The ever-evolving threat landscape over the last few years should have prompted organizations of all sizes to revise their data protection methods. The volume of incoming data is now staggering, and will only continue to increase—and much of that data is sensitive or of great value to cybercriminals. Data may be structured or unstructured, distributed across numerous locations, and encrypted or unencrypted. Thus, many organizations are attempting to protect data without knowing what they have, whether it is valuable or even where the data resides.
As the era of big data has exploded, so, too, have the number and size of cyberattacks. Hackers have grown increasingly adept, often refining their skills beyond those of many cybersecurity experts. Today’s hacker may be an idealistic “lone wolf,” but he or she is more likely to be an employee of a foreign government or associated with a gang of highly organized criminals. This means that attacks can be carefully planned and executed over many months, probing a target’s vulnerabilities repeatedly until an intrusion is eventually successful.
Cybersecurity teams often are at a disadvantage when it comes to protecting data. It has become increasingly difficult to find and retain qualified, experienced cybersecurity experts, and this talent gap won’t be narrowing significantly anytime soon. Economic issues have forced many organizations to trim their budgets, which can result in reduced funding for the security operations center (SOC) or reduced staffing levels. However, even major corporations with large cybersecurity budgets and massive teams are finding it difficult to prevent breaches and keep their data secure. The breaches suffered by Home Depot, Sony and other high-profile corporations—as well as breaches at the U.S. Office of Personnel Management and the Pentagon—demonstrate that cybercriminals are winning more than their fair share of the battles.
It is not that organizations are unaware of the need to protect their data. Virtually all companies have some type of cybersecurity program in place. However, most of them choose to take either a reactive approach to threats or a proactive security stance. But what they truly need is an approach that integrates both methods.
Reactive vs. Proactive: The Differences
With a reactive approach, action does not begin until an incident occurs. This does not necessarily mean that a breach has occurred; it simply means that some unusual or threatening activity has triggered an alert. Unfortunately, an organization can receive several thousand alerts in a single day. Many will be “false positives” and others may have been blocked by defenses, but some may represent a successful penetration of the system. Once an alert is confirmed, the company’s incident response plan is initiated; in the beginning, the goals are to contain the threat and restore service. Forensics, analysis and efforts to prevent a recurrence follow quickly.
With a proactive approach, organizations try to detect potential threats before an incident occurs. Files from unknown or suspicious sources can be quarantined automatically for investigation. If found to be malicious, the source, signature or other identifying characteristic can be fed automatically back into the system to block any additional attempts at the gate.
A proactive approach also includes regular, planned hunting exercises to detect threats that may be lurking in the system but not yet detected or perhaps not yet detonated. Although ad hoc hunting can be accomplished to some degree if performed by experienced analysts, the best method is to automate certain steps so the efforts are sustainable and repeatable.
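The quarantine, feedback and hunting loop described above, as an added Python example that is not part of the original article; the trusted-source names, placeholder hashes and sandbox verdicts are constructed assumptions standing in for real sandbox and gateway tooling:

```python
from dataclasses import dataclass, field

# Constructed values (not real indicators): hypothetical trusted sources and sandbox verdicts.
TRUSTED_SOURCES = {"vendor-portal.example", "build-server.internal"}
SANDBOX_VERDICTS = {
    "sha256-placeholder-1": "malicious",
    "sha256-placeholder-2": "benign",
}

@dataclass
class Defenses:
    block_list: set = field(default_factory=set)     # indicators blocked "at the gate"
    quarantine: dict = field(default_factory=dict)   # sha256 -> event awaiting analysis

def ingest(defenses, event):
    """Handle one file event; returns 'blocked', 'quarantined' or 'allowed'."""
    h = event["sha256"]
    if h in defenses.block_list:
        return "blocked"                       # known-bad: stopped before it runs
    if event["source"] not in TRUSTED_SOURCES:
        defenses.quarantine[h] = event         # unknown source: hold for investigation
        return "quarantined"
    return "allowed"

def apply_verdicts(defenses):
    """Feed analysis results back into the defenses; returns newly blocked hashes."""
    promoted = []
    for h in list(defenses.quarantine):
        verdict = SANDBOX_VERDICTS.get(h, "unknown")
        if verdict == "malicious":
            defenses.block_list.add(h)
            promoted.append(h)
        if verdict in ("malicious", "benign"):
            del defenses.quarantine[h]         # 'unknown' stays queued for an analyst
    return promoted

def hunt(defenses, history):
    """Repeatable hunt: which past events match indicators learned since they were seen?"""
    return [e["host"] for e in history if e["sha256"] in defenses.block_list]

# Constructed sample events: an attachment from an unknown sender, the same hash seen
# on another host (surfaced only by the hunt sweep), and a benign file from a trusted source.
SAMPLE_EVENTS = [
    {"host": "ws-01", "sha256": "sha256-placeholder-1", "source": "mail-attachment"},
    {"host": "ws-07", "sha256": "sha256-placeholder-1", "source": "usb-drive"},
    {"host": "ws-02", "sha256": "sha256-placeholder-2", "source": "build-server.internal"},
]
```

Running `ingest` over the events, then `apply_verdicts`, then `hunt` shows the sequence the text describes: the first sighting is quarantined, the verdict promotes its hash to the block list, a repeat attempt is blocked at the gate, and the hunt retroactively surfaces the earlier host that already saw the same file.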
Why Organizations Need Both Approaches
It is always better to prevent a breach than recover from one. However, if, or rather when, an intrusion occurs, every organization needs a mature, workable, detailed plan to react to the incident. All employees need the training and experience to know what to do when the incident response plan is activated.
Despite the need to have a solid plan to react to incidents, blocking potential threats can be more economical, faster and safer. Therefore, organizations need to be both proactive and reactive to provide the best security for their data. The key is to find the proper balance between the two approaches. Finding the right balance requires evaluating the budget, the skills of staff members and other resources that might be available.
For both proactive and reactive methods, however, automation is essential. Manual processes simply cannot compete with automation when it comes to speed, cost, accuracy and risk mitigation. With the number of attacks growing by the day and hackers becoming increasingly adept and persistent, automation provides the best way for organizations to stay one step ahead of the attackers.
About the Author / Rishi Bhargava
Rishi Bhargava is co-founder and VP of Marketing for Demisto, a cyber security startup with the mission to make security operations “faster, leaner and smarter.” Prior to founding Demisto, he was vice president and general manager of the Software Defined Datacenter Group at Intel Security, and before Intel, he was vice president of product management for Datacenter and Server security products at McAfee, now part of Intel Security. He has more than a dozen patents in the area of computer security. He holds a BS in Computer Science from Indian Institute of Technology, New Delhi, and a Masters in Computer Science from University of Southern California, Los Angeles.