Threat Detection, Investigation & Response

The increasing complexity of technology and its effective operation can take several dimensions. This is best reflected in the unified security systems and processes that integrate together to collect, analyse and correlate information, to detect attacks and support the response.

The expanded use of cloud-based systems or platforms, including SaaS applications, means the hybrid nature of modern businesses is complex. Staff working from anywhere has made traditional challenges like user provisioning, system patching, and asset management ever more difficult to manage.

Meanwhile, the actions of adversaries have become more sophisticated too. Better organised, and more commercially focussed – no longer the mindless or opportunist attacks and vandalism of the past. Attackers are well funded, resourceful and highly skilled. Often even operating as part of a broader value chain or ecosystem.

This means security teams need to address a rapidly evolving threat landscape that features:

• Growing levels of offensive reconnaissance;
• Increasingly sophisticated attack techniques;
• With the resulting detection systems alerts, requiring greater levels of investigation;
• A need for wider visibility of security incidents spanning multiple systems and organisations; and
• The growing investigation and response overhead with resources and skills already struggling to cope with normal operations.

Effective threat detection, investigation, and response tools are essential to protect organisations from external attack and internal abuse. The earlier in the attack life-cycle that a cyber-incident can be detected and addressed, in the initial reconnaissance phase for example, the less the likelihood of any significant disruption to operations.

Actions to thwart attacks, limit their impact or initiate a response require integrated technical solutions, effective detection techniques and rules. The alternative is, of course, to identify an attack after the fact – when a data theft becomes evident from user reports or regulatory contact.

Minimising the risk from attack means:

• Having the ability to monitor networks, applications, security controls and user activity for threats.
• Automated identification and swift response processes to security alerts.
• Sufficient sensitivity to limit the risk of a data breach going undetected.
• Protecting critical systems, processes, sensitive information and intellectual property.
• Maintaining business continuity, operational cyber resilience and stakeholder trust.
• Ensuring compliance with regulatory and legal mandates.

Threat Detection, Investigation, and Response (TDIR) solutions, such as the Huntsman SIEM, provide the capability to detect, analyse, and respond to security threats in a timely and effective way.

The benefits of an effective TDIR solution, such as the Huntsman Enterprise SIEM, include:

1. Advanced automated analytics and machine learning algorithms that identify potential security threats in real-time, enabling faster and more accurate detection and response.
2. High speed telemetry from a range of data sources to maximise situational awareness and distil actionable intelligence about suspicious incidents.
3. Comprehensive incident management capabilities support thorough stakeholder investigation to identify root cause and collate evidence for remediation and reporting.
4. Automated workflows to rapidly mitigate threats and minimise any resulting cost and impact on operations.
5. Rapid quarantining infected or affected systems, blocking “known bad” IP addresses and compromised workstations.
6. Collaboration and coordinating across security teams to share information, streamlining workflows and coordinating response to incidents.

One of the vital links to the TDIR process is the ability to enrich alert data with known threat exposure information; and to simply ingest evidence of suspicious or attack actions into continuous threat exposure management (CTEM) activities. This can help both the understanding and prioritisation of threats that are detected; and the management of risky exposures before they can be exploited.

There is a two-way link between a TDIR solution, such as a SIEM, and CTEM technology that uses automatic data driven analyses to quantitatively measure the effectiveness of key cybersecurity controls that are protecting the key IT systems and assets of an organisation. The higher the overall effectiveness of those controls the better the security posture of the organisation.

Using detected configuration weaknesses or missing patches, could allow the detection system to raise an alert as a higher priority than it would otherwise be the case, as a result of confirming vulnerability information. Likewise, a system or user that has fallen under suspicion through the detection of a potential attack, might need their configuration urgently verified to gauge the extent of vulnerability.

This internal threat information is akin to external threat intelligence which is widely recognised as a highly useful lead indicator of risk. Linking internally-sourced CTEM information with TDIR activities provides highly relevant preventative threat intelligence for both processes directly guiding analysts to priority incidents for faster and more effective response.

The goal, for both the business leadership and the security team, is to improve cyber resilience and protect the IT systems, assets and data that contribute to the ongoing operation of the organisation. Increasingly, legislators are demanding it.

For some Critical Infrastructure sectors cyber resilience is the cornerstone of the wider regulatory requirement. For Operational Resilience (sometimes called Operational Risk Management) it is being mandated in various jurisdiction like the Digital Operational Resilience Act (DORA) in the EU; and the Financial Conduct Authority’s (FCA) PS21/3 regulations in the UK. There have also been similarly onerous cybersecurity disclosure obligations being sought – in the US by the U.S. Securities and Exchange Commission (SEC). In Australia too, the Security of Critical Infrastructure Act 2018 (SOCI) stipulates increasingly granular mandatory Risk Management Program reporting for priority CI providers.

Organisational resilience more broadly is becoming a fundamental tenet of corporate governance and continuous disclosure. In essence, the measure of the ability of an organisation to continue to conduct operations even in the event of disruption to key components of product or services value chain is becoming an operational responsibility. Cybersecurity leaders are now expected to contribute to the greater degree of organisational resilience where the resilience of systems, processes, people and 3rd party inputs into the delivery of a product or service are required to be managed.

Cyber resilience and broader organisational resilience are now firmly part of directors’ responsibilities, and while delegation is acceptable, oversight evidence of the effectiveness of controls, lessons learned and an objective assessment of the success of operational resilience efforts are a Boards responsibility and must be available and demonstrable.