Lack of visibility plagues almost 90% of security leaders, who feel they need more visibility into the data and systems they must protect. Without this visibility, they cannot adequately understand their entire security posture, identifying when or if attacks are occurring at any given time. Their poor visibility is driven by changes in their environment to adapt to the rapid speed of business and the adoption of new technologies that help them keep pace. It makes it challenging to meet the third pillar of “Detect” in the NIST cybersecurity framework.
This blog investigates the challenges modern organizations face in meeting the Detect pillar and what factors they need to look for in solutions that promise to deliver these capabilities
Detriments to Detect
In the NIST Cybersecurity Framework (CSF), the “Detect” pillar focuses on identifying and detecting security incidents as rapidly as possible. It delivers early warnings of potential incidents allowing staff to take action to mitigate them. With the adoption of cloud technologies, remote workforces, and 3rd party software solutions, it has become more challenging for technologies to deliver the necessary depth of visibility for the “Detect” pillar. Traditional sensors such as firewalls, antivirus software, and intrusion detection systems (IDS) were designed for conventional environments and did not meet the needs of every use case anymore..
Complexity of Organization
Full detect capabilities require visibility into your organization’s entire attack surface. This includes visibility across data, networks, devices, and systems, no matter if they reside internal to the organization or are held by third parties. Traditional security controls are often designed for on-premise resources and excel in these locations. Unfortunately, they are often ill-suited to adapt to the modern expanded attack surface, leaving significant gaps in visibility and allowing incidents to occur without any method of alerting.
These environments require new solutions designed for diverse infrastructures such as the cloud. More recent tools have evolved that can see across these dynamic environments and sift through the massive volumes of data generated by them. Using advanced technologies such as machine learning, these technologies can develop actionable insights which drive alerting and monitoring capabilities.
Visibility Drives Responses
When determining appropriate controls in the Detect pillar, it is crucial to understand the different factors involved in creating valuable visibility. Solutions need a combination of depth of vision, accuracy, and speed to effectively feed response tools the information required to stop incidents without accidentally disrupting business actions that are safe but slightly abnormal.
Depth of Optics
One of the most critical factors in detection is having a depth of visibility across the entire attack surface. It allows organizations to tie together events that, when viewed independently, may appear entirely safe but, when viewed together, indicate an attack. It will enable organizations to see the full scope of an incident, know how deeply affected they may be, and track the mitigation progress.
Having a depth of visibility is not only about having the right technology in place but also about having the right people, process and culture to gather and analyze the data from the different sources to have the most accurate understanding of the organization’s security posture.
Accuracy for visibility is not just about determining when an action is part of an incident but also when it is not. Identifying incidents when there are none is a false-positive and can initiate response actions against benign behavior. This can interrupt normal business operations and annoy staff, creating additional friction in accomplishing their work. Excessive amounts of false positives can lead to staff ignoring alerts assuming they are just common noise, allowing truly malicious actions to go unnoticed.
Alternatively, systems must be sensitive enough that truly malicious actions do not go without alerts, creating a false negative. When these actions are not detected, attacks go undetected, allowing cybercriminals and malware to embed deeply throughout the infrastructure.
Managing accuracy is a balancing act requiring the right set of technologies and regular testing, tuning, and monitoring to ensure that false positives and negatives are minimized to deliver high-quality results.
No matter the depth of visibility or accuracy, it is all for naught if the information is not conveyed promptly. To respond to incidents in a timely manner, dangerous behavior needs to be detected and communicated rapidly. The longer it takes for information gathering and processing, the more time attackers have to continue their work, increasing the overall impact of an incident.
Speed is also crucial for maintaining compliance. Regulations such as GDPR, HIPAA, and PCI require organizations to demonstrate that they can quickly detect and respond to incidents. These regulations have strict timeframes for reporting incidents and notifying affected parties. Failure to meet these timelines can result in penalties.
The Right Solutions To Defend Your Data
Creating a robust cybersecurity posture requires more than just meeting the Detect capabilities. It requires functions that meet the entire NIST cybersecurity framework. Sotero is an advanced data security platform that helps your organization create a holistic data security program across all of the NIST pillars. Sotero has visibility into sensitive data stores across internal and external locations, generating alerts for anomalous behavior such as internal threats, external attackers, and ransomware, helping to stop threats early on before they can cause significant damage.
Read our white paper to learn more about the NIST Cybersecurity Framework and how Sotero can help your organization meet every phase to create a whole data protection lifecycle.
Contact Sotero today for a demo on how the Sotero Data Security Platform can help your organization get and maintain complete data security coverage across all five NIST lifecycle stages.