Johannesburg, 23 Jul 2024
Effective managed detection and response (MDR) and incident response preparedness can result in a 90% reduction in cumulative risk of a serious cyber incident, while a comprehensive security operations approach, including vulnerability management and security awareness training, could push that towards 99%.
This is according to Nathan Little, Vice-President of Incident Response at Arctic Wolf, who says comprehensive in-depth cyber defence is transformative for organisations.
Little says: “The value of cyber security solutions is uniquely difficult to quantify. To appreciate the value of a risk reduction, it’s first necessary to quantify the magnitude of the underlying risk. A 90%-plus reduction in risk is impressive – but for a negligible risk, it may not be very important. On the other hand, a 90% reduction in a serious risk is an extremely valuable outcome.”
He notes that IBM found the average cost of a data breach in 2023 was $4.45 million dollars. “From this, we can see that cyber attacks represent a serious threat to the business,” he says.
Little says Arctic Wolf research has found that security operations incident avoidance best practices slash cyber risk and losses due to breaches.
“The first major security operations area to consider is detection and response activities, an umbrella category that includes data collection across attack surfaces and IT systems to both identify attacks in progress and enhance security on an ongoing basis. These practices, when effectively implemented, can drive a 90% overall reduction in incident risk, based on our observations,” he says.
Little highlights key practices:
1. Network detection
“In incident response, we see many attacks that could have been stopped in their tracks if detected early through suspicious network traffic, MFA fatigue attempts, exploitation of known bad passwords or other key network signatures,” he says.
2. Agent deployment
The network isn’t the only attack surface where visibility is valuable, Little says. “Many of the incidents we handle involve the execution of malicious code on the endpoint, a spot where timely detection, containment and response could have made a difference. In a comprehensive detection and response practice, agent visibility represents a key component of total detections – about 30%, based on our data.”
He adds: “Of course, by the time malicious code is attempting to execute on the endpoint, there’s going to be some amount of response required, but endpoint agents can make the difference between a minor headache and a serious disaster.”
3. Security posture guidance
Little says detection and response solutions can also drive security guidance, including everything from best practices to configurations of other security tools. Such insights can complement and enhance every other security practice.
4. Vulnerability management
The next major security operations area that can reduce the likelihood of a cyber incident is vulnerability scanning.
Little says: “Our Arctic Wolf Incident Response research and response experience shows that over 70% of cases we respond to involve exploiting a known vulnerability or internet-facing security weakness, such as remote access without MFA, for initial compromise. Scanning for these vulnerabilities and implementing a patching cadence to repair the most serious ones can dramatically reduce these incidents.
“Of course, what fraction of such incidents can be eliminated through vulnerability management depends on how the programme is implemented and the risks it’s seeking to address. In addition, the top line number may vary from organisation to organisation.”
5. Awareness and training
Little notes that it’s not just systems that need to be tuned and protected. “Staff require the same investment. Awareness and training programmes can build a culture of security, reducing the likelihood that human error will offer an initial foothold to attackers – something we found happened in 28% of cases,” he says. “Again, identifying what fraction of those 28% of incidents can be eliminated through awareness investments is a complex, case-by-case analysis.”
6. Incident response preparedness
Little says preparing for incident response is also crucial. “Organisations that haven’t done any incident response planning are typically caught by surprise in the event of an actual attack. Nobody knows who to call or what to do. This cedes vital ground to the attackers, who have been granted precious hours to run amok, encrypting systems, stealing data and wreaking other havoc,” he says. “With an incident response plan, including backup and restoration strategy, and an emergency team identified in advance, this chaos can be avoided, giving the defenders and responders like me an advantage.”
Little concludes: “Each of these security practices is valuable on its own, and I’d recommend any one of them. But it’s when these practices are combined through a unified security operations solution, we assert it’s possible to achieve dramatic reductions in overall risk.”
Share