While protective measures help reduce the likelihood of breaches, it’s unrealistic to expect that vulnerabilities will never occur. Attackers are constantly evolving their tactics, and organisations need to operate under the assumption that incidents are inevitable. This is where detect and respond capabilities come into play.
The Secure by Design principle 5 “Build in Detect and Respond Security” emphasises the need for organisations to build security with the understanding that vulnerabilities and incidents are inevitable. This principle highlights the importance of integrating detection, monitoring, alerting, and response capabilities directly into the design of systems and processes.
Detect: The First Line of Defence
An effective detection system is critical for identifying potential breaches early. By employing continuous monitoring and real-time security logging, organisations can gain visibility into their systems and networks. This visibility allows for the detection of unusual patterns or behaviours that could indicate a security incident, such as unauthorised access attempts or data exfiltration.
Real-time monitoring and alerting systems play a pivotal role in enabling organisations to respond swiftly. For example, in a breach involving compromised credentials, real-time detection can immediately notify security teams, allowing them to take action before significant damage is done. Without these capabilities, organisations could go days or even weeks without realising they have been compromised, giving attackers a significant advantage.
Respond: Minimising the Damage
While detection is essential, it must be followed by an equally robust response mechanism. Once an incident is detected, organisations need to have incident response plans in place to contain the threat, mitigate damage, and recover quickly. This involves isolating affected systems, notifying stakeholders, and beginning the recovery process to restore normal operations.
Automated response systems can be a game-changer here. For example, when an anomaly is detected, an automated response can shut down access to critical systems, or redirect suspicious traffic away from sensitive data, all without requiring human intervention. This significantly reduces the time between detection and response, helping to limit the impact of an attack.
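The two ideas above, real-time detection of a compromised-credential pattern and an automated response that fires without human intervention, shown together as an added example that is not part of the original article. The log format, the threshold, and the response hook are assumptions chosen for illustration: a burst of failed logins for one account from one source, followed by a success, triggers containment and a SOC notification.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from the article).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:03Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:05Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:08Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:12Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:15Z auth user=alice src=203.0.113.7 result=OK
2024-03-01T09:01:00Z auth user=bob src=198.51.100.4 result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")
FAIL_THRESHOLD = 5            # failures inside WINDOW before a success counts as suspicious
WINDOW = timedelta(minutes=5)

def run_detector(log_text, respond):
    """Stream log lines; call respond(alert) for each compromised-credential indicator."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unparseable line: a real pipeline would count these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        recent = failures[(m["user"], m["src"])]
        while recent and ts - recent[0] > WINDOW:   # age out failures beyond the window
            recent.popleft()
        if m["result"] == "FAIL":
            recent.append(ts)
        elif len(recent) >= FAIL_THRESHOLD:
            alert = {"user": m["user"], "src": m["src"], "failures": len(recent), "at": m["ts"]}
            alerts.append(alert)
            respond(alert)          # automated response fires without waiting for a human
            recent.clear()
    return alerts

def make_responder(actions):
    """Hypothetical response hook: records the containment steps a real system would execute."""
    def respond(alert):
        actions.append(("lock_account", alert["user"]))
        actions.append(("block_source", alert["src"]))
        actions.append(("notify_soc", f"{alert['user']} from {alert['src']} after {alert['failures']} failures"))
    return respond

if __name__ == "__main__":
    actions = []
    for alert in run_detector(SAMPLE_LOG, make_responder(actions)):
        print("ALERT", alert)
    for action in actions:
        print("ACTION", action)
```

Bob's single successful login produces no alert because no failures precede it; the response hook is where a real deployment would call its identity provider and network controls.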
Case Study: Tesco Bank Cyber Attack
In November 2016, Tesco Bank fell victim to a sophisticated cyber-attack that resulted in the theft of £2.26 million from approximately 9,000 customer accounts. The FCA said that the attack had been largely avoidable, and that Tesco had not responded to it with sufficient rigour, skill or urgency.
The FCA commented: “Cyber security requires resilience. A financial institution’s board is ultimately responsible for ensuring that its cyber-crime controls are designed to meet standards of resilience. The board must set an appropriate cyber-crime risk appetite and ensure that its institution’s cyber-crime controls are designed to anticipate and reduce the risk of a successful attack. Where an attack is successful, the board should ensure that the bank’s response plans are clear, well designed and well-rehearsed and that the bank recovers quickly from the incident. Following an attack the financial institution should commission a root cause analysis and understand and ameliorate the vulnerabilities that made the institution susceptible to the attack to reduce the risk of future attacks.”
Recovery: Preparing for the Future
Cyber security is not just about preventing and responding to incidents but also ensuring that organisations can recover efficiently and continue operations. Building recovery capabilities into security strategies allows organisations to resume operations after a breach without excessive downtime or data loss. This is achieved through regular testing of recovery plans, disaster recovery exercises, and the continual improvement of response processes.
The recovery process provides invaluable insights. Each security incident offers lessons that can be used to iterate on existing detection and response strategies, ensuring that future incidents are managed more effectively. By continually refining these systems, organisations can close weak points where compromises might otherwise go undetected.
Following the attack, Tesco Bank immediately put in place a comprehensive redress programme, devoted significant resources to remedying the deficiencies that had left the bank vulnerable, and instituted a comprehensive review of its financial crime controls. It has since made significant improvements both to its financial crime systems and controls and to the skills of the individuals who operate them.
Conclusion
While preventive measures are still crucial, integrating detection, response, and recovery capabilities ensures that when threats arise, they can be swiftly identified, mitigated, and recovered from with minimal impact.
Organisations that embrace this approach are not only better equipped to handle the inevitable but are also able to continuously improve their security posture through regular testing and iteration. By designing systems that incorporate real-time monitoring, alerting, and response capabilities, they can minimise risks and strengthen their overall resilience in the face of evolving cyber threats.