Accurate and Reliable Threat Detection for Your Security Program

It’s 11:59PM on a Sunday evening, and your phone starts alerting you to a new threat that is being actively exploited.  You can easily anticipate that the next message you will receive is from someone in your C-suite, asking the obvious question, “Are we protected against this?”

As security practitioners, we have all been there. What a way to start the week!

Of course, we need to tailor our response to any senior executive, first with the alarming realization that no product is 100% effective, and then temper it with comforting words that the product that protects the organization is indeed capable of detecting new threats. But, is this the truth?

Think about the decisions that went into purchasing your security product.  Was it from a reliable and trustworthy vendor, or was it just the less-expensive choice that satisfied some of the security and compliance criteria?  This is not a comfortable position to be in during an emergency.

Accurate Threat Detection – Reliability Vs. Liability

Accurate threat detection is a difficult subject. How do you know that your product is working effectively? Does the quantity of detections supersede the quality?

When we think of how to answer these questions, especially to a senior executive who is responsible for the safety of the company, the answer will not be based on technical data; in this case, reliability will be the determining factor. Remember, in recent years, corporate executives can no longer languish in the field of “plausible deniability” about security.  Recent regulations have also removed many of the corporate-based insulating protections, leaving an executive open to personal liability for data breaches.  In short, there is a reason that your C-suite has become hyper-aware of cybersecurity events.

The landscape of the detection capabilities is evolving, and that is really key to producing high fidelity detections, rather than relying solely on atomic indicators and legacy methods. Although these older methods may be cost effective, they produce less-than-stellar results, and are often easily evaded by threat actors.

In some instances, an organization may think that using a large number of threat feeds will give superior results, but this is not necessarily true.  It is easy to realize that quantity does not imply quality.  Most threat feeds duplicate data, so seeing more of the same thing is not going to ensure accuracy, or reliability.

To get back to our example of the 11:59PM alerts, how to you convince your C-Suite that you are indeed protected against these new threats? Humorously, you could point them to Cisco’s Security Outcomes Study, but they may not find much humor in that during a time of crisis.  However, now may be a good time for you to digest the insights in the study, before that near-midnight phone alert.

Key Findings From the Security Outcomes Study

The Security Outcomes Study interviewed 4,800 people to find out their views on questions regarding their security posture.  The overall disposition of the study shows the importance of reliability on the key indicators for success.

While it would be nice to state that most organizations are well-equipped in their ability to accurately track incidents, giving comfort to a nervous group of executives, the responses tell a more sobering tale. More than one-third of the respondents were less likely to agree that their organization follows the practice of accurate threat detection.

Of course, one could posit that this leaves a large area of interpretation as to how many of the interviewees ran the spectrum from “somewhat likely to agree”, all the way to “very likely to agree”.  If that other two-third of respondents are using accurate threat detection, then that is a fantastic indicator.  However, from the perspective of an attacker, this opens up a field of many targets who are not using accurate threat detection.  While optimism is an admirable trait, our job as security practitioners dictates that we must always think like the attacker.

Also, to quote directly from the report:

Cisco Secure – Helping Executives Get the Sleep They Need

At Cisco Secure our mission is to develop, acquire and integrate a security portfolio that simplifies operations, accelerates team success, and positions organizations to secure their future. With our comprehensive portfolio and the threat intelligence provided by Talos, we deliver improved efficacy and improve alert fidelity.

With the Cisco SecureX, you can work with a fully integrated ecosystem, enable intelligence sharing and coordinated response. With our platform approach, you can transform your infrastructure from a series of disjointed solutions into a fully integrated ecosystem that gives you a unify visibility into threats, maximize operational efficiency, and allow you to reduce your mean time to detect.

Before all the fancy flashing lights and trend lines on your security dashboard start to indicate the “strong possibility of a definite maybe” of a potential threat, you want to know that the product is buoyed by the expertise and experience of a trusted leader in the security industry. This is one way that you can let your executives get the sleep they need.

Author Eric Hulse is senior reverse engineer, advanced threat solutions, at Cisco Systems. Read more guest blogs from Cisco here.