The defender’s dilemma: why IT teams must move beyond antivirus. Posted by Shaun Farrow, 08 Oct 2021

For Security

Protect your business from cyberattacks by adopting a proactive security posture. 

In tandem with today’s rapidly evolving digital landscape, cyberattacks are on the rise. With a 62% increase in global ransomware attacks alone since 2019(1)securing your business has never been so important  and despite there being so many solutions and vendors available to businesses, creating a robust cybersecurity strategy is not as simple as it may first seem. 

Quote 1

The defender’s dilemma states that breaches are inevitable because defenders have to be right 100% of the time whereas attackers only have to be right once.”Quote 2

As stated above(2), preventative measures only have to be wrong once. Whether a phishing link or a distracted end user, a breach in your defence is now a matter of when, not if. Yet many businesses still rely solely on traditional solutions such as antivirus, which means that when something does get through, they have no visibility or awareness until it’s too late and the damage is done.

A framework for cybersecurity

To establish a solid, multifaceted defence, it’s important to consider several key elements and layer these on top of one another — which is where the National Institute of Standards and Technology (NIST) cybersecurity framework(3) comes in:

From thermostats to entry systems, TVs to environmental sensors, few businesses maintain a comprehensive list of the devices on their network. Yet 100% visibility is a prerequisite to an effective security posture, including assets, people and data. Only when you truly understand what you need to protect can you start to layer the solutions and services to fulfil that requirement.

The aim of the protection layer is to develop and implement safeguards that will prevent a cybersecurity event. It is often said that “prevention is better than cure”, and this principle is fundamental to creating an effective cybersecurity strategy.

Antivirus

Next-generation antivirus (AV) vendors can leverage the cloud to detect non-standard behaviour using artificial intelligence and machine learning. This forms a sound basis, but it’s important to note that detection is still based only on the tactics, techniques and procedures that are already known.

Firewall

Firewalling is the next logical layer, typically protecting the environment from the network edge. Firewall solutions have evolved from the straightforward block/allow list and now permit traffic based on identity, application and job role, with some even analysing traffic as it flows through the firewall itself.

Email filtering

94% of all breaches use email for the initial compromise(2). It’s an easy target as email addresses are often published or guessable and usually provide a direct path to the intended recipient — so email filtering is another key layer to a comprehensive security solution.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) offer value for money and are often bundled with other licencing. These mechanisms significantly increase the difficulty of hacking. In fact, it’s estimated that 80% of breaches could have been stopped with the use of MFA or 2FA(2).

Employee awareness

It’s sometimes overlooked that employees can be your greatest asset when it comes to prevention. By regularly delivering cybersecurity awareness and education sessions, your workforce can pick up on events or behaviours that may otherwise go unnoticed by automated software — eg, emotive or out-of-character language encouraging an end user to click a link in an email.

Neglecting to prepare for an attack could have devastating consequences for a business, which is why Business Continuity and Disaster Recovery plans are essential.

A recent Cybereason report(4) which surveyed businesses that have been hit by Ransomware attacks highlighted some interesting findings:

  • Nearly 75% had a specific plan or policy in place to manage an attack, yet just under 60% believed they had the right people in place to get the job done
  • 34% were forced to close their organisation for some period of time
  • 80% of those who paid a ransom experienced another attack
  • Only 46% regained access to their data following payment; some or all of the data was corrupted

Indeed, the National Cyber Security Centre (NCSC) recently revealed that a large unnamed UK organisation paid a ransom of £6.5M and regained access to their files — only to be hit again two weeks later because they performed no incident response(5).

Hypothetically speaking, it’s easy to suggest that a business would simply not pay a ransom — after all, who wants to be funding cybercriminals? However, when actually faced with such a decision — either pay the ransom or lose the data and start from scratch — it becomes a more challenging question to answer.

Furthermore, IBM has reported that the average time to identify and contain a breach has increased from 200 to 280 days(5), which highlights the need for a comprehensive backup solution — not simply one that restores to before the ransomware event takes place but something that goes back long enough to predate the breach itself. Even then, it’s difficult to know when exactly to restore from to avoid reinstating the same malware.

An effective incident response involves experts forensically examining a machine to understand the detail and timeline of an incident, thereby arming the business with the information they need to recover and perform whatever remediation is required.

The missing pieces

While the above three essentials — Identify, Protect and Recover — are often incorporated within traditional cybersecurity solutions, the remaining two categories are frequently neglected despite their significance.

The Detect and Respond elements enable an organisation to shift the entire dynamic of the defender’s dilemma, discovering and neutralising a threat before the threat actor has been able to achieve their goal. And turning a reactive approach into a proactive one ultimately saves money, time and reputation. Here’s an overview of some of the key options available to achieve this additional layering.

Security Information and Event Management

Security Information and Event Management (SIEM) ingests logs from as many devices as possible across the network. Most businesses that have adopted SIEM do so to comply with data retention policies which are a requirement of their regulatory bodies — but without the data being actively reviewed and enriched, a SIEM solution has limited benefit regarding early detection.

However, in the event of a breach, it will increase the chance that all the information is readily available for the incident response team, thereby reducing cost.

Security Orchestration, Automation and Response

Going one step further, NextGen SIEM solutions allow for compliance but also aid detection when the data is enriched by including Security Orchestration, Automation and Response (SOAR). In addition to grouping alerts from various applications and appliances into an incident, some solutions allow for limited integration with a company's security stack.

Endpoint Detection and Response

The downside to SIEM and SOAR is that they have a significant cost. For companies where compliance isn’t the deciding factor, Endpoint Detection and Response (EDR) is a more cost-effective middle ground. EDR leverages the AV agent on the endpoint and is simply an add-on to that licence. The agent will stream information to a centralised database where it remains and is available for retrospective analysis.

Extended Detection and Response

Extended Detection and Response (XDR) is a more comprehensive solution encompassing EDR but also including cloud, network and firewall. Conceptually similar to SIEM and SOAR, XDR can dynamically update firewall rules and isolate users as part of the response.

Security Operations Centre

Utilising the above tools alone may allow earlier detection of a threat actor, but to be truly effective this data needs to be proactively interrogated by being paired with the monitoring and analysis capabilities of a Security Operations Centre (SOC). This is referred to as ‘threat hunting’ — identifying unusual behaviour and checking for any Indicators of Compromise (IOCs) within that historic dataset — and is how businesses can even the playing field between network attackers and defenders.

Realistically though, few businesses have an internal SOC, and the tools detailed above come at a significant cost — meaning the two combined are out of reach for most companies. This is where Managed Detection and Response (MDR) comes in.

Managed Detection and Response

MDR involves outsourcing the combined Detect and Respond elements to specialists who investigate alerts and incidents and assist in remediation where necessary. By using automation and scaling their infrastructure, MDR vendors can achieve the same goal at a more accessible price point.

Getting serious about cybersecurity

Cybersecurity doesn’t make for light reading, and its complexities are exacerbated further by a lack of in-house expertise in many businesses. So to maintain your brand reputation, prevent significant loss of both data and revenue, and avoid financial penalties, it’s imperative that you have strong capabilities in place. At Bistech, we take a tailored, multi-layered approach to security to help you protect, detect and respond to ever-changing cyber threats. To discuss your security needs, call our expert team today on 03330 11 22 55.

 


(1) Rushe & Borger, 2021, ‘Age of the cyber-attack: US struggles to curb rise of digital destabilization’
(2) Libicki et al, 2015, ‘The Defender’s Dilemma: Charting a Course Towards Cybersecurity’
(3) National Institute of Standards and Technology, ‘Cybersecurity Framework’
(4) Cybereason, 2021, ‘Ransomware: The True Cost to Business’
(5) IBM Security, 2020, ‘Cost of a Data Breach Report’