Today, as security programs have increased in sophistication, so too have threats, which are getting more advanced and harder to detect – leaving organisations that don’t upgrade their security systems more vulnerable.
You can’t catch a thief you can’t see
Realising this, we at NTUC Enterprise have been actively looking into new security technologies that help address these rising concerns. One of the key areas I have been looking at is how to better protect our endpoints and increase our visibility into what goes on within these devices.
With over 20,000 endpoints across PCs and IoT devices under the group to secure, and the potential to grow to 30,000 in the near future, we realise that incident detection and response is becoming critical. So I started looking into endpoint detection and response (EDR) technologies.
Rich, granular endpoint data serves as the basis for root cause analysis, which shows where the threat originally entered the endpoint (e.g. email, web, USB, application) and how it was executed. This is critical for businesses to understand the infection vector and the activities that have taken place to progressively infect an endpoint.
EDR adoption derives from the need to sharpen visibility, understand the multitudes of different threats and attack types, and respond to them in a timely and effective manner. With EDR, security teams can also do proactive threat hunting. Swiftly detecting and removing a threat from an endpoint, or isolating an endpoint in a massive network, can potentially thwart a large-scale infection down the line.
This is what drew me to EDR in the beginning. But technology is only part of the answer to the overarching situation.
So many grey alerts, so few cybersecurity professionals
A grey alert is created by a cybersecurity detection tool when it comes across a file or an incident with an undisclosed behaviour or characteristic.
Grey alerts can be generated when an unwanted but otherwise safe action is initiated. In some cases, however, grey alerts can portend the existence of a sophisticated threat that cannot be identified by traditional security solutions. This is why an organisation’s security team should always analyse a grey alert to ascertain its true nature and determine what steps to take.
But as threats increasingly bypass traditional systems, grey alerts can pile up quickly, overwhelming the security team and creating operational inefficiencies. In the industry, we call this “alert fatigue”. And what do people do when they’re confronted with thousands of alerts on a daily basis (I’m not exaggerating)? They miss things or let things slide. Organisations can use EDR to investigate these alerts, but doing so is labour-intensive.
That’s not the only challenge. In the cyber world, detection and response is a set of processes that requires specialised skills and years of experience to handle. In fact, an ESG survey reveals that 83 percent of organisations agree that using EDR effectively demands advanced security analytic skills.
These skills are not always readily available and can’t be easily trained, because cyber skills cover a wide range of disciplines. These experts are expensive and in high demand, which means that not every organisation can afford to have in-house staff that can really get the best results from these EDR tools.
Managed detection and response (MDR) then comes into the picture to help organisations like ours ease the skills gap by providing 24/7 alert monitoring and threat-hunting capabilities from experienced cybersecurity professionals – powered by big data and AI technologies. By offloading the task to skilled MDR professionals, my team is able to focus on security projects that are important for the business, which also gives them opportunities to grow professionally.
With shared environment data, the MDR team can help identify which threat we need to prioritise. This also allows the MDR team to escalate threats to specific high-value endpoints as requested and determined by my team.
More data, more visibility
The conversation about detection and response started with endpoints, but it did not stop there. Now organisations, including NTUC, are keen to replicate what EDR offers on the endpoint across the network, servers, email, and many more touchpoints in the IT infrastructure.
Wouldn’t it be great if we could point a microscope not only at endpoints, but also at the peripheral activity around the endpoint? For example, today, 90 percent of threats arrive via email. We can potentially enrich EDR with email data: when an endpoint is hit by malware, we can pull data from the email security technology to find which particular email delivered the malicious file. Similarly, for the network, it’d be a godsend if we could see how the malicious file traverses from endpoint to endpoint within the same network, allowing us to intercept the infection chain and conduct a thorough clean-up before an attack becomes a fait accompli.
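As an added illustration of the email enrichment described above (example code, not code from NTUC or from any EDR or email security product), the following Python correlates a constructed EDR detection with constructed email-gateway records by attachment hash, recipient and delivery time. The field names, the sample values and the seven-day look-back window are assumptions; real products each have their own schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample schemas, not real product data. Field names are assumptions.
@dataclass
class EdrDetection:
    host: str
    user: str
    sha256: str           # hash of the file the endpoint agent flagged
    detected_at: datetime

@dataclass
class EmailLog:
    message_id: str
    recipient: str
    sender: str
    attachment_sha256: str
    delivered_at: datetime

def find_delivering_email(det: EdrDetection, emails: list[EmailLog],
                          window: timedelta = timedelta(days=7)) -> Optional[EmailLog]:
    """Return the email that most plausibly delivered the file the EDR flagged.

    Match on attachment hash and recipient, and require delivery to precede the
    endpoint detection within `window`. If several messages qualify, the most
    recent one before detection is returned; None means no email carried that
    file to that user in the window, so email is unlikely to be the vector.
    """
    candidates = [
        m for m in emails
        if m.attachment_sha256 == det.sha256
        and m.recipient == det.user
        and det.detected_at - window <= m.delivered_at <= det.detected_at
    ]
    return max(candidates, key=lambda m: m.delivered_at, default=None)

# Constructed sample input: one detection and four gateway records.
DETECTION = EdrDetection("WS-0421", "alice@example.com", "a" * 64,
                         datetime(2024, 3, 4, 9, 30))
EMAILS = [
    EmailLog("<m1@ext>", "alice@example.com", "invoice@vendor.example", "a" * 64,
             datetime(2024, 3, 4, 8, 55)),  # same hash, same user, 35 min earlier
    EmailLog("<m0@ext>", "alice@example.com", "old@vendor.example", "a" * 64,
             datetime(2024, 2, 1, 8, 0)),   # same hash but outside the window
    EmailLog("<m2@ext>", "bob@example.com", "invoice@vendor.example", "a" * 64,
             datetime(2024, 3, 4, 8, 56)),  # same hash, different recipient
    EmailLog("<m3@ext>", "alice@example.com", "hr@example.com", "b" * 64,
             datetime(2024, 3, 4, 9, 0)),   # same user, different attachment
]

if __name__ == "__main__":
    hit = find_delivering_email(DETECTION, EMAILS)
    print(hit.message_id if hit else "no matching email")
```

Once the delivering message is known, the same sender and hash can be searched across the rest of the gateway log to find other recipients who received the file but whose endpoints have not yet raised an alert.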
At the end of the day, organisations want more visibility into every nook and cranny of their IT infrastructure. And what enriches visibility? Data. The industry is decidedly moving towards XDR, a form of data-powered defence that provides omnipresent, nuanced visibility into attacks.
I, for one, am excited about what the future of detection and response holds.