Security leaders acknowledge that the term “assume breach” that was the new “It” thing in defense strategy and enterprise security investment, is close to retirement in the current scenario
The large part of the information security budget has been focused on building an unbreakable defense perimeter and reactive reply to the evidence-based breaches. It has served the purpose of encouraging enterprises to update their security infrastructure by adopting zero-trust network segmentation, better deployment of multi-factor authentication software, insider threat detection, and restricted access controls.
Considerable investments made in the enterprise-wide visibility should have been capable of reversing the decade-old motto that a hacker needs to be accurate once while the defender must be correct at all times. However, in the current scenario, security teams are handling issues instead of detecting the issues. That is possible only when the enterprise has proper security measures.
The majority of the enterprises have under-staffed security departments. Thus significant advancements made in the enterprise-wide visibility tend to have best-case scenarios add numerous alerts to the “never-completed” to-do list for the enterprises.
Security budgets have been modified to match the current needs. A higher percentage of the budget has been allocated to enhancing the infrastructure’s visibility to detect better, block, and prevent threats.
The best-case scenario for such a solution is quite bleak, as security teams are expected to have resources that would monitor the threats 24/7. There are several drawbacks to this strategy.
Monitoring a system continuously is a costly affair. In these situations, it is suggested that automated detection is deployed. The drawback associated with automaton detection is that it has a high rate of false-positive alerts and baseline tuning. This situation is similar to a CCTV monitoring of domestic premises. To avoid false-positive situations, it is advised to opt for two separate threat monitoring tech where one will identify threats and the other will confirm on it.
No automatic response limits for automatic detection
As automatic detection has a history of false-positive, its best that automatic measures can be reversed throughout alert response time. Such a step allows security teams to analyze the alert when an automated response is underway. If the alert is false, the security team can roll-back the response without affecting the workflows.
Balancing prevention and detection
Striking a proper balance between prevention and detection is vital and needs to be adopted across the industry. It’s good to have monitoring software to detect malicious actors. Still, it is equally important to have preventive tech that will block such actors from gaining access to the security profile. Investment in prevention tech will be threat reactive, and modern detection tech tends to be useful in identifying behavior inconsistencies.
The term “assume breach” has served its functionality of encouraging enterprises to consider and invest in operation programs and security technologies. The security term needs balance redressing in the current scenario. It can be done with advanced machine intelligence and cloud-SIEM platforms embedded in the organization’s visibility and detection requirement. SecOps teams are responsible for handling both posture and alert fatigue.