There has been a lot of discussion around Detect & Respond, but a number of misconceptions and misunderstandings about this particular cyber security framework remain. Many companies hold the notion that perfect security isn’t achievable, and perhaps they’ve given up hope of blocking cyber attacks through preventive measures. As a result, most flock to Detect and Respond instead. But Detect and Respond has its own pitfalls, which we’ll cover in this blog piece.
What classifies as Detect and Respond?
The Detect and Respond framework, in the realm of cyber security, refers to the ability to discover cybersecurity incidents in a timely manner (“detect”) and develop as well as implement the appropriate actions to take against such cybersecurity incidents (“respond”).
As a result, the “detect” aspect of the framework includes security approaches and technologies that support continuous security monitoring, and the “respond” aspect includes response planning and mitigation. It’s false to assume that solely implementing Detect and Respond capabilities can make up for a weak implementation of preventive measures (vulnerability management systems, intrusion prevention systems, WAF) against cyber threats. This is a particularly dangerous mindset.
Detect and Respond Pitfalls
The major flaw with Detect and Respond is that once a cyber attack is in full effect, for example a malware infestation that has taken over a system, it becomes really hard to tell the immediate impact of such an attack. This makes detecting and responding even more difficult. Consider the following analogy: Detect and Respond is like monitoring the activity within your brick-and-mortar shop through security cameras…but without someone behind the screens monitoring those cameras 24/7 and with no alarms installed to notify you.
To find out if you’ve been robbed, you’ll have to personally check the footage in the next few hours or the following morning. Moreover, if a burglar did manage to break in and steal something, it becomes harder to respond to the situation since: A) the burglar might be unidentifiable, having probably worn a mask, which makes it challenging for the police to track them down, and B) the likelihood of retrieving the stolen items is close to zero.
One thing’s for sure: no company would implement the above security strategy if Detect and Respond were explained through that analogy. This is not to say that Detect and Respond does not or should not play an important role in your security strategy. However, once a company comes under attack, having Detect and Respond capabilities alone does not suffice, and the company will likely suffer monetary losses as well. Solely relying on preventive measures does not work either, as that simply presents a false sense of security.
Take for example the different causes of data breaches. A breach may have been the result of weak or stolen passwords, but those are not the same thing: a weak password is not a stolen password. Preventive measures protect against weak passwords by ensuring that passwords are not left at their defaults (e.g. password, admin), whereas Detect and Respond deals with monitoring for the use of stolen passwords and the respective accounts. As this example shows, the best cyber security strategy for any business should always include both Detect and Respond and preventive measures.
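To make the weak-versus-stolen distinction concrete, here is an added example (not code from the original post) that pairs the two controls: a preventive check that rejects default or weak passwords before they are set, and a detective rule that scans constructed login log lines for an account used from several source addresses within a short window, which is how a stolen password typically shows up even though the password itself was strong. The log format, the default-password list and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Preventive control: refuse default or weak passwords at the time they are set.
# The default list is an illustrative assumption; real deployments use a larger
# breached-password list.
DEFAULT_PASSWORDS = {"password", "admin", "123456", "welcome", "changeme"}

def is_acceptable_password(candidate: str) -> bool:
    """Reject known defaults, short passwords and passwords with little variety."""
    if candidate.lower() in DEFAULT_PASSWORDS or len(candidate) < 12:
        return False
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    return sum(classes) >= 3

# Detective control: a stolen (but strong) password passes the check above, so
# it has to be caught from behaviour: successful logins for one account from
# more distinct source addresses than the real user could plausibly produce.
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

# Constructed sample log lines (documentation address ranges, not real data).
SAMPLE_LOG = """\
2024-05-01T08:00:00 user=alice src=203.0.113.10 result=success
2024-05-01T08:03:00 user=alice src=198.51.100.7 result=success
2024-05-01T08:04:30 user=alice src=192.0.2.55 result=success
2024-05-01T09:00:00 user=bob src=203.0.113.20 result=success
2024-05-01T13:00:00 user=bob src=203.0.113.21 result=success
"""

def flag_shared_credentials(log_text, window=timedelta(minutes=10), max_sources=2):
    """Return the users seen logging in from more than max_sources IPs inside window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["result"] != "success":
            continue
        events[m["user"]].append((datetime.fromisoformat(m["ts"]), m["src"]))
    flagged = set()
    for user, entries in events.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            sources = {src for t, src in entries[i:] if t - t0 <= window}
            if len(sources) > max_sources:
                flagged.add(user)
                break
    return flagged
```

In the sample, alice is flagged (three addresses in under five minutes) while bob, who moved between two addresses hours apart, is not; the flagged account is what the "respond" side then acts on, for example by forcing a credential reset.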