September 24, 2019
Why Prevent, Detect & Respond?
The security world is looking beyond security prevention alone to prevent, detect and respond solutions. No company can prevent all security breaches, so informed companies are implementing strategies that focus as much on detection and response as prevention.
Here are some reasons why detection and response are necessary:
- Because using an ISMS (Information Security Management System) to manage your security is best practice and is required by many regulations. The ISMS process uses the Identify, Protect, Detect, Respond and Recover functions (the core of the NIST Cybersecurity Framework) to manage security. See NIST, ISO 27001, SANS and other security compliance frameworks.
- Because 100% prevention is impossible, it is imperative to detect the attacks that will inevitably get past your preventive controls.
- Attacks are sophisticated and can remain in networks for months, so detecting them quickly once they are in your network is essential.
Detect & Respond Objectives
Security detect and respond objectives include:
- Monitoring all key areas of IT for indicators of attack or breach
- Finding attacks quickly, before they can cause damage
- Responding quickly to attacks that are detected
- Automating the response where possible, accompanied by alerting
Areas that are generally monitored in strong security systems include:
- Network traffic – looking for anomalous or malicious traffic
- Security events – from security products such as firewalls, endpoint security, access control and other security devices
- Servers and endpoints – looking for security events
- Vulnerability scan results – using real-time vulnerability scanner results to detect changes or new threats
- User behavior – looking for anomalous behavior that might reflect an attack
If threat or attack data from multiple sources can be integrated, the monitoring system will be more complete. Ideally, solutions also include the ability to forensically search prior events and to look for root cause.
Detect & Respond Solution Alternatives
Detect and respond solutions vary by their objective and by the methods they use to accomplish those objectives. Some solutions have a limited scope, like endpoint EDR; others, like Managed Detection and Response (MDR) services, attempt to manage the entire detect and respond solution.
Let’s look at solutions by their objective and see how they can be used individually or stacked to provide a more complete detection & response solution.
LEVEL 1: Individual Security Products with Detect & Respond
Individual products from security vendors that include some level of monitoring, threat detection and alerting or other threat response are in this category. These solutions are limited in scope but may be very good at what they do. Examples include:
- EDR (endpoint specific)
- UTM firewalls
- Intrusion Detection & Intrusion Prevention Systems (IDS/IPS)
- Innovative Monitoring & Response Systems
Innovative Monitoring & Response
Several innovative solutions have emerged that monitor network traffic to determine whether that traffic is an indication of malicious behavior; AI and machine learning aid in that process. Other solutions monitor and manage traffic at the endpoint and provide micro-segmentation, visibility and control.
These systems are innovative but focus on only one component of IT (network traffic). Their use might substitute for some older technologies like intrusion prevention systems. Examples include:
- NetFlow analysis
- Machine learning (ML/AI) network monitoring (like Darktrace)
- Zero trust endpoint monitoring, visibility & control (Unisys Stealth)
LEVEL 2: Integrated Vendor Security with Detect & Respond
Many security vendors are architecting solutions that integrate (primarily their own) security products to share intelligence, detect threats and provide automated response. Most of these integrate firewalls and EDR endpoint security at a minimum, with the ability to view threats and automatically isolate infected endpoints. In some cases this can be extended to include email or other security systems. These solutions include:
- Vendor-based integrated detect and respond security such as Sophos Synchronized Security, Palo Alto, Fortinet Security Fabric, Trend Micro XDR and WatchGuard TDR
These systems are still mostly one vendor’s attempt to provide integrated visibility & response to threats.
Long term, these solutions, extended to include SIEMs and other solutions from third parties, can provide a very strong protect, detect and respond solution.
LEVEL 3: SIEM based Detect & Response
The most evolved solutions take advantage of Level 1 and Level 2 solutions and add a high-quality SIEM (Security Information and Event Manager) to collect input from the network, endpoints, security devices and user behavior. By correlating and analyzing this data on an ongoing basis, more threats can be detected, and they can be detected earlier.
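To make the correlation argument concrete, here is an added illustration (not code from this page or from any SIEM product) of the kind of cross-source rule a SIEM runs: constructed auth, EDR and firewall events are normalized to one shape, and an alert fires only when all three sources report on the same host inside a short window, something no single product in Level 1 could see on its own. The host names, timestamps and event types are invented for the example.

```python
"""Toy multi-source correlation of the kind a SIEM performs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three monitored areas, already normalized
# to a common shape: timestamp, source product, host, event type.
EVENTS = [
    {"ts": "2019-09-24T09:00:05", "src": "auth",     "host": "ws-17", "type": "login_failed"},
    {"ts": "2019-09-24T09:00:09", "src": "auth",     "host": "ws-17", "type": "login_failed"},
    {"ts": "2019-09-24T09:00:14", "src": "auth",     "host": "ws-17", "type": "login_success"},
    {"ts": "2019-09-24T09:02:30", "src": "edr",      "host": "ws-17", "type": "new_process"},
    {"ts": "2019-09-24T09:03:01", "src": "firewall", "host": "ws-17", "type": "outbound_blocked"},
    {"ts": "2019-09-24T09:10:00", "src": "firewall", "host": "ws-22", "type": "outbound_blocked"},
    {"ts": "2019-09-24T11:00:00", "src": "edr",      "host": "ws-09", "type": "new_process"},
]

# Correlation rule: every listed source must report on one host within WINDOW.
# Each source alone (ws-22, ws-09) is noise; together (ws-17) they are an incident.
RULE = {"auth", "edr", "firewall"}
WINDOW = timedelta(minutes=5)

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def correlate(events, rule=RULE, window=WINDOW):
    """Return one alert per host whose events cover every source in `rule`
    inside a sliding window, as (host, first_ts, sorted sources)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=_t):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if _t(e) - _t(first) <= window]
            seen = {e["src"] for e in in_window}
            if rule <= seen:          # all required sources present in the window
                alerts.append((host, first["ts"], sorted(seen)))
                break                 # one alert per host is enough for the analyst
    return alerts

def timeline(events, host):
    """Forensic search: every retained event for a host, oldest first, so an
    analyst can walk back from the alert to the root cause."""
    return [(e["ts"], e["src"], e["type"]) for e in sorted(events, key=_t)
            if e["host"] == host]

if __name__ == "__main__":
    for host, ts, srcs in correlate(EVENTS):
        print(f"ALERT {host} at {ts}: correlated {', '.join(srcs)}")
        for row in timeline(EVENTS, host):
            print("   ", *row)
```

Real SIEM rules add a retention store, per-source parsers and tuned thresholds, but the shape is the same: normalize, join by entity and time, alert on the combination rather than on any one feed.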
LEVEL 4: Complete Managed Detection & Response (MDR)
If you want a Level 3 solution but don’t have the resources or the desire to manage it yourself, 24×7 MDR services are available from security solution providers like eSecurity Solutions. Companies get ongoing monitoring, incident response and threat containment managed by a 24×7 SOC. Threat root cause analysis is also included, along with support during the remediation process. This is the best choice for many companies, since integrating and managing these solutions requires a high level of expertise and a large number of resources. MDR service companies know which
Long term, completely integrated security solutions from different security providers would provide best-of-breed as well as integrated security threat detection and response. In the meantime, finding strong Level 3 solutions from as few vendors as possible and combining them with MDR-type services will be most companies’ best bet to maximize their security.