Detection & Response First. Prevention Second.

In the early days of cybersecurity, it was all about prevention, prevention, prevention. You’d implement a firewall, install some anti-virus software and do everything you could to stop the bad guys from getting over, under or around your digital fence.

Not so much anymore.

Experience and research show us that while effective prevention strategies are essential, detection and response are even more important, for three reasons:

  1. Prevention will never be perfect.
    The limitations of prevention efforts have long been recognized as a fact of life in cybersecurity, but they’ve become even more apparent as organizations become more connected, exposing themselves to vulnerabilities in third-party networks, IoT devices and cloud services. Organizations also find that educating employees at every level to consistently follow cybersecurity guidelines is an uphill battle. Sometimes these weaknesses enable each other—note that the Target breach in 2013, now estimated to have cost the company $300 million, was enabled by a phishing attack on a third-party vendor.
  2. Threats are constantly evolving.
    Hackers adapt to the security programs we employ and are usually the first adopters when it comes to leveraging sophisticated artificial intelligence (AI) technology. As a result, even today’s leading threat protection solutions can frequently miss zero-day exploits and new malware.
  3. Limiting damage is essential.
    Detecting intrusions before they can do major damage is critical. On average, intruders remain active in a network for up to 122 days before being detected. Detecting them sooner can substantially reduce their impact. Measure your detection time in minutes, not days.

Challenge Accepted

Effective detection and response strategies require the right tools, the right skillsets and the full collaboration of key stakeholders.

Fortunately, detection tools have made major advances. Security Information and Event Management (SIEM) platforms provide real-time analysis of security alerts generated by applications and network hardware. User and Entity Behavior Analytics (UEBA) look for meaningful anomalies in the behavior of system users and accounts. Cloud Access Security Brokers (CASB) warn administrators about potentially hazardous activities related to cloud services. And Endpoint Detection and Response (EDR) systems monitor activity on the laptops, workstations and other devices employees use to connect to the enterprise network.

These highly effective tools are great, but most hedge funds and private equity firms don’t have the time or resources to evaluate them, purchase and implement them, and then optimize and manage the technology effectively. This is where many of our clients go looking for a security provider, and those concerned with partnering with a vendor who knows their industry specifically usually end up with Agio.

That covers detection, but there’s still the response to be reckoned with, because you don’t want to be caught flat-footed when the inevitable occurs. Time to respond directly correlates with how much a breach will cost you. This means your Incident Response (IR) plan needs to be comprehensive, and it needs to be regularly updated and tested to address any changes in data assets, systems, personnel and legal mandates. To make this happen, your cybersecurity governance team will need the active participation of Technology, Legal, Human Resources, Investor Relations, Compliance and Risk Management executives. Everyone has a seat at the table, and they need to show up and take it seriously.

Your plans should cover:

  • Securing data through the necessary patches or fixes, along with testing to spot any gaps in the security process.
  • Developing an accurate description of your categories of data, so you can find out quickly whether financial information, social security numbers, medical records or other personal information were exposed.
  • Detailing who is part of your incident response teams, what their responsibilities are, how the scope of the breach will be determined, how customers and/or investors will be notified, how legal and compliance requirements will be met, and how you will manage communications.

Faced with a situation which, when first detected, may still be unfolding and not yet fully understood, your leaders will be more confident in making difficult decisions if the organization has taken the time to develop its response capability, kept that capability up to date, and practiced it enough that you’re not completely blindsided.