Absence of evidence is not evidence of absence! This aphorism is more than ever valid in Cyber Security, people stating that they never had a breach probably simply do not know that they have been breached.

This presentation given by Luk Schoonaert – Director of Technology @ Exclusive Networks, Value Add Distributor of Emerging Technologies – elaborates on detection techniques and best practices in order to increase incident detection rates and collecting evidence. The importance of detection capabilities on the endpoints (EDR) is explained certainly given the fact that the visibility on network level is decreasing ironically enough due to security evolutions resulting in more and more encrypted network traffic. And moreover, thanks to EDR, response actions (isolation, cleaning) will be much easier since most EDR agents offer this possibility.

But if you want to detect something, you have to know what to look for! If you are only looking for Indicators Of Compromise (IOC), you are looking for artefacts: presence of known malware (signature based) and connections to malicious sites. You are not only reactive but will also miss a lot that is not in your signature or malicious sites databases. A complementary and even better way of working is TTP’s: Tactics, Techniques and Procedures. In an nutshell, TTP is about Behaviour Analysis searching for typical behaviour of intruders but also searching for deviations from the baseline. Machine learning and automation (SOAR) are emerging capabilities in helping here finding the bad guys.

Another dimension in Detection and Response is pro-active versus reactive. Traditional Incident Response is reactive: it is responding to a PIVOT triggered by an alert or an incident. On the other hand, when using Threat Hunting Capabilities, there is no alert, you are looking for a PIVOT, pro-actively. And thanks to a feedback loop, security architects get relevant threat intelligence from security operations to build risk models to evolve the infrastructure, operational capabilities and the overall security posture. And last but not least, to conclude, do not forget to include your business stakeholders in the feedback loop! At the end of the day, the business is responsible for the risk management and has to be in the loop in order to guarantee security by design!

Share this useful content with friends:

Follow us on social networks:

Other blog posts

NIS-2: Where are you?

In December 2020 the European Commission published a proposal to repeal the current NIS Directive (European Directive on Network and Information Systems) and to replace it with a new Directive: the so-called NIS-2 Directive. This post will give an update on the status of negotiations of NIS-2, and will outline the aspects we already know and don’t know about the upcoming Directive’s final form.  

SANS Experience Sharing Event

The Cyber Security Coalition and top cybersecurity trainer SANS Institute joined forces to provide specially needed insights and recommendations on successful cloud security, as well as how to handle cyber security in these times of war.

Privacy Focus Group – Practical AI Use Cases

It is easy to drown in the sea of dire warnings about the danger of AI, in particular to our privacy. The main point is that AI in good trust is possible, but requires solid, long term and well-structured approaches. This session of the Privacy focus group offers some crucial insights and welcome examples.

30 November: Computer Security Day: Ada Lovelace

On computer security day we pay tribute to Ada Lovelace, the forgotten mother of the computer. Often described as the first computer programmer — before computers were even invented — Ada was a real visionary. Imagine what she might have achieved had Babbage actually built his “computer” and she hadn’t died at the age of 36.

Share this useful content with friends:

Follow us on social networks: