Where to focus an incident response strategy

Should incident response strategies be more focused on zero-day or the everyday? The debate rages.

Certainly the scale of zero-day security threats is enormous: one business is breached every 14 seconds, the cost of WannaCry was $4bn+, and Lloyds estimate the next big global cyberattack will spur $53bn in losses.

The arguments for the everyday are equally compelling: 99% of vulnerabilities are well known (zero-days have made up only 0.4% of vulnerabilities in the last decade).

I think it’s a non-debate. The real focus for a more effective incident response strategy is the yesterday. Why? Because the incidents we should be most responsive to are the ones that have already happened, the ones that are a ticking time bomb and cost organizations millions.

The statistics make sobering reading: the average detection time of a major attack ranges from 100 to 200 days. Containment time can extend this further, from 20+ days for ransomware or phishing to 50+ days for malicious insiders or malicious code. And that’s just a small data breach; a mega breach can take a year to detect and contain.

Then there’s the cost, which can range from a few million to hundreds of millions. The latest research suggests that the faster an incident is responded to, the less it costs, by a factor of millions of dollars.

It’s no surprise Gartner is forecasting that by 2020, 60% of information security budgets will be focused on faster incident response: reducing the time to detect a breach and accelerating its recovery and remediation.

Where will they be spent? I would make the case for the next generation of full network packet capture tools, with one of the industry leading solutions being SentryWire.

Total network history
When organizations have 100% network history, rapid and accurate detection of breaches becomes possible. Network sniffing and metadata give a partial picture; capturing and storing every IP packet, even on the busiest networks, at the best lossless capture rates gives the full one. These high-fidelity traffic records are logged and stored, making detection easier and faster.

Extended packet capture timeline
To make detection realistic, the network history must go back 140+ days from the discovery of a breach. Most organizations store 4 days, which means no visibility into when the breach occurred. New full network packet capture tools can now store petabytes of data on premises, keeping hundreds of days of data constantly available for search.

Powerful and fast search
Detection and remediation across these massive data stores are fast: petabytes of network traffic can now be searched in minutes, and smarter logging further accelerates discovery, as does on-premises storage.

Lower cost data storage
100% network history, extended over months or even years and searchable in minutes, sounds costly. It isn’t. Full network packet capture tools can now store petabytes of data at up to 80% less than other solutions.

So, if you’re one of the 77% of organizations that don’t have a clear incident response plan, start by looking to the past, and don’t look beyond network packet capture, or you could well be history. Where do you start? You wouldn’t go far wrong by having a look at one of the new generation of full network packet capture tools, like SentryWire.
