Security strategies can be planned in several ways. One is through threat detection, where the objective is to find anomalies, analyse their threat level, and determine what mitigation actions may be required. For this process to be effective, there needs to be a structure.

Two security experts from Sony, Charles Anderson and Chris Ogden, shared their experiences building a global detection programme at RSA Conference 2019 Asia Pacific & Japan. As a reminder, Sony Pictures, the TV and film production/distribution unit of Sony, suffered one of the biggest hacks of 2014. Personal information about Sony Pictures employees and their families, emails, executive remuneration and copies of unreleased Sony films were leaked.

So I am sure the two security experts have good experience in threat detection. They believe that the ability to quickly and accurately detect threats and high-risk activity is key to any cybersecurity programme. In their RSAC 2019 APJ session, “Lessons Learned From Building A Global Threat Detection Programme,” they spoke at length about the necessity of putting in place a dedicated programme to develop detection content, measure its efficacy and refine it.

One key piece of advice is to automate the threat procedures as much as possible. Almost anything that is procedurally well-defined can be automated. Because there are large data sets across departments, automation will improve the collection and analysis of data.

It will also ease bulk updates to the system. The aim here is to improve consistency and efficiency. Besides, there is a shortage of cybersecurity professionals, so automation helps to reduce the workload on staff.

Automation will also quickly give threat analysts better visibility into the threat situation, allowing them to correlate different data points faster and ultimately generate reports for senior management in a timely fashion.

The thing about automation, said Anderson and Ogden, is that it can be configured for different types of anomalies. So when a threat alarm goes off, the security team can quickly validate threats and eliminate false positives. Analysts can then respond appropriately.

Threat detection must also be available laterally across the ICT infrastructure, including the entire cyber kill chain, networks, email systems, and authentication and application servers. Just think about it: there is no point in having detection available only in some buckets and not others. No efficiency or effectiveness will come out of this.

Measurement can be a bore, but it is required for efficacy. Measure how well the detection content performs. Ideally, it should take as little time as possible so that the analysts can quickly review and respond.

In any measurement, there will be false positives. There is no point chasing every positive reading; it is not productive. So the team must learn what the false positives are so that reaction time will be spot on.

Measurement provides data on investigations and threats from which insights are derived. So data must be reviewed regularly to get insights, which will go a long way towards blocking or preventing future attacks.
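One way to put this measurement into practice, as an added example that is not from the talk: the script below computes a false-positive rate and median triage time for each detection rule and lists the rules that need tuning. The rule names, alert records and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: (rule, alert raised, analyst closed it, disposition).
ALERTS = [
    ("impossible-travel", "2019-07-01T08:00", "2019-07-01T08:12", "false_positive"),
    ("impossible-travel", "2019-07-01T09:30", "2019-07-01T09:50", "false_positive"),
    ("impossible-travel", "2019-07-02T14:00", "2019-07-02T14:08", "true_positive"),
    ("impossible-travel", "2019-07-03T11:00", "2019-07-03T11:30", "false_positive"),
    ("new-admin-account", "2019-07-01T10:00", "2019-07-01T10:05", "true_positive"),
    ("new-admin-account", "2019-07-02T16:00", "2019-07-02T16:15", "true_positive"),
    ("new-admin-account", "2019-07-04T07:00", "2019-07-04T07:10", "false_positive"),
]

def rule_metrics(alerts):
    """Per rule: alert volume, false-positive rate, median minutes to triage."""
    by_rule = defaultdict(list)
    for rule, raised, closed, disposition in alerts:
        delta = datetime.fromisoformat(closed) - datetime.fromisoformat(raised)
        by_rule[rule].append((disposition, delta.total_seconds() / 60))
    metrics = {}
    for rule, rows in by_rule.items():
        false_positives = sum(1 for d, _ in rows if d == "false_positive")
        metrics[rule] = {
            "alerts": len(rows),
            "fp_rate": false_positives / len(rows),
            "median_triage_min": median(m for _, m in rows),
        }
    return metrics

def needs_tuning(metrics, max_fp_rate=0.5, max_triage_min=15):
    """Rules that are too noisy or too slow to triage (assumed thresholds)."""
    return sorted(
        rule for rule, m in metrics.items()
        if m["fp_rate"] > max_fp_rate or m["median_triage_min"] > max_triage_min
    )

if __name__ == "__main__":
    results = rule_metrics(ALERTS)
    for rule, m in sorted(results.items()):
        print(f"{rule}: {m['alerts']} alerts, FP rate {m['fp_rate']:.0%}, "
              f"median triage {m['median_triage_min']:.0f} min")
    print("Review for tuning:", needs_tuning(results))
```

Run on a schedule against the case-management export, the same report gives the regular review the talk calls for.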

Threat detection methods continue to see innovation. Anderson and Ogden suggested exploring new technologies like heuristics that can target suspicious behaviour. Heuristics can play a major role in detecting previously unseen threats.

Don’t forget threat intelligence. Human adversaries also exhibit patterns. Their playbooks exhibit behaviour that offers clues to the type of attack. For example, each time a piece of malware accessed the system, it would look for IP addresses or which devices map to this host. Aggregating all these data points can help the threat detection team respond more effectively.

On top of all of these tips, it is critical for the detection team to speak the business language. The team has to demonstrate that their work is adding business value; otherwise it is another item on the budget, in which case the company may invest in other security projects.
