The Breach Detection Stack

The InfoSec Consulting Series #9

By Jay Pope


In last week’s article I discussed how to review the organisation’s Protective Monitoring capability by starting with the ‘Cyber Hierarchy of Needs Model’. This week, I want to build on the principles discussed in the Hierarchy of Needs Model by taking a closer look at the Breach Detection Stack.

Building & Maintaining Coherent Pillars of Breach Detection

Recent years have seen rising numbers of cyber-attacks, with both 2017 and 2018 breaking records for the number of attacks and – more worryingly – the number of records compromised. When a data breach makes the headlines, it isn’t just an IT problem; it damages the reputation of the business and can lead to legal and other problems.

It’s now widely accepted by most security industry professionals that cyber-attacks are a matter of when rather than if, and that no business is immune. But that doesn’t mean that cyber security can stand still. Many companies still rely on systems that focus on protecting the perimeter, but this is an increasingly outmoded approach; serious thought needs to be given to what happens when breaches occur.

The Breach Detection Stack


Evolving Techniques

Preventing breaches is increasingly difficult, so there’s renewed interest in breach detection technology that identifies breaches after they occur and aims to minimise the impact and fix the problem. This relies on a mixture of analysis and intelligence.

In the past, attackers have tended to use a rather scattergun approach to getting into systems. They could send out numerous attacks knowing that they would find some targets whose out-of-date security, not updated with the latest signatures, would allow an attack to succeed.

But as protection software has improved, cybercriminals have refined their attack methods too. Attacks are more carefully planned and often employ ‘zero day’ techniques to evade signature-based detection systems, or social engineering to exploit human weaknesses. While there are tools aimed at preventing this kind of attack, cybercriminals continue to find their way around them, so further lines of defence are needed.

Of course, enterprises are changing too, with increased demand for workers to use BYOD devices including smartphones and tablets, and with more and more organisations committing to ‘Cloud First’ IT transformation strategies. This means that the perimeter of the company network is increasingly blurred, with devices that connect from different locations and which may even be off the network for long periods of time. It’s no surprise, therefore, that traditional firewall and anti-malware solutions are struggling to keep pace with the changes.

The greatest damage, however, comes not from the initial breach, but from what the cybercriminals do once they’ve successfully gained access to the system. This is why breach detection after the event is so important. Once they’ve obtained access, cybercriminals can study the network, gain a stronger foothold and extract more sensitive data.

Increasingly, bots will be used to carry out the initial assessments and create user accounts, allowing human cybercriminals to follow up and copy sensitive data from servers. Even when an attack is detected, it is often by accident. In no small part this is because security teams can become overwhelmed by the volume of alerts generated by traditional security tools, meaning that they are more likely to overlook something important.

Failure to detect the breach, of course, means that attacks become even more destructive. The US retail chain Target, for example, failed to detect a breach that led to 40 million credit card numbers being compromised, only becoming aware of it when alerted by the government.


Why Breach Detection?

So, what are the advantages of turning to breach detection? Firstly, it offers an additional line of defence rather than focusing on keeping cybercriminals out. Attacks can still happen but can be spotted quickly, reducing the opportunity for attackers to do damage. This is also important in the light of GDPR where companies have a limited time to notify regulators of a breach.

We’ve already pointed to the high volume of alerts that security teams face. This is compounded by the fact that these are generated from log files at the perimeter. Breach detection helps to solve this issue by making use of big data analysis techniques. Tools look at not just the data generated from in-house security tools and their logs, but also at the wider range of cyber intelligence available to identify attack patterns used elsewhere.

Any attack inevitably leaves a trail, however hard the cybercriminals may attempt to cover their tracks. For example, they generate connections to command and control servers, or navigate the internal network in unusual ways. They may try to access resources with inappropriate credentials, for example using a manufacturing login to access sales accounts.

Breach detection systems can detect all of these behaviours and combine this with intelligence about how the cybercriminals operate, to piece together the anatomy of a breach. This allows defenders to cut through the mass of alerts and come up with a short list of security alerts that require action.
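As an added illustration (not code from the original article), the following Python correlation pass runs over constructed log lines and scores each host on exactly the behaviours described above: contact with an address on a threat-intelligence list of command and control servers, a user from one department touching another department’s file share, and fan-out to many internal hosts. All hosts, users, addresses, the directory data and the intel feed are made up, and the signal weights are an assumed starting point rather than a vendor’s scheme.

```python
import ipaddress
from collections import defaultdict
# Constructed threat-intelligence feed (fake IPs): known command-and-control servers.
C2_INDICATORS = {"203.0.113.7", "198.51.100.42"}
# Constructed directory data: the department that owns each user and each file share.
USER_DEPT = {"alice": "sales", "bob": "manufacturing"}
SHARE_DEPT = {"//fs01/sales": "sales", "//fs01/plant": "manufacturing"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
# Assumed weight per signal type: a confirmed C2 contact outranks one odd file access.
WEIGHTS = {"c2_connection": 5, "cross_dept_access": 3, "internal_fanout": 2}

# Constructed log lines in the form "<host> <event> <subject> <object>".
SAMPLE_LOG = [
    "ws-17 NETCONN 10.0.5.17 203.0.113.7:443",
    "ws-17 FILEACCESS bob //fs01/sales",
    "ws-17 NETCONN 10.0.5.17 10.0.5.20:445",
    "ws-17 NETCONN 10.0.5.17 10.0.5.21:445",
    "ws-17 NETCONN 10.0.5.17 10.0.5.22:445",
    "ws-04 FILEACCESS alice //fs01/sales",
    "ws-04 NETCONN 10.0.5.4 10.0.9.2:443",
    "ws-09 NETCONN 10.0.5.9 198.51.100.42:8080",
]


def triage(log_lines, fanout_threshold=3):
    """Correlate per-host signals and return a prioritised list of candidate breaches."""
    signals = defaultdict(set)   # host -> set of signal types seen
    fanout = defaultdict(set)    # host -> distinct internal destinations contacted
    for line in log_lines:
        host, event, subject, obj = line.split()
        if event == "NETCONN":
            dst_ip = obj.rsplit(":", 1)[0]
            if dst_ip in C2_INDICATORS:
                signals[host].add("c2_connection")
            elif ipaddress.ip_address(dst_ip) in INTERNAL:
                fanout[host].add(dst_ip)
        elif event == "FILEACCESS":
            # A manufacturing login touching a sales share is the mismatch the text describes.
            if USER_DEPT.get(subject) != SHARE_DEPT.get(obj):
                signals[host].add("cross_dept_access")
    for host, dests in fanout.items():
        if len(dests) >= fanout_threshold:
            signals[host].add("internal_fanout")
    # Score each host; hosts with several independent signals rise to the top of the list.
    ranked = [
        {"host": h, "score": sum(WEIGHTS[s] for s in sigs), "signals": sorted(sigs)}
        for h, sigs in signals.items()
    ]
    return sorted(ranked, key=lambda r: (-r["score"], r["host"]))
```

Hosts with no signal (ws-04) never reach the analyst, a single intel hit (ws-09) is listed but ranked below the host where three independent behaviours coincide (ws-17).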


Layers of Security

Keeping systems secure in the complex modern environment requires three levels of operation: prevention, detection and response. These three tiers inevitably overlap, because none of them in isolation will guard an organisation against malicious cyber activity. With different systems in use, there may well be a range of security systems too, in order to protect servers, desktops, mobile devices and more. For security teams, of course, all of this means more complexity, especially if these layers come from different providers. This, in turn, raises the possibility of breaches or attacks falling into the gaps and being missed. And as we’ve already seen, the volume of alert data generated can be overwhelming.


Tooling Selection

To deal with the current information security landscape and increasingly sophisticated cyber threats, we need the most efficient and best suited breach detection stack for our infrastructure as well as our applications. As the Security Operations Centre deals with people, process and technology, SecOps teams and their Security Architects need to choose breach detection tooling carefully. The cyber technology market is vast, with vendors making some big claims in their marketing. CISOs and those responsible for cyber budgets need to be cautious in product/service selection. A technical evaluation of some candidate tooling architectures is a worthwhile exercise that will improve the chances of developing a coherent breach detection stack, and when documented will also provide a compelling security proposition that should support a business case. The following parameters can be considered for use in a technical evaluation of your shortlisted product options:

  1. Asset inventory capability. Does the solution provide an asset inventory database? Is it feasible to extend the database schema to support additional fields, such as asset classification? If not, can the technology integrate with existing asset management solutions, repositories or the CMDB?
  2. Coverage capability. Do the tools provide coverage in heterogeneous environments? Does your proposed breach detection stack provide L1-L8 threat coverage?
  3. Support for cloud. Does the organisation need to scan cloud services, such as software as a service or infrastructure as a service? Have the related service provider obligations been included in contracts and SLAs?
  4. Scalability. You will need clarity on the tools’ capability to handle large numbers of infrastructure devices, applications, etc.
  5. Ease of operation. Tools that are difficult to navigate or that present confusing dashboard information won’t be used, at least not to their fullest potential. A tool that requires regular maintenance also becomes a problem for staff who are often already overburdened.
  6. Dealing with false positives and severity. Most automated tools flag false positives, since some vulnerabilities may not be relevant to the organisation, and the severity assigned to others may need to be adjusted. Does the tool possess the capability to deal with false positives and to customise severity?
  7. Orchestration and prioritisation. Do the tools support orchestration and prioritisation? CISOs must focus on prioritising, and this is where breach detection stacks can help, by ensuring that the most important alerts are the ones that get escalated to human analysts for action. This means that action is taken faster, and any potential loss of information is limited.
  8. Integration capability. How feasible is integration of the tool with existing patch management, configuration management, intrusion detection and/or monitoring tools and services?
  9. Dealing with zero-day vulnerabilities. Do your vulnerability management tools possess the capability to deal with zero-day vulnerabilities? Is predictive analysis of the threat in your environment possible without the need to perform new scanning?
  10. Reporting. Is the reporting detailed and customisable? Can we generate trend reports? What are the report types? Is the report output format reusable in other tools?
  11. Remediation policy enforcement. Where relevant, does the product provide the capability to designate the selected remediation at varying enforcement levels, from mandatory (required) to forbidden (acceptable risk), via a centralised policy-driven interface?
  12. Technical support. Look for vendors that offer 24/7 support, preferably by phone, and find out whether customers can expect an immediate response.
  13. Pricing and licensing. Many tools offer different categories of licensing; the licensing must always be cost-effective.


Cyber-attacks are not going to go away, and security teams need to be equipped to deal with the growing level of threat. This requires a strategy that goes beyond just trying to keep cybercriminals out and ensures that when a breach does occur, it can be controlled, and an appropriate response put in place quickly to report the breach and remediate the damage.


Does Your Organisation Need Top Cyber Security Consultants?

We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.