Endpoint Detection & Response and the Feedback Loop – Webinar 25 November 2020
25 November 2020 – Cyber Security Coalition
Absence of evidence is not evidence of absence. This aphorism is more valid than ever in cyber security: organisations that state they have never had a breach probably simply do not know that they have been breached.
This presentation, given by Luk Schoonaert, Director of Technology at Exclusive Networks (a value-add distributor of emerging technologies), elaborates on detection techniques and best practices for increasing incident detection rates and collecting evidence. It explains why detection capabilities on the endpoints (EDR) matter so much: visibility at the network level is, ironically, decreasing as a result of security improvements, because more and more network traffic is encrypted. Moreover, EDR makes response actions (isolation, cleaning) much easier, since most EDR agents offer this capability.
But if you want to detect something, you have to know what to look for. If you only look for Indicators of Compromise (IOCs), you are looking for artefacts: the presence of known malware (signature-based) and connections to known malicious sites. This is not only purely reactive, it also misses everything that is not yet in your signature or malicious-site databases. A complementary and even better way of working is based on TTPs: Tactics, Techniques and Procedures. In a nutshell, TTP detection is behaviour analysis: searching for behaviour typical of intruders, but also for deviations from the baseline. Machine learning and automation (SOAR) are emerging capabilities that help find the bad guys here.
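To make the IOC-versus-TTP distinction concrete, here is an added example (not code from the webinar or from Exclusive Networks) that runs both kinds of logic over a few constructed endpoint process events. The IOC feed, the per-host baseline and the telemetry are all made up for illustration; the TTP rules (an Office application spawning a shell, an encoded PowerShell command line, an image never seen on that host before) are generic behavioural patterns, not anything specific the presentation lists.

```python
"""Constructed endpoint telemetry: IOC matching versus behavioural (TTP) rules.

All indicators, baselines and events below are made up for the example.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent: str          # parent process image name
    image: str           # process image name
    cmdline: str
    sha256: str
    dest_domain: str = ""  # outbound connection seen for this process, if any


# Constructed IOC feed (hypothetical values, not real indicators).
IOC_HASHES = {"a" * 64}
IOC_DOMAINS = {"bad.example"}

# Constructed per-host baseline: images normally observed on each host.
BASELINE = {"ws01": {"explorer.exe", "winword.exe", "outlook.exe", "chrome.exe"}}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def ioc_matches(ev: ProcessEvent) -> list[str]:
    """Artefact-based detection: only fires on indicators we already know."""
    hits = []
    if ev.sha256 in IOC_HASHES:
        hits.append("ioc:known_hash")
    if ev.dest_domain and ev.dest_domain in IOC_DOMAINS:
        hits.append("ioc:known_domain")
    return hits


def ttp_matches(ev: ProcessEvent) -> list[str]:
    """Behaviour-based detection: fires on how the process behaves, not on what it is."""
    hits = []
    # Technique: document/mail client launching a scripting host or shell.
    if ev.parent in OFFICE_APPS and ev.image in SHELLS:
        hits.append("ttp:office_spawns_shell")
    # Technique: PowerShell started with an encoded command (-enc / -EncodedCommand).
    tokens = ev.cmdline.lower().split()
    if ev.image == "powershell.exe" and any(t.startswith("-enc") for t in tokens):
        hits.append("ttp:encoded_powershell")
    # Deviation from baseline: an image this host has never run before.
    # This is a hunting lead rather than an alert on its own; it is noisy.
    if ev.image not in BASELINE.get(ev.host, set()):
        hits.append("ttp:not_in_baseline")
    return hits


def evaluate(events: list[ProcessEvent]) -> list[dict]:
    """Run both detection styles over every event and report the hits side by side."""
    return [
        {"image": ev.image, "ioc": ioc_matches(ev), "ttp": ttp_matches(ev)}
        for ev in events
    ]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Fresh, never-seen binary dropped by a macro: no IOC hit, three TTP hits.
    ProcessEvent("ws01", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", "b" * 64),
    # Known browser talking to a listed domain: IOC hit, no behavioural anomaly.
    ProcessEvent("ws01", "explorer.exe", "chrome.exe", "chrome.exe", "c" * 64,
                 dest_domain="bad.example"),
    # Ordinary activity: nothing fires.
    ProcessEvent("ws01", "explorer.exe", "chrome.exe", "chrome.exe", "c" * 64),
]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(row)
```

The first event is the point of the passage: its hash and its (absent) destination are unknown to the IOC feed, so artefact matching stays silent, while the behaviour of the process gives three independent reasons to look at it. The baseline rule deliberately fires on the same event too, showing why "deviation from the baseline" is a hunting lead that needs the stronger TTP rules, or an analyst, to confirm it.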
Another dimension in detection and response is proactive versus reactive. Traditional incident response is reactive: it responds to a pivot point handed to it by an alert or an incident. With threat hunting capabilities, on the other hand, there is no alert; you go looking for that pivot point proactively. Thanks to a feedback loop, security architects then receive relevant threat intelligence from security operations, which they use to build risk models and to evolve the infrastructure, the operational capabilities and the overall security posture. And last but not least, do not forget to include your business stakeholders in that feedback loop. At the end of the day, the business is responsible for risk management and has to be in the loop in order to guarantee security by design.