Enhancing your security operations with Active Defense
Cyber attackers are growing more sophisticated and ever more destructive and, according to the trends identified by EY’s latest Global Information Security Survey (GISS), most organizations are struggling to keep pace.
The next iteration of continuous improvement is to add Active Defense to existing security operations to enhance a holistic cybersecurity program.
Active Defense is a deliberately planned and continuously executed campaign to identify and eradicate hidden attackers and defeat likely threat scenarios targeting your most critical assets.
Even organizations with a Security Operations Center (SOC) often lack the capability to proactively search for cyber threats, and this is where Active Defense enhances organizational effectiveness. By employing a deliberate operational cycle to plan, execute, and review intelligence-driven activities to implement targeted countermeasures, fortify defenses and hunt intruders, Active Defense practitioners can provide the organization with the capability to identify and eradicate latent attackers that circumvent traditional security monitoring and target your intellectual property and business systems.
Preparing an Active Defense
- Stage 1 – Identify internal critical assets
First, cyber defenders must understand the organization’s assets that are most coveted by potential attackers. The assets to be defended are generally associated with critical business functions and consist of important applications and systems along with sensitive data repositories.
Relevant assets are those that subject the business to serious consequences should they be manipulated, stolen, or taken offline (such as intellectual property, future innovation, employees’ or customers’ personally identifiable information or payment card information).
- Stage 2 – Add environmental context
Next, defenders must develop an understanding of what “normal” means for the organization’s network, because Active Defense includes strong anomaly analysis and hunting components. Sophisticated attackers can use compromised credentials or illicit accounts and blend with regular user behavior; however, alert and experienced security analysts may recognize malicious activity when they see it, provided they have a model for normal behavior on the network.
- Stage 3 - Identify and profile most likely threat actors
Defenders need an understanding of the threat actors that are likely to target their organization.
Defenders should work closely with threat intelligence providers to paint an accurate portrait of the threat landscape with as much detail as possible. If possible, specific threat actors should be named and analyzed to gain insight that will be leveraged in defensive activities.
- Stage 4 - Conduct Active Defense missions
A key facet of Active Defense is the enhanced operational focus and effectiveness realized through the deliberate planning of Active Defense missions. These missions are planned and executed to proactively defeat specific threat scenarios and uncover hidden intruders in the network; this means that defenders’ time can be spent deterring and defeating the enterprise’s most likely attackers, rather than an undefined or non-specific adversary.
Cyber threat intelligence (CTI) helps lay the groundwork for Active Defense and provides context and guidance during operations. Once likely adversaries have been identified, defenders work with their threat intelligence provider to identify specific tactics via cyber kill chain analysis.
Although Active Defense is inherently adversary focused, it is also tailored for specific defended assets — typically the organization’s most valuable proprietary data and business systems. Besides known tactics, additional data is collected and mapped for relevant threat actors and for each defended asset: this information is supplemented with intelligence about current events in your organization’s industry to determine who is attacking your peers and for what purpose.
EY find that these activities tend to generate the greatest returns:
EY’s Active Defense service
All organizations can benefit from the enhanced operational discipline and adversary focus inherent to EY’s Active Defense service. However, the journey to establishing an effective Active Defense varies for every organization – and EY can help.
The maximum effectiveness from an Active Defense program requires appropriate maturity levels in a range of security competencies, including security operations, security monitoring, asset identification and classification, IT operations, threat intelligence, security architecture and others.
By focusing on an Active Defense capability as a strategic goal, decision makers and security practitioners can engage in meaningful discussion about the steps for organizational improvement that will realize benefits:
- Active Defense provides a defined set of improvement activities rationalized by threat intelligence and security analytics, connected to achievable objectives.
- The security team can build countermeasures, hunt hidden intruders and bolster defenses on the basis of real reporting about the behavior of real attackers.
- Active Defense connects resource deployment directly to measures of cybersecurity program effectiveness.
- Effectiveness is demonstrated via a decrease in successful targeted attacks and a decrease in the time required discovering and eradicating the attacks that were successful.
- Active Defense offers your organization an agile operational cycle designed to achieve rapid results and accelerate learning.
- Cyber threat intelligence (CTI) analysis that yields new insights about adversaries or the enterprise and generates recommendations.
- Active Defense missions focused on hunting or fortification.
By organizing and integrating the organization’s existing security operations, Active Defense enhances security monitoring and incident response, reduces the number of successful targeted attacks and decreases the amount of time that intruders can operate before being ejected from the network.
For more details about how we can help, download the full reportor contact our cybersecurity team.