by Rob Lay
26 February 2024
Detection and response as a key part of your cybersecurity resilience strategy

Partner content

Cyber resilience is one of the most frequently heard terms in the industry today. It is on the lips of every executive with any security responsibility; it has a ubiquitous presence in the marketing material of every vendor in the cyber security market; and virtually all cyber security practitioners are trying to answer one key question: how do I help my organisation become more cyber resilient?

However, the challenges facing businesses are not only increasing in complexity, they are gathering pace. Business ecosystems continue to expand, with more and more stakeholders now having legitimate reasons to access applications, and threat velocity is increasing, powered in part by threat actors using AI.

For both government and the private sector, cyber risk ranks as the third highest risk they face over the short term. In the face of this increasing challenge, organisations are not improving their ability to respond effectively to breaches. The data show a relatively stable dwell time over the last five years, varying by only a handful of days in how long it takes organisations to identify and then contain a breach. The more alarming element is that, as of 2023, the average time taken to identify a breach stands at around 200 days, and it then takes an average of a further 73 days to contain it.

The reality, of course, is that cyber resilience has many facets. No one tool, process or capability will deliver it in its entirety. There are, however, some overarching concepts which help organisations take larger steps towards it. The ability to identify, analyse, investigate and ultimately respond to cyber security incidents taking place within an organisation's IT systems is becoming more and more fundamental, not only as part of the drive to secure the organisation but increasingly as part of maintaining compliance with new and emerging regulations such as NIS2.

At its core, unless you can see, understand and react to what is happening within your environments, maintaining any level of cyber resilience becomes increasingly difficult. This is shown with alarming clarity by the finding that only 33 per cent of breaches are actually detected by the organisation's own internal security teams or tools.

Dealing with the issue

All of this leads to the natural conclusion that better detection and response capabilities are needed to help organisations deal more effectively with the incidents taking place within their environments, before those incidents become breaches with multiple impacts across the business.

The detection and response market is a complex space. Endpoint Detection and Response (EDR) solutions focus on the endpoint, which is fundamentally where the majority of attacks start, if not finish in the case of ransomware. Network Detection and Response (NDR) solutions focus instead on traffic flows within the network and identify malicious and anomalous behaviours. Each of these solution types brings its own response capabilities, including orchestration of activities, automation to enable a faster time to resolution, and a reporting and dashboarding interface which aims to deliver the information that Security Operations Centre (SOC) analysts need in a clear and efficient way.

Cisco has taken a different approach. We believe that to deliver a truly comprehensive detection and response capability you must bring together the endpoint aspect and the network aspect, as well as the other key vectors involved in a large proportion of attacks, namely e-mail and web. Cisco brings these together in its eXtended Detection and Response (XDR) platform, which delivers near real-time telemetry from across the broader IT environment.

Cisco is in a unique position in this space to help its customers, and that position lies in the ability to draw on the massively deployed Cisco networking estates which exist within many IT ecosystems. Natively drawing on this network brings to bear a volume of data points which many other detection and response solutions simply cannot.

This, combined with native integrations with other major cyber security vendors in the market and the ability to trigger incidents from third-party sources, delivers a comprehensive detection and response solution with unrivalled security efficacy. To reduce the complexity of bringing together our tools, telemetry and data, XDR is augmented by an AI assistant which helps to boost the capability of tier 1 SOC analysts and to drive shorter identification, investigation and remediation cycles.

Bringing it back to Resilience

But how does all this capability help with maintaining cyber security resilience? Most definitions of cyber security resilience refer to the ability to withstand and recover quickly and effectively when an incident takes place within the environment. Cisco adds the aim of emerging stronger than before the incident took place: learning from the process so that the organisation is that little bit better prepared for the next time an incident occurs.

This process of developing resilience has several aspects, including understanding your environments, understanding the threats that face your organisation and having a coherent defence strategy. Fundamentally, however, all resilience efforts must include the capability to identify, investigate and respond to incidents when they occur. That is where Cisco XDR fits into the picture.

In alignment with the NIST incident handling cycle (NIST SP 800-61), Cisco XDR directly helps with three core elements of handling incidents.

Detection and Analysis

Drawing on telemetry from native Cisco technologies and from third-party technologies, and being able to trigger incidents from non-native telemetry, gives the SOC a significant advantage in identifying the initial phases of an incident. Most importantly, a risk-based approach and contextual reasoning guide the SOC analyst to the aspects of an incident which matter most, helping to reduce alert fatigue. Cisco XDR also has native integration with Cisco Talos threat intelligence, one of the largest and most powerful commercial threat intelligence organisations in the world, and automatically aligns observed behaviours with the MITRE ATT&CK framework.

Containment

Once an incident has been identified, containment is perhaps the most important step in maintaining the organisation's resilience. Preventing further spread and damage and reducing the immediate impact of the incident are high-priority activities for the SOC team. Orchestration and automation of containment and response activities, with prebuilt playbooks and integration into the broader IT ecosystem, are critical to rapid containment of the incident.
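The following is an added example, written for this page, of the cross-source correlation, risk-based triage and playbook-driven containment described in the two sections above; it is not Cisco XDR code or any other product's logic. The telemetry records, hostnames, users, the 203.0.113.5 address, the rule weights, the ATT&CK technique mappings and the playbook steps are all assumptions made for the example.

```python
from collections import defaultdict, namedtuple

# Constructed telemetry from three sources (email, endpoint, network).
# Hosts, users, timestamps (seconds) and the 203.0.113.5 address are made up.
SAMPLE_EVENTS = [
    {"source": "email", "host": "ws-042", "user": "jsmith", "ts": 100,
     "event": "attachment_opened", "detail": "invoice.docm"},
    {"source": "endpoint", "host": "ws-042", "user": "jsmith", "ts": 130,
     "event": "process_start", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA..."},
    {"source": "network", "host": "ws-042", "user": "jsmith", "ts": 190,
     "event": "outbound_flow", "dst": "203.0.113.5", "dst_port": 443, "bytes_out": 2_000_000},
    # Benign admin activity on another host: one weak signal, no corroboration.
    {"source": "endpoint", "host": "ws-007", "user": "admin", "ts": 200,
     "event": "process_start", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Service"},
]

# technique = MITRE ATT&CK technique ID; weight = assumed risk contribution of the rule.
Detection = namedtuple("Detection", "host ts source technique name weight")
Incident = namedtuple("Incident", "host score severity sources techniques detections")

# Detection rules: each yields zero or more Detections for a single event. The
# ATT&CK mappings and weights are assumptions for this example, not vendor logic.
def rule_macro_attachment(e):
    if (e["source"] == "email" and e["event"] == "attachment_opened"
            and e["detail"].lower().endswith((".docm", ".xlsm", ".pptm"))):
        yield Detection(e["host"], e["ts"], "email", "T1566.001", "macro-enabled attachment opened", 20)

def rule_powershell(e):
    if (e["source"] != "endpoint" or e["event"] != "process_start"
            or e["image"].lower() != "powershell.exe"):
        return
    yield Detection(e["host"], e["ts"], "endpoint", "T1059.001", "PowerShell started", 15)
    if e["parent"].lower() in {"winword.exe", "excel.exe", "outlook.exe"}:
        yield Detection(e["host"], e["ts"], "endpoint", "T1204.002", "Office app spawned PowerShell", 25)
    if "-enc" in e["cmdline"].lower():
        yield Detection(e["host"], e["ts"], "endpoint", "T1027", "encoded PowerShell command line", 20)

def rule_exfil(e):
    if e["source"] == "network" and e["event"] == "outbound_flow" and e.get("bytes_out", 0) > 1_000_000:
        yield Detection(e["host"], e["ts"], "network", "T1041", "large outbound transfer", 30)

RULES = [rule_macro_attachment, rule_powershell, rule_exfil]

def detect(events):
    return [d for e in events for rule in RULES for d in rule(e)]

def build_incident(host, cluster):
    sources = sorted({d.source for d in cluster})
    # Independent sources corroborating each other raise confidence: +10 per extra source.
    score = sum(d.weight for d in cluster) + 10 * (len(sources) - 1)
    severity = "high" if score >= 70 else "medium" if score >= 40 else "low"
    return Incident(host, score, severity, sources, sorted({d.technique for d in cluster}), cluster)

def correlate(detections, window=600):
    """Group each host's detections that fall within `window` seconds of the first one."""
    by_host = defaultdict(list)
    for d in sorted(detections, key=lambda d: d.ts):
        by_host[d.host].append(d)
    incidents = []
    for host, ds in by_host.items():
        cluster = [ds[0]]
        for d in ds[1:]:
            if d.ts - cluster[0].ts <= window:
                cluster.append(d)
            else:
                incidents.append(build_incident(host, cluster))
                cluster = [d]
        incidents.append(build_incident(host, cluster))
    return incidents

def triage(incidents, floor="medium"):
    """Analyst queue: drop lone weak signals, highest risk first."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return sorted((i for i in incidents if rank[i.severity] >= rank[floor]), key=lambda i: -i.score)

# Assumed playbook: which containment steps each severity triggers.
PLAYBOOK = {"high": ["isolate_host", "disable_user", "block_destination"], "medium": ["isolate_host"]}

def contain(incident, events):
    """Expand the playbook into (action, target) pairs; enforcement is left to the
    EDR, identity and firewall integrations that would receive them."""
    mine = [e for e in events if e["host"] == incident.host]
    actions = []
    for step in PLAYBOOK.get(incident.severity, []):
        if step == "isolate_host":
            actions.append((step, incident.host))
        elif step == "disable_user":
            actions += [(step, u) for u in sorted({e["user"] for e in mine if "user" in e})]
        elif step == "block_destination":
            actions += [(step, d) for d in sorted({e["dst"] for e in mine if "dst" in e})]
    return actions

if __name__ == "__main__":
    for inc in triage(correlate(detect(SAMPLE_EVENTS))):
        print(inc.host, inc.severity, inc.score, inc.sources, inc.techniques)
        print("  containment:", contain(inc, SAMPLE_EVENTS))
```

On the constructed input, the phishing chain on ws-042 becomes one high-severity incident corroborated by email, endpoint and network telemetry and carrying the ATT&CK techniques of each step, while the lone PowerShell start on ws-007 never reaches the analyst queue; the playbook then expands to isolating the host, disabling the user and blocking the destination. The point of the example is the structure, not the specific weights: a weak signal from one source stays below the floor, but the same signal corroborated by another source is escalated and acted on.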

Eradication & Recovery

Recovery is sometimes one of the less considered aspects of incident management: once services have been restored, the focus tends to shift back to business as usual. For the SOC analyst, however, this is a critical time to review what happened and, particularly relevant to the broader concept of resilience, to learn from it so that the organisation is stronger for the future. This is where being able to pull together telemetry from across the IT/OT ecosystem and understand the bigger picture is vital. Cisco XDR provides per-incident review capabilities to guide the SOC team through the detail of an incident once the furore has died down.

Summary

Cyber security resilience is one of the most important things organisations today are trying to understand and improve. A strong and effective detection and response capability is foundational to achieving it. Cisco XDR offers a way to leverage existing investments in networking and security infrastructure to boost an organisation's ability to take a big step towards security resilience.

Rob Lay is leader, Systems Engineering at Cisco Security. This article was sponsored by Cisco. 
