Guide: How to build a Threat Detection and Response Program

Steven Müller

Steven Müller

It Security Consultant

August 24, 2020 at 09:11

 

Whether your organization is newly ready to evolve beyond just firewalls and antivirus, or actively investing in maturing Security Operations Center operations, this blog post will give you some key takeaways to consider.  

Many organizations may not feel urgency to ramp up a threat detection and response program because they are confident in the prevention defenses, they have in place to keep trespassers out. Preparation and prevention are important pieces of any security program, but even with the best defenses, no organization is impenetrable. A strong threat detection and response program combines people, processes, and technology to recognize signs of breach as early as possible and take the best possible action.

 

Building a threat detection and response program

First you need to gain full visibility of your environment and users. With the increase of data and toolsets in modern networks, everchanging environments, getting visibility into your assets and user activity can be challenging. However, this is a crucial first step. Organizations can lose sight of this activity data when focusing too narrowly on compliance alone. While proving compliance is important, and requires appropriate log combination and retention, many of those same data sources can also be analyzed to find potential indicators of compromise. If you want to know more about Security Operations and they work, you can read this blog post

System logs and data can help you build a picture of your network. This data is powerful, as it builds the foundation that will be analyzed to detect threats; it can also be utilized down the line for investigations or proactive threat hunting. As organization you should understand what’s most important to protect within your organization and what are the most likely entry points attackers might use. For example, the majority of breaches are initiated with compromised credentials, which makes visibility into user authentications and admin activity to find anomalous behavior a high priority for most organizations.

One of the problematic things in security operations is the balance between getting enough data and getting too much data. You must decide what alerts or forensic data to read in, but processing and storing it needs resources and can increase costs. Tweaking rules that trigger alerts usually needs to be done almost daily to be able to make sense out of some 200 events per second that one server might generate. However, if you whitelist too much, you can miss a critical anomaly.

As a next step, you need to build detection capabilities and a process to respond. There are many different types of potential attacks:

  • Known threats are those that are recognizable because the malware or attacker infrastructure has been identified as associated with malicious activity.
  • Unknown threats are those that haven’t been identified in the wild

 

Want to know more how to protect your business? Download our whitepaper, which explains how to detect, respond, and adapt in practice to cyber-attacks here »

 

Managed detection and response

 

 

Find irregularities across your infrastructure and identify known-bad attacker techniques

There are two ways to find threats: Find irregularities across your infrastructure and identify known-bad attacker techniques. In the first case, if a user logs in from New York every morning and suddenly logs in from Beijing same afternoon, this is certainly an activity of interest. User behavior analytics are invaluable in helping identify this kind of anomalous behavior quickly. These tools establish a baseline for what is “normal” in a given environment, then leverage analytics to conclude when behavior is drifting from “normal” to “not normal” behavior.

On the other side, there are a number of ways attackers can gain an initial foothold onto your network, discover new assets, and move toward sensitive data. Attacker behavior analytics can expose the various tactics, techniques, and procedures by which attackers can gain access—and profit—from your corporate network. This includes things like malware, cryptojacking and confidential data exfiltration.

A combination of user and attacker behavior analytics offers a great starting point to ensure your team is getting alerted to potential threats as early as possible in the attack chain.

 

The cybersecurity exercises

As a third step you need to know how you should respond to security incidents. Here we recommend that you do an actual test in your organization. This is in order for you to respond to the following questions: 

  1. Does your team know who is responsible at each phase of incident response?
  2. Is the proper chain of communications well understood?
  3. Do your team members know when and how to escalate issues when needed?

A great incident response plan and playbook minimizes the impact of a breach and ensures things run smoothly, even in a stressful breach scenario.

If you want to know more about cybersecurity exercises, check our whitepaper: Cybersecurity exercises expose vulnerabilities in decision-making, or read more about our cybersecurity exercises and training services here.

 

Sources:

Rapid7 is one of the technologies we use for threat detection, you can read more about response programs and get useful insights on their blog: https://blog.rapid7.com/

 

 

Related blogs