness. What does it take to break the TTD barrier and get it down to below one day so we can act and remediate faster?
First, we need to more quickly identify commodity malware. The industrialization of hacking and the greater use of commodity malware play an important role in our ability to narrow the window on TTD. As soon as a threat becomes industrialized, it becomes more widespread and thus easier to detect. Recent examples include Cryptowall 3.0, Upatre, and Dyre.
We also need to bring together as many sources of intelligence as possible, along with massive amounts of data and telemetry, to correlate behaviors and traffic patterns and identify zero-day threats. This analysis must be continuous so that malware can be detected retrospectively – files that initially seem benign or are unknown, but later exhibit malicious behavior. This capability is critical in combating the rise in evasive activity demonstrated by the Angler exploit kit.
Additional retrospective security capabilities include the ability to see a file’s trajectory across the enterprise, understand the scope of the attack, quarantine all affected devices, and execute automated or hands-on remediation before reattaching the device to the network. Retrospective security is critical to accelerating TTD as well as remediation.
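As an added illustration of the retrospective workflow described above (not code from the original post or from any vendor product), the following Python snippet records file observations as they arrive, applies verdicts that come in later, and computes per-file TTD, the file's trajectory (which hosts saw it) and the resulting quarantine scope. The telemetry, host names and hash values are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (timestamp, host, file hash) for every file
# first seen on a device. The hashes are placeholders, not real indicators.
OBSERVATIONS = [
    ("2015-06-01T08:00:00", "ws-17", "hash-A"),
    ("2015-06-01T09:30:00", "ws-22", "hash-A"),
    ("2015-06-02T14:10:00", "srv-03", "hash-A"),
    ("2015-06-01T10:00:00", "ws-05", "hash-B"),
    ("2015-06-02T00:00:00", "ws-09", "hash-C"),
]

# Constructed verdicts that arrive later from continuous analysis and
# threat intelligence: (timestamp, file hash, verdict).
VERDICTS = [
    ("2015-06-03T08:00:00", "hash-A", "malicious"),
    ("2015-06-02T10:00:00", "hash-B", "clean"),
    ("2015-06-02T12:00:00", "hash-C", "malicious"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def retrospective_detections(observations, verdicts):
    """For each file later judged malicious, return TTD in hours (verdict time
    minus first observation) and the trajectory of hosts that saw the file."""
    first_seen = {}
    trajectory = defaultdict(set)
    for ts, host, h in observations:
        t = _ts(ts)
        first_seen[h] = min(t, first_seen.get(h, t))
        trajectory[h].add(host)
    results = {}
    for ts, h, verdict in verdicts:
        if verdict != "malicious" or h not in first_seen:
            continue  # clean files and never-seen hashes need no response
        ttd = (_ts(ts) - first_seen[h]).total_seconds() / 3600
        results[h] = {"ttd_hours": ttd, "hosts": sorted(trajectory[h])}
    return results


def median_ttd_hours(results):
    """Median TTD across retrospective detections; None if there are none."""
    vals = sorted(r["ttd_hours"] for r in results.values())
    if not vals:
        return None
    n, mid = len(vals), len(vals) // 2
    return vals[mid] if n % 2 else (vals[mid - 1] + vals[mid]) / 2


def hosts_to_quarantine(results):
    """Scope of the attack: every host that ever saw a malicious file."""
    return sorted({host for r in results.values() for host in r["hosts"]})
```

Run against the sample data, hash-A is detected 48 hours after first sight on three hosts and hash-C after 12 hours, giving a median TTD of 30 hours and four devices to quarantine.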
But it isn’t all about technology. To consistently and significantly reduce the median TTD we must combine sophisticated threat defenses with skilled security researchers. These experts bring the ability to proactively analyze the global threat landscape, continuously monitor and correlate information to detect emerging threats, identify new sources of intelligence, adapt defenses, and strive for operational excellence.
Still, some threats go unnoticed and remain unchecked in the race to deflect the onslaught of zero-day attacks. That’s where systemic response can help – the ability to trigger a system-wide response capable of correlating and analyzing all information to find, block, and contain threats everywhere, instantly, across the entire security infrastructure.
The desire to break down barriers and leave them in our wake is human nature. We understand what’s required and have the technology and skills to break the one-day barrier in TTD. Now let’s work together to make it routine.