It’s Cybersecurity Awareness Month! In honor of the theme — Do Your Part. #BeCyberSmart — we’re doing our part by educating organizations and IT teams on protecting themselves. Throughout October, the JumpCloud blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back into the blog this month for new cybersecurity content or check out our archive of existing security articles for cybersecurity insights written specifically for the IT professional.
After much of the business world went remote in 2020, data breaches rose significantly — not just in number, but in cost and impact as well. In fact, IBM found that the average data breach now costs $4.24 million.
The same study found that data breaches take an average of 212 to detect and another 75 days to contain. So if there are any hackers currently on your network, chances are, they know what you did last summer. And even though they probably won’t mail you ominous letters or carry a hook for a hand à la the classic ‘90s slasher flick, they can still wreak havoc on your business.
That’s because, in the 212 days they sat on your network undetected, they had been watching, waiting, and learning. This time window, called the breach detection gap, indicates a problem in the way companies monitor and detect threats on their network.
Why don’t companies notice breaches sooner? How can they protect themselves against breaches and detect them when they occur? In this blog, we’ll explore causes of the breach detection gap, what can happen when a hacker infiltrates your network without your knowledge, and how to better detect and protect against breaches.
Breach Detection Gap Driving Factors
The breach detection gap is the result of both stealth on the hacker’s part and failed detection on the company’s part. Sometimes, hackers choose to wait quietly once they’ve compromised a network to avoid detection. Other times, they may be working in the background and the network failed to detect the threat. Let’s explore each scenario.
- Gathering intelligence. If your SIEM solution is well-configured, hackers won’t have much time between making their breach known and accomplishing their objectives — i.e., stealing as much data as they can. Therefore, hackers sometimes wait to take action once they gain access to your network. By waiting, they can monitor your network and gather intelligence on your security systems, data, network pathways, and more. Hackers can use this information to position themselves for an advantageous attack once they strike.
- Failed detection. Sometimes, hackers act quietly in the background, and companies fail to detect it. This can be due to a number of factors, but they usually come down to poor security, monitoring, or detection.
Why Do Companies Fail to Detect Breaches?
The rise of remote work and the novelty of distributed infrastructure generated infrastructure complexity that hackers have learned to use to their advantage. Because the shift to remote work was rushed for many at the onset of the pandemic, many IT teams are still ironing out the kinks. Hackers are aware of some common remote infrastructure issues and have learned to exploit them, both for initial infiltration and to fly under the radar once inside the network.
In particular, some of the complicating factors that make it difficult to detect breaches include:
- Increasingly complex networks. The integrations and automations that remote infrastructures require add layers of complexity to the network. IT teams that aren’t familiar with this new infrastructure format inside and out may be apt to miss an indicator of compromise (IoC).
- Failure to understand IoCs. Security solutions and IT teams alike may not be primed to be able to correctly identify IoCs within their newly remote environments — e.g., they may be erroneously labeled as non-threatening or low priority. For IT teams, correctly identifying IoCs takes a deep understanding of the network infrastructure as well as diligent training. When it comes to security solutions, they need to be robust, layered, and unified. Many companies are turning to identity-driven policies to govern network access and a Zero Trust approach (detailed below) rather than traditional perimeter-based security.
- Lower IT bandwidth. When the world went remote, IT teams were faced with a deluge of challenges, many of which they’re still working to overcome. One of these was their decreased efficiency that came from the initial switch to remote work. When paired with the increase in end-user requests also brought on by employees adjusting to remote work, IT teams found themselves pulled in many directions and less able to devote sufficient time to monitoring their network.
- Lack of unified oversight. In a distributed environment, security isn’t reliable when siloed. Instead, companies need to make sure their security spans the entire network, viewing it holistically instead of a conglomeration of individual applications.
How to Improve Detection
Whether a hacker infiltrates your network, either waiting or jumping into action, your systems need to be able to immediately detect the threat and alert you to it, stop it if possible, and mitigate the threat if not. The following approaches and solutions help IT teams set up a system capable of doing so.
Zero Trust Security
Zero Trust, considered a must in today’s modern business environment, is the modern-day response to outdated perimeter-based security: once the physical perimeter dissipated, so did the efficacy of traditional security. In its place, Zero Trust security always prescribes verification before authorization, a principle summed up by the Zero Trust mantra: trust nothing; verify everything.
With Zero Trust, users, devices, and networks must be verified with approaches such as multi-factor authentication (MFA) rather than a simple username/password before they’re granted access to their resources. This is true of all login attempts, not just initial network access, which helps prevent lateral movement in the event of a breach. Identity-based policies bolster this effort, ensuring users are only assigned access to the resources they absolutely need and automating role-based authorization.
Monitoring and Reporting Tools
Monitoring and reporting tools should approach the infrastructure holistically rather than application by application. They should be able to deliver insights on device, user, and network status and activity, drilling down to granular insights and reliably flagging suspected IoCs.
Insights are best delivered as part of a unified directory, where the directory that manages all of the organization’s users, devices, networks, and resources can report on their activity holistically, adding context and aiding in analysis. For example, JumpCloud®, a cloud directory platform, offers Directory Insights that report on every identity, device, and resource in your organization. It gathers them into contextualized and manipulable reports that allow for quick analyses as well as detailed drill-downs.
Unified Directory
As organizations bring on more applications and technology to accommodate remote work, IT needs to keep all the moving pieces unified. While traditional directories tend to stick to on-premise resources and fail to unify a largely cloud-based infrastructure, cloud directories are emerging to fulfill this need.
JumpCloud, for example, is a Zero Trust platform that can unify everything from users to all of their applications, controlling access, identity, security, and insights in a single platform. See how it works in our free demo.
Next Step: Establish Zero Trust
Even with the right detection tools, your organization is at risk of compromise if it’s still operating on a perimeter-based security model. The first step to achieving better security is to transition to a Zero Trust model — especially for companies working with remote or hybrid-remote teams in distributed environments. To learn more about how to get started with Zero Trust, download the free whitepaper, Zero Trust Security: A Transformative Way to Secure Your Hybrid Workspace.