Beyond Incident Response: Measure & Optimize Your Security Operations for Breach Prevention

Learn how to measure and improve your security program's coverage and speed to prevent breaches.
Published on March 5, 2024
Written by Joshua Danielson

Are you ready to respond to security threats before they turn into a breach?

Bad actors now average a breakout time of 62 minutes, which leaves many security programs unprepared to deal with security incidents before they escalate into a breach. So how do you measure how effectively you are able to respond to a breach? It comes down to two capabilities: coverage and speed.

Coverage

Ensuring that you have the right level of defenses to protect against and detect bad actors is one of the most important steps in making sure your security program can effectively respond to incidents. After all, how are you going to respond to malicious activity that you didn’t know happened?

Speed

Once you have the right defenses in place, you also have to act quickly, before the bad actor is able to escalate through actions such as lateral movement. I mentioned above that bad actors now take an average of 62 minutes to break out, but the fastest bad actors are now able to break out in just over 2 minutes.

One of my greatest fears as a security leader was whether our defenses were functioning properly. On top of that, the fact that bad actors are now achieving lateral movement in minutes will definitely be keeping CISOs up at night.

What Can You Do?

When it comes to measuring the coverage of your security program, the MITRE ATT&CK framework is one of the quickest ways to figure out how well your defenses are performing. In previous security programs that I’ve led, I’ve had our security operations teams map our incidents to the MITRE ATT&CK framework, giving us a clear idea of where our defenses were working and where they weren’t.

One of the biggest flaws in relying solely on this approach is that the data is collected post-incident. That is useful for finding areas for improvement, but it also leaves bad actors an opportunity to take advantage of unassessed holes in your program. No one wants a hacker trying to do harm to your systems to be your red team. To address this risk, you have to be prepared with a comprehensive assessment of your defenses before an incident or breach happens.
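As an added example (not code from the article or from Kustos), here is how the incident-to-technique mapping described above can be turned into a coverage measurement, and how it exposes the flaw just mentioned: in-scope techniques that no incident has exercised come out as unassessed rather than as covered. The incident records and the in-scope technique list are constructed for this example; the technique IDs are real ATT&CK identifiers, but their assignment to these incidents is invented.

```python
from collections import defaultdict

# Constructed sample data (not from the article): incidents that the SOC has
# already mapped to MITRE ATT&CK technique IDs, recording for each technique
# whether our own controls detected it (True) or we only learned of it
# afterwards, e.g. from a third party or forensics (False).
INCIDENTS = [
    {"id": "INC-001", "techniques": {"T1566": True, "T1059": True, "T1078": False}},
    {"id": "INC-002", "techniques": {"T1078": False, "T1021": False}},
    {"id": "INC-003", "techniques": {"T1566": True, "T1021": True}},
]

# Hypothetical list of techniques the program has decided it must cover.
IN_SCOPE = {"T1566", "T1059", "T1078", "T1021", "T1003", "T1486"}


def coverage_by_technique(incidents):
    """Return {technique: (times_detected, times_observed)}."""
    counts = defaultdict(lambda: [0, 0])
    for inc in incidents:
        for tech, detected in inc["techniques"].items():
            counts[tech][1] += 1
            if detected:
                counts[tech][0] += 1
    return {tech: (d, n) for tech, (d, n) in counts.items()}


def detection_rate(incidents):
    """Fraction of observations of each technique that our controls caught."""
    return {tech: d / n for tech, (d, n) in coverage_by_technique(incidents).items()}


def coverage_gaps(incidents, in_scope):
    """Split weaknesses into two kinds:
    - blind_spots: techniques seen in incidents but never detected by us
    - unassessed: in-scope techniques no incident has exercised, so the
      post-incident data says nothing about them (the gap the article warns about)
    """
    rates = detection_rate(incidents)
    return {
        "blind_spots": sorted(t for t, r in rates.items() if r == 0.0),
        "unassessed": sorted(in_scope - set(rates)),
    }


if __name__ == "__main__":
    for tech, rate in sorted(detection_rate(INCIDENTS).items()):
        print(f"{tech}: detected {rate:.0%} of the time it was observed")
    print(coverage_gaps(INCIDENTS, IN_SCOPE))
```

The `unassessed` list is the output to watch: those techniques can only be moved into the measured set by exercising them deliberately (a red team or a scoped pentest), not by waiting for an incident to reveal them.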

When it comes to speed, CrowdStrike has popularized the 1-10-60 rule, which gives security operations programs realistic and useful targets to measure their response ability against: 1 minute to detect a security incident, 10 minutes to start investigating, and 60 minutes to remediate. As an example, Amazon Web Services publicizes that their teams have a 5-minute response time for critical incidents. This may sound intense for security leaders that lack resources, but this is the threat landscape we’re living in today. For most, the solution will likely be a blended approach of tooling and people to help achieve the 1-10-60 rule, but the specific challenges for each security program will vary.
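To make the 1-10-60 rule measurable rather than aspirational, the added example below (not code from the article, CrowdStrike or Kustos) scores a set of incidents against the three targets from their timestamps. Two boundaries are assumptions made here, since the rule itself does not fix them: "investigate" is measured from detection to the moment an analyst starts triage, and "remediate" from detection to completed remediation. The incident timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The 1-10-60 targets from the article. Assumed phase boundaries (see lead-in):
# detect = first attacker activity -> alert, investigate = alert -> triage start,
# remediate = alert -> remediation complete.
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "remediate": timedelta(minutes=60),
}


@dataclass
class Incident:
    id: str
    first_activity: datetime  # earliest attacker activity found in the evidence
    detected: datetime        # alert fired
    triage_started: datetime  # an analyst picked the alert up
    remediated: datetime      # containment / remediation complete


def phase_durations(inc):
    """Elapsed time for each phase of one incident."""
    return {
        "detect": inc.detected - inc.first_activity,
        "investigate": inc.triage_started - inc.detected,
        "remediate": inc.remediated - inc.detected,
    }


def meets_targets(inc):
    """{phase: True/False} for one incident against 1-10-60."""
    return {p: d <= TARGETS[p] for p, d in phase_durations(inc).items()}


def phase_pass_counts(incidents):
    """{phase: (incidents within target, total incidents)} over a period."""
    total = len(incidents)
    return {p: (sum(meets_targets(i)[p] for i in incidents), total) for p in TARGETS}


def worst_phase(incidents):
    """The phase with the lowest pass rate, i.e. where to invest first."""
    counts = phase_pass_counts(incidents)
    return min(counts, key=lambda p: counts[p][0] / counts[p][1])


def ts(hour, minute, second=0):
    """Helper for the constructed sample: all incidents on one day."""
    return datetime(2024, 3, 5, hour, minute, second)


# Constructed sample incidents (not real data).
SAMPLE = [
    # Fully within 1-10-60.
    Incident("INC-001", ts(10, 0, 0), ts(10, 0, 45), ts(10, 5, 0), ts(10, 50, 0)),
    # Detected late (3 min) and remediated late (87 min from detection).
    Incident("INC-002", ts(9, 0, 0), ts(9, 3, 0), ts(9, 8, 0), ts(10, 30, 0)),
    # Detected fast, but triage waited 14.5 min and remediation took 69.5 min.
    Incident("INC-003", ts(14, 0, 0), ts(14, 0, 30), ts(14, 15, 0), ts(15, 10, 0)),
]


if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.id, {p: str(d) for p, d in phase_durations(inc).items()}, meets_targets(inc))
    print("pass counts:", phase_pass_counts(SAMPLE))
    print("invest first in:", worst_phase(SAMPLE))
```

In a real program the four timestamps come from the SIEM or case management system, and the only hard part is `first_activity`, which has to be established by the investigation itself; if it cannot be, the detect phase is unknown rather than passed.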

One of the best ways to gauge your program's response ability is with blue team exercises. However, putting together such exercises is usually too expensive for many programs to sustain. In lieu of blue team exercises, working with a good pentester and carefully crafting a fairly wide scope is one of the best ways to test your defenses and determine how quickly your team is able to respond to security incidents.

Want to be proactive in determining how well your security program is functioning? Reach out to the Kustos team today to assess your ability to respond to security incidents and learn more about how we can help prevent breaches with our Cyber Defense assessments and Red Teaming exercises.
