Pulling the Right Data From the Right Tools Allows You to Validate a Detection and Respond Effectively
The Data Breach Investigations Report (DBIR) from Verizon has evolved significantly since it was first published. But one thing that hasn’t changed over the last dozen years is the consistent finding that security professionals already have the tools to detect many of the breaches they face. In fact, the very first report back in 2008 found that 87% of the breaches were considered avoidable through reasonable controls. The indicators exist in the logs of various security technologies. The challenge is that they’re hard to see because those logs are cluttered, and most security departments don’t have enough people to sift through them and make sense of the data.
Fast forward to the 2020 DBIR and approximately two-thirds of breaches are being detected in days or less. So, the good news is that we’re becoming more effective at using these tools to detect breaches. But what about the other third? And of the two-thirds detected, did we detect the entire scope of the attack, or were certain indicators missed and is the adversary still lurking, waiting to re-emerge later?
The definition of detection is especially relevant as extended detection and response (XDR) solutions become the next hot topic in the security industry, because how we define detection will drive the outcome of XDR and, ultimately, of its other key component: response.