In the past, organizations might have been able to get away with firewalls and antivirus software as their primary defenses against cybercriminals. Unfortunately, those days are long gone. Defending against today’s threats requires a more active approach capable of evolving alongside attackers and their ever-changing tactics. “Set it and forget it” security tools are no longer an option. Today’s organizations need to continuously evaluate the effectiveness of their security controls, identifying potential weaknesses, vulnerabilities, compliance issues, and other problems.
Determining the effectiveness of these tools isn’t always easy, though. What’s more, company leaders are generally interested in knowing more than just how security solutions deal with threats. They want to understand the value the tools provide and whether they are generating enough ROI to justify continued use, which can be difficult to measure in specific, quantifiable terms. Fortunately, there are options available. Organizations seeking to understand the performance of their security solutions better should focus on a few key areas.
1. Gauging Attack Surface Awareness
Building a wall to keep attackers at bay isn’t sufficient in today’s threat landscape. Eventually, one or more will get in. It simply isn’t possible to stop 100% of threats, meaning that security should shift from focusing on perimeter protection to in-network detection. To be successful, organizations need awareness of things like exposed credentials, misconfigurations, potential attack paths, and other vulnerabilities that attackers are likely to exploit.
There is a wide range of tools available that can help. Endpoint Detection and Response (EDR) tools provide visibility into attacks on endpoints, while Extended Detection and Response (XDR) tools expand upon those capabilities by integrating with other solutions. Attackers will almost always look to compromise Active Directory (the service that handles authentication throughout the enterprise), which is notoriously difficult to secure. Detection tools capable of identifying suspicious AD queries and other potential attack activity can help prevent the nightmare scenario of a compromised AD.
Of course, identity security is also increasingly critical. While traditional EDR tools and AD security solutions don’t offer the identity protection needed in today’s environments, Identity Threat Detection and Response (ITDR) solutions have emerged to fill that gap.
It all comes down to coverage. Organizations can assess the degree of awareness they have in the network. Identity controls without endpoint protections can leave their networks dangerously vulnerable, as can endpoint protections without AD security. And as more and more organizations embrace the cloud, new cloud environments will expand the attack surface even further. Ensuring sufficient visibility across the entire network is a critical first step in assessing the effectiveness of an organization’s tools.
2. Investigating Permissions and Entitlements
Overprovisioning is a serious problem today. IT teams generally do not want to interfere with business operations, which means it is easier to provide users and other identities with more permissions than they need rather than risk impeding someone’s job function. Unfortunately, identities often end up with entitlements that far outstrip what they actually need to do their jobs. Consequently, when attackers compromise those identities, they also have access to far more data than they otherwise would have.
Implementing a Zero Trust Architecture (ZTA) is one way of dealing with this challenge, providing identities with only the minimum level of access they need to function and continuously validating that they are who or what they say they are. To that end, organizations need tools to identify excessive permissions and other potential vulnerabilities throughout the network. Organizations should regularly audit and update these permissions to ensure they remain appropriate, and make sure someone actually reviews the results of those audits. How many excessive permissions were detected? How many obsolete or orphaned credentials did they expunge? Proper awareness across the network can help IT teams gauge how effectively they are managing their permissions.
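The two audit questions above (how many excess permissions, how many orphaned credentials) are easy to answer mechanically once entitlements are compared against a least-privilege baseline per role. The script below is an added example, not code from the article or any vendor it mentions; the role baselines, the identity records, the 90-day dormancy threshold and the audit date are all constructed assumptions for illustration.

```python
# Added example (not from the article): auditing an entitlement export for
# over-provisioned and orphaned identities. The role baselines, identity records,
# audit date and 90-day idle threshold are constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed least-privilege baseline: the permissions each role actually needs.
# A role absent from this table gets an empty baseline, so every permission it
# holds is reported as excess (default deny for unknown roles).
ROLE_BASELINE = {
    "analyst": {"read:tickets", "read:logs"},
    "developer": {"read:repo", "write:repo", "read:logs"},
    "dba": {"read:db", "write:db", "admin:db"},
}

AUDIT_DATE = date(2024, 1, 15)   # constructed "today" for the sample run
MAX_IDLE_DAYS = 90               # assumed dormancy threshold


@dataclass
class Identity:
    name: str
    role: str
    permissions: set
    last_login: Optional[date]   # None means the credential has never been used
    owner_active: bool = True    # False when the human or service owner is gone


def excess_permissions(identity: Identity) -> set:
    """Permissions held beyond the role's baseline."""
    return identity.permissions - ROLE_BASELINE.get(identity.role, set())


def is_orphaned(identity: Identity, today: date = AUDIT_DATE,
                max_idle_days: int = MAX_IDLE_DAYS) -> bool:
    """Orphaned: owner gone, credential never used, or idle past the threshold."""
    if not identity.owner_active or identity.last_login is None:
        return True
    return (today - identity.last_login).days > max_idle_days


def audit(identities, today: date = AUDIT_DATE) -> dict:
    """Return the two figures the article asks for (excess permissions found,
    orphaned credentials to expunge) together with the offending identities."""
    excessive = {}
    orphaned = []
    for ident in identities:
        extra = excess_permissions(ident)
        if extra:
            excessive[ident.name] = sorted(extra)
        if is_orphaned(ident, today):
            orphaned.append(ident.name)
    return {
        "excessive": excessive,
        "excess_permission_count": sum(len(v) for v in excessive.values()),
        "orphaned": orphaned,
    }


# Constructed sample export; these are not real accounts.
SAMPLE_IDENTITIES = [
    Identity("alice", "analyst", {"read:tickets", "read:logs", "admin:db"}, date(2024, 1, 10)),
    Identity("bob", "developer", {"read:repo", "write:repo"}, date(2023, 6, 1)),
    Identity("carol", "developer", {"read:repo", "write:repo", "read:logs"}, date(2024, 1, 14)),
    Identity("svc-backup", "dba", {"read:db", "write:db", "admin:db"}, None, owner_active=False),
    Identity("dave", "contractor", {"read:tickets"}, date(2024, 1, 12)),
]

if __name__ == "__main__":
    result = audit(SAMPLE_IDENTITIES)
    print(f"{result['excess_permission_count']} excess permissions:", result["excessive"])
    print("orphaned credentials to expunge:", result["orphaned"])
```

Run against the sample, the audit flags alice's stray `admin:db` grant, dave's permissions (his role has no baseline, so nothing he holds is justified), bob's long-idle account and the ownerless `svc-backup` service credential. Tracking these counts from one audit to the next is what turns "we reviewed permissions" into a measurable trend.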
3. Measuring and Improving Detection Accuracy
Security alerts are good—ostensibly, they indicate that security tools are functioning correctly and detecting threats. Unfortunately, that isn’t always the case. Suspicious-looking activity often turns out to be harmless, resulting in a false alarm that wastes the security team’s time with useless investigation. These false alerts can result in alert fatigue, with excessive false alarms drowning out the actual threats needing remediation.
Tracking the false positive reporting rate (FPRR) can help security personnel understand the quality of their alerts. If the FPRR is too high, it may be time to look into newer, more accurate tools. Today’s detection technology often comes armed with artificial intelligence and machine learning (AI and ML) capabilities that let it learn over time and substantiate alerts before relaying them to the security team. These high-fidelity alerts reduce the overall alert volume and enable network defenders to focus on actual threats rather than chasing ghosts.
4. Understanding the Effectiveness of Automation
Automation is useful for more than reducing false alarms. It isn’t always feasible to manually remediate all threats at today’s attack volumes. Fortunately, today’s tools can automatically correlate attack information from different sources and display it on a single dashboard for assessment. By creating playbooks for certain types of attack activity, these tools can automatically remediate specific threats before even bringing them to the attention of a defender. This automation accelerates and simplifies incident response, addressing threats as soon as they are detected and stopping them before they can escalate and spread throughout the network.
Incident response volume is a good way to gauge how effective these controls are. The number of incidents reported as open, closed, or pending can provide insight into how well automated tools deal with threats. Too many open or pending incidents don’t bode well, but a significant number of verifiably closed cases means the system is doing its job.
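Both the FPRR metric from section 3 and the open/closed/pending incident counts from this section come out of the same triage log once each alert carries an analyst (or playbook) verdict and a workflow status. The script below is an added example, not code from the article or any product it describes; the alert records, rule names, status values and the 50% noise threshold are constructed assumptions. It goes slightly beyond the text by breaking the FPRR down per detection rule, which is what you need to know which rule to tune rather than just that alerts are noisy overall.

```python
# Added example (not from the article): computing the false positive reporting
# rate (FPRR), per-rule noise, incident-volume counts and the share of confirmed
# threats closed by automation from a triaged alert log. The records, rule names
# and the 50% noise threshold are constructed assumptions.
from collections import Counter, defaultdict

# Constructed triage records. 'disposition' is the analyst's (or playbook's)
# verdict, with 'pending' meaning not yet triaged; 'status' is the incident's
# workflow state; 'auto_remediated' records whether a playbook handled it.
ALERTS = [
    {"id": 1, "rule": "ad_suspicious_ldap_query",   "disposition": "true_positive",  "status": "closed",  "auto_remediated": True},
    {"id": 2, "rule": "ad_suspicious_ldap_query",   "disposition": "true_positive",  "status": "closed",  "auto_remediated": False},
    {"id": 3, "rule": "edr_unusual_parent_process", "disposition": "false_positive", "status": "closed",  "auto_remediated": False},
    {"id": 4, "rule": "edr_unusual_parent_process", "disposition": "false_positive", "status": "closed",  "auto_remediated": False},
    {"id": 5, "rule": "edr_unusual_parent_process", "disposition": "false_positive", "status": "closed",  "auto_remediated": False},
    {"id": 6, "rule": "edr_unusual_parent_process", "disposition": "true_positive",  "status": "open",    "auto_remediated": False},
    {"id": 7, "rule": "cloud_new_iam_role",         "disposition": "pending",        "status": "pending", "auto_remediated": False},
    {"id": 8, "rule": "ad_suspicious_ldap_query",   "disposition": "true_positive",  "status": "closed",  "auto_remediated": True},
]

TRIAGED = ("true_positive", "false_positive")


def false_positive_rate(alerts) -> float:
    """FPRR = false positives / all triaged alerts. Pending alerts are excluded
    so an untriaged backlog neither flatters nor inflates the rate."""
    triaged = [a for a in alerts if a["disposition"] in TRIAGED]
    if not triaged:
        return 0.0
    return sum(a["disposition"] == "false_positive" for a in triaged) / len(triaged)


def fprr_by_rule(alerts) -> dict:
    """FPRR per detection rule, for rules with at least one triaged alert."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["rule"]].append(a)
    return {rule: false_positive_rate(group) for rule, group in grouped.items()
            if any(a["disposition"] in TRIAGED for a in group)}


def noisy_rules(alerts, threshold: float = 0.5) -> list:
    """Rules whose FPRR exceeds the threshold: candidates for tuning or replacement."""
    return sorted(r for r, rate in fprr_by_rule(alerts).items() if rate > threshold)


def incident_volume(alerts) -> dict:
    """Open / closed / pending counts, the figure the article uses to judge automation."""
    return dict(Counter(a["status"] for a in alerts))


def automation_share(alerts) -> float:
    """Fraction of confirmed threats closed by a playbook without an analyst."""
    real = [a for a in alerts if a["disposition"] == "true_positive"]
    if not real:
        return 0.0
    return sum(a["auto_remediated"] and a["status"] == "closed" for a in real) / len(real)


if __name__ == "__main__":
    print(f"overall FPRR: {false_positive_rate(ALERTS):.2%}")
    print("noisy rules:", noisy_rules(ALERTS))
    print("incident volume:", incident_volume(ALERTS))
    print(f"auto-remediated share of true positives: {automation_share(ALERTS):.0%}")
```

On the sample log the overall FPRR is about 43%, but the breakdown shows the AD query rule is clean and all the noise comes from one EDR rule, so the fix is tuning that rule rather than replacing the tool. The pending alert is kept out of the FPRR denominator deliberately: counting an untriaged backlog as "not false" would make a team that never triages look accurate.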
Today’s threats are wide-ranging, and modern attackers don’t just focus on large organizations. Everyone is at risk, and organizations large and small need to have appropriate protections in place and the knowledge and resources necessary to gauge their efficacy. Fortunately, assessing things like network visibility, entitlement management, and incident and false alarm reporting can help organizations determine their overall network health and how well their defenses are faring.
This information can also help security teams generate additional buy-in from CISOs and corporate boards when enhancing and expanding their network defense capabilities. As attackers evolve, network defense tools evolve alongside them, and helping today’s business leaders understand the steps needed to stay one step ahead of the cybercriminals is essential. Given that the average cost of a data breach in 2021 rose to $4.24 million, effective security solutions have never been more critical.