CyberForce|Q
Mar 20, 2023 (3 min read)
Updated: Apr 5, 2023
How well does your organization detect and monitor potential cyber threats? Malicious actors are constantly developing new forms of attack, so you must validate the extent of your detection and monitoring to ensure you are truly defending against cyber-attacks.
To help assess your cybersecurity program, ask the following questions to better understand your detection and monitoring capabilities.
24x7 monitoring is critical because threat actors target organizations at all times, and especially after working hours, on weekends, and on holidays. Threat actors know that organizations often do not monitor during these periods. It takes only minutes to fully compromise an organization and exfiltrate data, so every hour of unmonitored time increases the risk of a breach.
It is important to ask your IT Department what type of threats you are detecting and responding to. A lot of focus in organizations tends to be on system health and uptime. It is usually not their priority to understand potential threats and develop up-to-date detection capabilities. At a minimum, you should be monitoring phishing reports, endpoint detection, anomalous user behavior & login activity, anomalous network & perimeter activity, and internal and external scanning.
Phishing is the number one method for threat actors to compromise an organization. All organizations should have a system in place for users to report phishing emails and a response team should be ready to act on verified phishing threats, in near real time.
It is important to have clear accountability for investigating cyber threats. Cyber monitoring and investigation should be handled by certified, trained individuals whose priority is reducing cyber risk. For IT professionals, system availability is usually the priority, which means security monitoring tends to take a back seat.
Responding to cyber threats is a race against time. All threat monitoring providers should provide metrics that indicate how long it takes to investigate detected threats. The longer it takes to investigate threats, the higher the risk of critical compromise.
Cyber alerts can get to extremely high volumes. Overwhelmed IT teams report that conflicting priorities often lead to missed and ignored alerts. To avoid a security breach, it is important that all alerts get investigated in real time to identify risk and reduce false positives.
To successfully combat threat actors, organizations should have an incident response plan with clear escalation and notification procedures. If monitoring is outsourced, vendors should have clear escalation and reporting SLAs to ensure that identified risks are responded to appropriately.
When an incident does occur, organizations often struggle with what to do and who is in charge. It is important to know the extent of what your IT provider will handle and what responsibilities fall on your team. The incident response plan should document clear roles and processes so that the organization is able to respond quickly and efficiently.
Security vendors should provide reporting that shows all alerts are responded to and investigated in a timely manner. Vendors should be held accountable for providing insight and transparency into investigation volume, response time, handling time, and outcomes.
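The metrics above (volume, response time, handling time, outcomes) and the after-hours gap discussed earlier can be checked from a vendor's alert export rather than taken on trust. The following is an added example, not code from the original post or from any vendor: it assumes a hypothetical alert record with detection, acknowledgement and closure timestamps, a 30-minute response SLA, and an 08:00-18:00 weekday business window, and computes the figures from constructed sample alerts.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    detected: datetime                # when the monitoring tool raised the alert
    acknowledged: Optional[datetime]  # when an analyst began investigating (None = never)
    closed: Optional[datetime]        # when the investigation ended (None = still open)
    outcome: str                      # "true_positive", "false_positive" or "open"

def is_off_hours(ts: datetime) -> bool:
    # Weekend, or outside an assumed 08:00-18:00 business window (hypothetical policy)
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18

def minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60

def summarize(alerts, response_sla=timedelta(minutes=30)):
    """Compute the vendor-report metrics the post lists, plus after-hours coverage."""
    acked = [a for a in alerts if a.acknowledged]
    closed = [a for a in alerts if a.closed]
    response = [minutes(a.acknowledged - a.detected) for a in acked]   # detect -> pickup
    handling = [minutes(a.closed - a.acknowledged) for a in closed]    # pickup -> closure
    off_hours = [a for a in alerts if is_off_hours(a.detected)]
    return {
        "volume": len(alerts),
        "unacknowledged": len(alerts) - len(acked),
        "mean_response_min": mean(response) if response else None,
        "max_response_min": max(response) if response else None,
        "mean_handling_min": mean(handling) if handling else None,
        "sla_breaches": [a.alert_id for a in acked if a.acknowledged - a.detected > response_sla],
        "off_hours_alerts": len(off_hours),
        "off_hours_unacknowledged": sum(1 for a in off_hours if not a.acknowledged),
        "outcomes": dict(Counter(a.outcome for a in alerts)),
    }

# Constructed sample alerts (not real data); 2023-03-20 is a Monday.
D = datetime
SAMPLE = [
    Alert("A1", D(2023, 3, 20, 10, 0), D(2023, 3, 20, 10, 10), D(2023, 3, 20, 10, 40), "true_positive"),
    Alert("A2", D(2023, 3, 20, 14, 0), D(2023, 3, 20, 14, 5), D(2023, 3, 20, 14, 15), "false_positive"),
    # Raised Saturday night, not picked up until Monday morning: the gap the post warns about
    Alert("A3", D(2023, 3, 25, 2, 30), D(2023, 3, 27, 8, 15), D(2023, 3, 27, 9, 15), "true_positive"),
    Alert("A4", D(2023, 3, 26, 23, 0), None, None, "open"),  # nobody has looked at it yet
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A mean response time that looks acceptable can hide a single multi-day weekend gap, which is why the maximum and the off-hours counts are reported alongside it.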
For organizations that choose to outsource IT, it is important that vendors work within a framework of security best practices. IT vendors should be able to state which security framework their people, processes, and technology align with.