Detecting malware and other kinds of threats is more important than protection in cyber security, Michael Wignall, CTO for Microsoft UK, believes.
Detecting intrusions as soon as possible and responding to them effectively are essential for a sound cyber security strategy, Wignall said.
In July, a question was thrown at a panel of security professionals and IT experts about whether it was possible to prioritise either detection or prevention in cyber security. Responding to the query, an overwhelming number of experts stated that organisations need to invest in both and must maintain a balance between prevention and detection.
‘How many firms have guards, and utilize locks and alarms on their doors, yet have motion detectors and/or security cameras inside their buildings? The same is true in the information security world. It is necessary to have both preventative mechanisms as well as ways to detect and address breaches after they have already occurred,’ said Joseph Steinberg, founder of SecureMySocial.
‘The key is finding the right balance of the two given an organization’s risk profile. For most enterprises, security investments are substantially “overweighted” in favor of prevention. A rebalancing exercise that emphasizes detection and response capabilities will typically pay significant dividends,’ said Jason Straight, Senior VP of Cyber Risk Solutions and Chief Privacy Officer of UnitedLex Corp.
However, Michael Wignall, CTO for Microsoft UK, thinks that detection is essentially more important than prevention in cyber security. Speaking at the Microsoft Decoded event in London, he said that his belief comes from the fact that, on average, a hacker spends as many as 144 days on a network before being detected.
To reduce detection times, Wignall added that enterprises should embrace machine learning and artificial intelligence as soon as possible.
‘It’s vitally important to understand your technology environment and how it’s changed – you’re now much more connected than ever before. We have to think about cybersecurity in a very different way.
‘A lot of the threat isn’t as targeted and sophisticated as you might think, it’s actually much more opportunistic – they’re taking advantages of some of the changes in the tech landscape. If you’re not taking advantage of AI in your systems, you better believe that the attackers are – so you’ve got to keep up,’ he said.
Wignall may be right to an extent. Over-reliance on perimeter security has made a large number of firms in the UK vulnerable to sophisticated cyber threats in the recent past. While prevention tools like firewalls, IDPS, antivirus, content filtering and anomaly detection are impacting employee productivity, they have also been found to be less effective compared to solutions like end-to-end encryption and two-factor authentication.
Hence, enterprises must invest in effective detection tools and techniques to ensure that malware, ransomware or spyware can be detected, isolated and destroyed before they can cause significant damage. According to CybeRisk, a number of new detection techniques have been rising to the challenge.
‘Detection technologies have been rising to the challenge, with the growth of platforms for the analysis and correlation of network events and logs, such as security information/event management (SIEM), User and Entity Behavior Analytics (UEBA), context-sensitive Data Loss Prevention methods, and the development of dedicated Endpoint Detection and Response (EDR) systems,’ it says.
‘But detection alone isn’t enough – unless the enterprise objective is to keep security operations center personnel chasing their tails in the follow-up to a continuous barrage of alerts and reports. Detecting threats is only part of a solution which requires swift and definitive action to stop them, and/or mitigate their effects,’ the firm added.