Author: Thorsten Kuhles
According to study results, it can take up to 9 months on average before a security incident is detected. That is precious time in which it would be possible to avert or limit damage. Find out about the approaches available to detect attacks at an early stage and avoid the resulting high follow-up costs.
Study results on the detection of attackers' illegal activities in the corporate network are alarming. In 2021, security experts determined that on average 260 days go by during which criminals can exploit unhindered access to a network in order to spy on its structures, steal passwords, and ultimately carry out an attack.
Cybercrime remains one of the biggest threats to businesses
A look at the Cost of Cybercrime study conducted by the Ponemon Institute shows how long it takes companies on average to completely eliminate the effects of various cyberattacks. Recovery is fastest for botnets at around 2.5 days and for malware attacks at around 6.4 days. Ransomware takes an average of 23.1 days, while malicious code attacks can take as many as 55.2 days. Extortion Trojans in particular are very popular with attackers, and trends such as Ransomware as a Service (RaaS) must be taken seriously by companies in every industry today.
With each passing day in which an attack goes undetected, and the longer it takes to eliminate its effects, the costs for an impacted company increase to an unforeseeable extent. According to Bitkom, the damage to the German economy in 2020/2021 amounted to approximately 225 billion euros. These cost explosions are also driven by the fact that companies continue to invest too little in proactive measures, such as Cyber Threat Intelligence (CTI) or self-initiated vulnerability tests (penetration tests). The threats are steadily increasing due to more sophisticated attack techniques and easy-to-use tooling, even for “inexperienced” hackers. The central challenge in defending against attacks is therefore the early detection of attacker activity in the network.
Active prevention instead of damage repair
The best approach is to combine several preventive approaches in a company. The first step is to ensure that the latest attack methods are known and understood. Only then can a company take the proactive countermeasures that are appropriate for its own systems. It is also advisable to observe and evaluate the processes in one’s own network by suitable means, in order then to initiate the next steps with internal or external experts, e.g. from a Cyber Security Incident Response Team (CSIRT). This requires early planning and the implementation of a company-wide incident response policy, which should be in line with international standards such as ISO 27001.
Employees are the first line of defense
The involvement of all employees of a company is also essential for early detection. Awareness campaigns can raise awareness of the threats posed by a cyberattack and involve all employees in the process of increasing a company’s IT security. After all, if everyone is aware that they are the first line of defense against a cyberattack, potential attackers will have fewer chances to succeed, for example by means of phishing emails.
Security Operations Center for all company sizes
Large companies implement their own Security Operations Centers (SOCs), which are tasked exclusively with monitoring network activities around the clock. For small and medium-sized enterprises, a SOC is far too high a financial outlay. Nevertheless, there are feasible options in which an external service provider takes over the monitoring and evaluation of internal information. These functions are precisely what the SOC service of RADAR and Materna provides. With its deployed solution, the SOC monitors logs from operating systems, servers, databases, routers and other systems in the network. If the system finds any conspicuous actions, the SOC team from the RADAR Cyber Defense Center immediately informs the Materna CSIRT, which then initiates an immediate response together with the company, depending on the agreement. This service can, for example, minimize the data encryption threatened by a successful ransomware attack.
Thus, there is a potential opportunity to reduce the detection time of unauthorized activity on the organizational network from an average of over 260 days to seconds or minutes. The current situation shows that the key to success lies in proactive measures, such as vulnerability tests carried out independently of any incident, or trend detection. But increased investment in employee involvement also makes a critical contribution to raising a company’s security level. The motto “The first line of defense is you” should not only be mentioned on a poster somewhere, but should also be embedded at all levels of the company.