When I talk to many prospective clients, the conversation starts out almost completely focused on preventing cyber attacks. There's nothing wrong with that; it's the way we "did" cybersecurity for decades. We put in more and more preventative measures, we built the castle walls higher, we installed more tools.
Unfortunately, this also made it harder for people to work. We installed so many security tools on the users' workstations that they needed the power of a supercomputer to open a spreadsheet. We demanded users jump through endless hoops to get work done. We did well at preventing authorized users from accessing their own systems, but the attackers always found a way.
Many years ago, I spent an entire day trying to change a password to an Air Force computer system. The complexity requirements were so convoluted that nothing would work. No guidance was provided on what those complexity requirements were, either. So I banged away at a keyboard for the better part of 8 hours trying to change a password to a system I needed for work. All this in the name of prevention because there was no visibility into the actual system activity.
There's nothing wrong with building preventative measures into our security programs; there are plenty of preventative security controls that are painless to implement and almost transparent to end users. These are the easy kills in the preventative world. However, you must balance those with detection and response measures.
Unfortunately, we've generally ignored the detection (or visibility) controls because they are a bit of work to implement and manage over time. However, these detection measures can mean the difference between a minor account takeover (ATO) and a successful multi-million dollar ransomware breach.
Funny story: a few years ago we had two similar clients, one with our full security suite and one without. Both had an Office 365 account taken over at about the same time. In the one with our full security suite, we detected the attacker and kicked them out within about 5-10 minutes. In the client without our full security suite, we had no visibility and couldn't see anything.
They called us up about 4 months later asking why something odd was happening when they sent emails internally. We dug back through logs and found out that one of their accounts had been taken over. Lucky for them, the attacker decided it wasn't a valuable enough account or business to take any further action.
Would you rather rely on skill or luck when it comes to your business?
For our clients, the detection and visibility controls typically include daily monitoring of activity on key systems (e.g., cloud-based email, local and cloud servers, workstations, and other critical business applications) and regular scanning for vulnerabilities. These two programs give us enough visibility to detect when something suspicious or malicious is happening and find the security holes before the attackers do.
Accounts get taken over. Malware gets downloaded. Visibility is the difference between catching it within minutes or after a catastrophic event. Which one would you rather have?
How much visibility do you have into your infrastructure? None? You can continue to hope and pray daily or you can give us a call and fix the problem.
