The accelerated digital transformation and increasingly brutal, targeted cyberattacks are making it a real challenge to protect your organization. In this article we explain why it is best to complement a SIEM with NDR and EDR to reduce the impact of cyber threats.
Accelerated digital transformation
The digital transformation is rapidly changing the traditional IT landscape in many organizations. These organizations are looking for ways to run their business more efficiently, for new opportunities and even for new business models.
The pandemic and the ensuing lockdowns in 2020 have accelerated this digitization process even further. Many more organizations have now implemented telework at a structural level. This gives cybercriminals plenty of new opportunities, since employees' computers and mobile devices are often less secure at home than inside the company perimeter. In BlackBerry's annual Threat Report, no less than one-fifth of the organizations surveyed cited homeworkers as a cause of security issues.
Endpoints are the new perimeter
All this means that securing the corporate network has become more challenging than ever. There is no longer a clear perimeter separating the internal corporate network from the outside world, such as a corporate firewall protecting all devices in the office. The endpoints (i.e. employees' computers and mobile devices) have become the new perimeter.
Even after the pandemic, many organizations are likely to continue to make more use of telework and other forms of decentralized working. The days when you could simply place a firewall around your entire organization are definitely over.
In addition to the IT landscape, the threats themselves are also evolving faster. Today's cybercriminals have become more professional in two ways:
- They have acquired more advanced technical skills and have larger budgets for state-of-the-art, large-scale attacks. The Hafnium attacks on Microsoft Exchange servers are a good example
- They are also more motivated and focused, carrying out well-prepared and targeted attacks. While phishers used to cast a wide net, they now focus on CEO fraud and ransomware
Today's attacks are therefore more sophisticated and targeted than in the past. If your organization is targeted by cybercriminals, the threat is real.
Detect and respond
An important weapon in the fight against cybercrime is early detection of security incidents. This is the basis for a sound security policy. Without it, a computer intrusion can remain under the radar for months. This gives cybercriminals the time they need to systematically breach your infrastructure and do even more damage.
The longer it takes to detect or respond to a security incident, the greater the operational impact will be. This can have far-reaching consequences, ranging from intellectual property theft to lost revenue due to the interruption of production processes, to damage to your reputation.
Security Operations Centres (SOCs)
The changing IT landscape and these evolving threats require a shift in mentality: you need to assume that somebody is trying to hack you at all times, and adjust your behaviour accordingly. Organizations must always be alert to possible security incidents.
A first step in detecting and responding to security incidents in a timely manner is to establish or outsource a Security Operations Centre (SOC), which monitors your organization for potential cyber security incidents. A SOC consists of analysts who use industry-leading tools to collect information from all kinds of systems and applications around the clock, and investigate possible security breaches.
Security Information & Event Management (SIEM)
One of the tools that SOC analysts have been using for years is Security Information & Event Management (SIEM). This system collects logs from various sources (servers, applications, network devices, etc.), correlates the data and provides real-time analysis and notifications of suspicious events.
The challenge with a SIEM, however, is that it requires you to collect a large volume of logs from a variety of systems. Not all of these systems are built with cyber security in mind, so much of the data is not security-relevant. In the end, SOC analysts usually have to look for a small needle in a huge haystack. For this reason, a SIEM alone is no longer sufficient for detecting advanced attacks.
Network Detection and Response (NDR)
Analysing network traffic is nothing new in the security world. Network traffic is, after all, one of the sources a SIEM analyses, but a SIEM has blind spots. A Network Detection and Response (NDR) system complements it by offering a broader view.
NDRs focus on the interactions between different devices on the network and use advanced behavioural analysis algorithms complemented by machine learning and artificial intelligence (AI).
This enables NDRs to automatically determine the risk level of network traffic and to detect anomalies, even for attack types that have not been seen before. Because of the broader context they use, SOC analysts receive fewer but more relevant threat reports.
Endpoint Detection and Response (EDR)
Due to the accelerated digital transformation and increase in telework, endpoints have become the new perimeter, so you have to assume that any endpoint can be compromised. Detecting and blocking threats is best done at the level of the endpoint itself.
That’s what an Endpoint Detection and Response (EDR) system does. This system is installed on the endpoint device and continuously monitors and analyses activity and data on that endpoint. Abnormalities in user behaviour (possibly indicating a cybercriminal who has broken into the user account), in device processes or in the software itself (possibly indicating the presence of malware) are thus detected at the source and reported as quickly as possible.
While a SIEM mainly collects information, NDRs and EDRs also have far-reaching capabilities for responding to threats automatically. For example:
- If an NDR detects suspicious network traffic, it can send a command to a firewall to block it
- If an EDR detects suspicious user behaviour on an endpoint, the user's account can be deactivated preventatively, and the PC can immediately be isolated from the network to prevent further damage
These automatic responses ensure that any detected threat is contained as quickly as possible, which gives cybercriminals fewer opportunities to damage your systems and reduces the operational impact of cyber threats. That’s why EDR and NDR are the most important new tools for allowing SOCs to respond quickly and efficiently.
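To make the detect-and-respond loop above concrete, here is an added illustration (not code from the article or from any vendor product): an NDR-style baseline check on per-host traffic volume and an EDR-style check for an account appearing on an unfamiliar host, each mapped to the automatic responses the article lists. The telemetry, host names and account names are constructed, and the response functions only record the action they would take.

```python
from statistics import mean, pstdev

# Constructed sample telemetry (not from the article). NDR view: outbound
# volume (KB) per host over the last seven hours, plus the current hour.
NET_HISTORY = {"ws-01": [120, 130, 110, 125, 118, 122, 128],
               "ws-02": [90, 95, 88, 92, 91, 94, 89]}
NET_NOW = {"ws-01": 131, "ws-02": 2400}

# EDR view: (user, host) logon events; the baseline is the set of hosts
# each account is normally used on (also constructed).
LOGON_BASELINE = {"alice": {"ws-01"}, "bob": {"ws-02"}}
LOGONS_NOW = [("alice", "ws-01"), ("bob", "ws-02"), ("bob", "srv-fin-01")]


def ndr_detections(history, now, threshold=4.0):
    """NDR-style behavioural check: flag a host whose current volume deviates
    from its own baseline by more than `threshold` standard deviations."""
    hits = []
    for host, value in now.items():
        mu, sigma = mean(history[host]), pstdev(history[host])
        score = abs(value - mu) / sigma if sigma else float(value != mu)
        if score > threshold:
            hits.append(("ndr_anomaly", host))
    return hits


def edr_detections(baseline, logons):
    """EDR-style check: an account used on a host it has never been seen on
    before may indicate that the account has been taken over."""
    return [("edr_user_anomaly", (user, host))
            for user, host in logons if host not in baseline.get(user, set())]


def respond(detections):
    """Map each detection to the automatic responses described in the text.
    Returns the action list instead of calling real firewall or EDR APIs."""
    actions = []
    for kind, subject in detections:
        if kind == "ndr_anomaly":            # suspicious traffic -> block at the firewall
            actions.append(("firewall_block", subject))
        elif kind == "edr_user_anomaly":     # suspicious account use -> disable + isolate
            user, host = subject
            actions.append(("disable_account", user))
            actions.append(("isolate_host", host))
    return actions


def run_pipeline():
    """Run both detectors over the constructed telemetry and respond."""
    detections = ndr_detections(NET_HISTORY, NET_NOW) + edr_detections(LOGON_BASELINE, LOGONS_NOW)
    return detections, respond(detections)
```

Lowering `threshold` makes the NDR check noisier, which is the trade-off between fewer, more relevant alerts and earlier detection that the article describes.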
Managed Detection & Response offers many benefits to your organization. Take a closer look at how this solution can drive cost-effectiveness while still giving you access to the most up-to-date detection and response technologies available, 24/7.