Cyber attacks are no longer unexpected. In fact, just the opposite. Incidents proliferate as threat actors enjoy continued success with phishing and web drive-by attacks. Ever evolving, attackers often shift their approach to fileless techniques using macros and scripts to evade preventive defenses and remain undetected.
Social engineering and business compromise scenarios, no longer the amateurish efforts of yesterday, operate outside the scope of defenses and play on human urgency, expectations, and trusted entities. Not to be forgotten are nation-states and organized crime. Their long-term reconnaissance, quiet entry, and ability to remain below the radar and maintain persistence within targets continue to set a high bar for sophisticated cyber attacks.
While the mindset of security leaders has shifted from keeping bad actors and malware out to realizing that malicious intruders and insiders are operating within environments undetected, organizations remain ill-prepared and hampered in their efforts to enact post-breach detection and response efforts.
As attackers continue to succeed, security leaders have responded by spending millions of dollars to consolidate alerts, events, and logs into SIEMs with little to no improvement in post-breach attack detection or reduction of dwell time. Despite investments in preventive technologies, attackers routinely compromise seemingly secure organizations and steal financial assets, intellectual property, and sensitive data.
The lack of proper tools combined with alert overload, alert fatigue, and manual processes creates a perfect storm wherein the most important alerts supported by content and context within larger conclusions may be missed or, because of limited staff, dismissed. Even more worrisome, the chances are high that hidden threats are already in the organization’s network. Focused human adversaries know how to evade most security and monitoring tools by making their attacks look like normal activity. While organizations want to hunt for unknown threats, the state of being ‘constantly behind’ makes it virtually impossible to get in front of the situation – even if the tools, data, and expertise were available.
It’s well understood that the more accurate the post-breach detection, the faster security teams will be able to address the risk; however, with limited visibility, security teams are unable to detect blind spots and black holes and are forced to act on incomplete or, worse, inaccurate information – leaving organizations open to increased risk and potential data loss or theft.
Maturing Advanced Threat Defense
When it comes to detecting and responding to threats and preventing data loss, speed and accuracy are everything as the machine initially compromised is almost never the one the intruder needs to accomplish his or her objective. The adversary must move laterally, burrowing deep in the network to find desired targets. With an average breakout time of less than two hours from a compromised system to lateral movement, security teams need to be able to quickly detect and respond to attacks that penetrate security defenses and resolve them before they do irreparable harm. However, the gap between time of compromise and time of detection is one of the main failures noted when investigating a breach.
With threat actors claiming victim after victim, it’s obvious that an outdated, fragmented approach to cyber defense is unsustainable. To defend against determined attacks, organizations must mature advanced threat defense capabilities in order to reduce the Mean Time to Detect (MTTD) and apply automation to improve their Mean Time to Respond (MTTR). To that end, industry analyst firm Gartner recommends that IT security leaders shift from prevention-focused defense to one that prioritizes post-breach detection and response and lays the groundwork for threat hunting.
In order to do so, Gartner recommends adopting a curated technology stack from vendors that integrate Network Traffic Analysis (NTA), Endpoint Detection and Response (EDR), and sandboxing; and to consider lean-forward defenses such as deception. In addition to evaluating vendors on their ability to deliver a curated security technology platform, Gartner recommends that enterprises also evaluate vendors on their ability to provide Managed Detection and Response (MDR) services using the same curated technologies.
By adopting an integrated technology stack, organizations can:
- Increase visibility and detection accuracy across networks, clouds, endpoints, and enterprise IoT devices
- Confirm and stop data theft by inspecting the content of all outgoing network traffic
- Achieve deeper insights through consolidated and correlated information that delivers content and context for post-breach detection and response
- Strengthen the security stance by identifying and responding to attacks throughout the attack lifecycle
- Maintain in-house knowledge and control over security technologies for optimal use and advancement of security capabilities
Fidelis Elevate™ – Your Force Multiplier for Automating Detection and Response
Fidelis Elevate™ provides a rich source of metadata for real-time and retrospective analysis by integrating network visibility, network data loss prevention, deception, and endpoint detection and response into one unified solution to deliver automated threat detection and response across networks, endpoints, cloud and enterprise IoT environments. It provides threat visibility and intelligence with content and context to help organizations quickly address cyber attacks across the entire threat lifecycle – from initial intrusion to exploitation to data theft – as well as hunt for unknown threats deep within the network.
Detected threats are presented as a conclusion that was determined by validation from network to endpoint, contextual enrichment, and correlated threat activity to enable the analyst to take rapid, responsive and often automated action. By delivering comprehensive visibility, alert validation, and increased speed to respond, it enables security teams to focus on the most urgent threats and protect sensitive data rather than spending time investigating and triaging thousands of alerts.
Fidelis Elevate includes the following security products, which can be deployed and activated as a complete Elevate platform or individually based on an enterprise’s needs:
- Fidelis Network: Provides unmatched network traffic analysis (NTA) leveraging patented deep session inspection with five locations for sensors (direct, internal, cloud, email, and web) to produce hundreds of metadata attributes about content and context for real-time and retrospective analysis for threat detection, threat hunting, and the detection of data loss and theft.
- Fidelis Endpoint: Provides endpoint detection and response (EDR) for visibility of all endpoint activity with automated script responses, plus the option of endpoint prevention (EPP) on and off networks in a single agent. Real-time detection uses behavioral rules and indicators, while security analysts can also use third-party feeds and custom rules for threat detection, as well as hunt for threats directly on the endpoint, in both the file system and memory, using YARA and OpenIOC.
- Fidelis Deception: Provides a post-breach detection defense with high-fidelity alerts and minimal resources due to automation creating, adapting, and freshening deception layers. Auto-generated decoys and breadcrumbs make deception deterministic, luring attackers from compromised hosts to decoys. Deception also provides detection for legacy systems, shadow IT, and enterprise IoT devices.
Fidelis Managed Detection and Response Service
Fidelis Managed Detection and Response can augment existing SOC operations or act as a trusted security team running the Fidelis Elevate curated security stack and leveraging the DNA of Fidelis’ rich metadata. Fidelis MDR delivers industry-best talent and solutions to proactively hunt for threats, fully investigate, respond to detected threats, and stop attacks and data theft.
The 24×7 Threat Analysis Center is staffed by a team of highly trained security analysts and incident responders who have supported over 4,000 incident response cases and provided expert testimony in more than 100 court cases for commercial and federal clients. Fidelis MDR includes deception to lure adversaries away from critical assets and sensitive data to decoy environments that look and feel real. By ensuring faster threat detection and response to advanced threats and preventing data theft, Fidelis MDR enables organizations to focus on their core business.