Feb 29, 2024The Hacker NewsAttack Surface / Incident Response

As an IT leader, staying on top of the latest cybersecurity developments is essential to keeping your organization safe. But with threats coming from all around — and hackers dreaming up new exploits every day — how do you create proactive, agile cybersecurity strategies? And what cybersecurity approach gives you the most bang for your buck, mitigating your risks and maximizing the value of your cybersecurity investments?

Let’s take a closer look at the trends that are impacting organizations today, including the growing reach of data breaches and the increase in cybersecurity spending, and explore how you can get the most out of your cybersecurity resources, effectively securing your digital assets and maintaining your organization’s integrity in the face of ever-evolving cyber threats.

Successful data breaches

In 2022, the number of people affected by data breaches increased significantly. According to the Identity Theft Resource Center’s 2022 Data Breach Report, more than 1,800 data compromises were reported in 2022 — 60 fewer reports than in the previous year — but the number of people impacted by data breaches jumped by a whopping 40% to 422.1 million.

And data breaches can cause real, long-lasting impacts, as proven by some of the most infamous data breaches in history:

• eBay: Hackers stole login credentials for just a few eBay employees and then pulled off a massive data breach that stole the personal information and passwords of more than 145 million users. Experts believe that the hack had ramifications on users outside of eBay — as people tend to reuse passwords on multiple sites, there’s a good chance that hackers were able to access other online services using the stolen credentials.
• Yahoo: In one of the biggest data breaches in history, Yahoo estimated that hackers had compromised over three billion accounts. Although hackers didn’t get passwords, they did gain access to users’ security question answers, increasing the risk of identity theft. The company ultimately paid $35 million in regulatory fines and had to provide nearly 200 million people with credit monitoring services and other restitution valued at $117.5 million.
• Marriott: Hackers were able to spend nearly four years accessing Mariott’s Starwood system, stealing data from more than 500 million hotel customers. Cybercriminals stole everything from customer names and contact info to passport numbers, travel information, and financial information, including credit and debit card numbers and expiration dates. In addition to the massive blow to its reputation and loss of consumer trust, the company faced steep fines, including a £99 million fine from the UK Information Commissioner’s Office (ICO) for violating British citizens’ privacy rights under the GDPR.

Given the escalating scope and impact of data breaches, it’s clear that CISOs and IT teams have their work cut out to ensure their organization is prepared for anything.

Cyber spending trends

Unsurprisingly, with the growing cybersecurity problem, organizations are spending more money to bolster their cybersecurity resources.

Getting the most from your cybersecurity resources

Clearly, there’s no shortage of cybersecurity threats. So, how can an IT professional ensure they are maximizing the value of cybersecurity resources and getting every ounce of protection from cybersecurity investments? A risk-based approach, where you identify and prioritize your greatest vulnerabilities, and correlate threat exposure to business impact, will help protect organizations and optimize spending decisions.

To adopt a risk-based approach, deploy the following strategies:

• Focus on your external attack surface. Your business’ external attack surface includes all of your company’s accessible digital assets — which present an enticing target for bad actors. You can’t fix a problem if you don’t know it exists; use a proven external attack surface management (EASM) solution to regularly scan and monitor your assets for potential security gaps.
• Prioritize protection of end user credentials. As eBay found, gaining access to just a handful of user credentials can effectively give hackers an open-door invite to your network and data. Ensure you provide employees with regular, ongoing security training to help them become more adept at identifying and appropriately responding to cyber risks. Deploy robust identity and access management protocols across your organization. And use a password auditor to ensure that your employees aren’t using passwords that have already been breached or compromised.
• Prioritize vulnerability remediation across your networks and cloud services. Invest in a risk-based vulnerability management solution that will help you prioritize threats based on the highest risks posted (based on likelihood and exploit availability), rather than wasting time and resources on vulnerabilities that pose little threat.
• Integrate a threat intelligence solution. To proactively adapt your organization’s defenses against emerging threats and attack vectors, you should invest in a threat intelligence solution that provides real-time insights into evolving threats to your organization and industry. By focusing your attention (and spending) on high-impact, likely-to-be-exploited vulnerabilities, you can strategically deploy resources to address your most pressing security concerns.

Prioritize a risk-based approach to boost cybersecurity ROI

Today’s digital landscape requires IT pros to prioritize a risk-based approach to cybersecurity, ensuring that your investments address current and future threats. By strategically deploying your organization’s resources — using robust solutions and focusing on high-impact vulnerabilities — you’ll be taking steps to keep your organization safe, maintain your operational integrity, and boost your cybersecurity ROI.

Did you know that Network Detection and Response (NDR) has become the most effective technology to detect cyber threats? In contrast to SIEM, NDR offers adaptive cybersecurity with reduced false alerts and efficient threat response.

Are you aware of Network Detection and Response (NDR) and how it’s become the most effective technology to detect cyber threats?

NDR massively upgrades your security through risk-based alerting, prioritizing alerts based on the potential risk to your organization’s systems and data. How? Well, NDR’s real-time analysis, machine learning, and threat intelligence provide immediate detection, reducing alert fatigue and enabling better decision-making. In contrast to SIEM, NDR offers adaptive cybersecurity with reduced false positives and efficient threat response.

Why Use Risk-Based Alerting?

Risk-based alerting is an approach where security alerts and responses are prioritized based on the level of risk they pose to an organization’s systems, data, and overall security posture. This method enables organizations to concentrate their resources on addressing the most critical threats first.

Benefits of risk-based alerting include efficient resource allocation and more:

1. By prioritizing alerts based on risk, organizations can allocate their resources more efficiently, since they save time.
2. High-risk alerts can be addressed promptly, while lower-risk alerts can be managed in a more systematic and less resource-intensive manner.
3. Security teams often face alert fatigue when dealing with a high number of alerts, many of which may be false positives or minor issues. So, risk-based alerting helps reduce alert fatigue by allowing teams to focus on alerts with the greatest potential impact. This can be crucial in preventing or minimizing the effect of security incidents.
4. Prioritizing alerts based on risk enables better decision-making. Security teams can make informed decisions about which alerts to investigate first and how to allocate resources based on the potential impact on the organization.
5. It also promotes the integration of threat intelligence into the decision-making process. By considering the context of threats and understanding their potential impact, organizations can better assess the severity of alerts.

3 Steps to Establishing Your Risk-Based Cybersecurity Strategy

1. The Role of NDR in Risk-Based Alerts

Network Detection and Response (NDR) plays a key role in facilitating or enabling the implementation of risk-based alerts within an organization’s cybersecurity strategy.

NDR solutions are designed to detect and respond to threats on your network and provide insights into the potential risks of various activities or incidents: they analyze the patterns and behavior of network traffic to detect anomalies that indicate potential security risks.

With this contextual information about network activity, different weights of analyzers in the network, and an aggregation of various alarms up to the alarm threshold, they can define different alert levels depending on the weighting of the evidence. Additionally, specific critical zones can be defined in asset management. This context is crucial for evaluating the severity and potential impact of security alerts, aligning with the risk-based approach.

2. Leveraging Threat Intelligence Feeds for Enhanced Risk Assessment

Since NDR solutions are integrated with threat intelligence feeds, they enrich the data used for the analysis and categorization of network activity. Criticality can potentially be enhanced by OSINT, Zeek, or MITRE ATT&CK information. This integration enhances the ability to assess the risk associated with specific alerts.

Some NDR systems offer automated response capabilities, serving organizations in responding quickly to high-risk alerts. This aligns with the goal of risk-based alerting to address critical threats immediately:

• A risk score is assigned to detected events or alerts based on various factors, including the severity of the detected activity, the context in which it occurred, the affected assets or systems, and historical data. The aim is to assess the potential damage or impact of the detected event.
• In the risk booster, different elements influencing risk assessment are weighted differently. For example, activities involving critical assets or privileged accounts may receive a higher risk score. Events deviating significantly from established baselines or patterns may also be weighted more heavily.
• Correlated alerts play a crucial role in uncovering hidden attacks within the background of normal network activities. Increased correlation of alerts significantly reduces the workload for analysts by minimizing the number of individual alerts they must address.

3. Automating Responses to High-Risk Alerts

The strategic use of automation is of utmost importance in strengthening network defenses against potential attacks, particularly considering the substantial daily communication volumes within networks that attackers could exploit.

Since user and entity behavior analysis is already integrated into the NDR to analyze the behavior of users and entities (e.g., devices) within the network, insider threats, compromised accounts, or suspicious user behavior can be detected more easily and used for risk assessment.

Because risk scores are not static but change over time, they can be adjusted as new information becomes available or the security landscape evolves. If an originally low-risk event escalates to a higher-risk event, the risk score is adjusted accordingly.

Leveraging NDR with Machine Learning For Dynamic Risk Assessment and Enhanced Cybersecurity

Machine learning algorithms can sift through large volumes of data to establish standard patterns or baselines of network behavior. These baselines act as a benchmark for identifying deviations that could signal suspicious or malicious activity. The automation allows security teams to concentrate their efforts on investigating and mitigating high-risk alerts, enhancing overall efficiency. Machine learning algorithms can continuously learn and adapt to new patterns and threats, making the security system more adaptive and capable of tackling emerging risks. The continuous learning is invaluable in the rapidly evolving landscape of cybersecurity.

By integrating NDR capabilities with machine learning, organizations can dynamically evaluate the risk associated with various activities on the network. Machine learning algorithms can adapt to evolving threats and changes in network behavior, contributing to a more precise and responsive risk assessment.

Examples & Use Cases: More Detection, Less False Alerts

Given an organization utilizes a Network Detection and Response (NDR) solution to monitor its network traffic, the organization assesses risk scores for detected events based on their potential impact and contextual information.

1. Unauthorized Access Attempt:

An external IP address attempts to gain unauthorized access to a critical server. The risk factors are the affected asset: a critical server containing sensitive customer data.

Anomalous behavior: The IP address has no prior history of accessing this server. The risk score is high. The NDR system assigns a high-risk score to the alert due to the involvement of a critical asset and the detection of anomalous behavior, suggesting a potential security breach. The high-risk alert is promptly escalated for investigation and response.

2. Software Update:

In this alert, a routine software update event is described, where an internal device initiates an update from a trusted source. The risk factors include the affected asset (a non-critical user workstation) and the routine behavior of the update from a trusted source, resulting in a low-risk score.

The NDR system assigns a low-risk score to this alert, indicating that it involves a non-critical asset, and the behavior is routine and expected. As a result, this low-risk alert may be logged and monitored but does not require immediate attention.

Conclusion: That’s Why It’s Superior to SIEM

NDR is considered superior to Security Information and Event Management (SIEM) for risk-based alerting because NDR focuses on real-time analysis of network traffic patterns and behaviors, providing immediate detection of anomalies and potential threats, whereas SIEM relies on log analysis only, which may have delays and might miss subtle, network-centric threats as well as creating multitudes of alerts (false ones too).

Last but not least, NDR incorporates machine learning and threat intelligence, enhancing its ability to adapt to evolving risks and reducing false positives, leading to more accurate and timely risk assessments compared to traditional SIEM approaches.

So, ready to upgrade and enhance your detection capabilities? If you’re still contemplating, download our new Security Detection whitepaper for a deep dive into how risk-based alerting can save you costs and time and drastically reduce your false alerts.