17.01.2022 | Bruno Blumenthal
Identify and Protect before Detect and Response
In recent years, it has been recognized that it is no longer enough to simply take preventive protective measures against cyber attacks. The detection of cyberattacks and the rapid response to attacks have increasingly come into focus, not least due to standards such as the NIST Cybersecurity Framework or the ICT minimum standard of the federal government. While it is definitely important and correct to include the detect and respond functions in a cybersecurity strategy, we are now observing a dangerous tendency to neglect the basics in the area of preventive measures.
Identify and Protect as the basis
The NIST Cybersecurity Framework and the ICT minimum standard based on it divide cybersecurity into five functions: Identify, Protect, Detect, Respond and Recover. Appropriate management of cyber risks requires an organization to be active in all five functions. While traditional standards previously emphasized the Identify and Protect functions, the NIST Cybersecurity Framework positions the Detect and Response functions as equivalent to preventive measures. The NIST CSF emphasizes that many good standards already exist for the Identify and Protect functions in particular, which continue to be important and should be applied. In practice, however, important but also somewhat tedious and less attractive cybersecurity topics such as asset management, patch management, system hardening or backup and restore are often treated somewhat neglected. Identity and access management - especially privileged access management and multi-factor authentication - is another essential topic that cannot simply be replaced with measures from the Detect and Response functions. All too often, attempts are made to conceal shortcomings in the Identify and Protect functions with measures from the Detect function. Security solution providers and managed security service providers have jumped on the trend for solutions in the Detect and Response functions and are courting customers by offering new tools (SIEM, EDR, etc.) and services in the Security Operations Center (SOC) area. Neither these new tools nor the SOC services are bad per se. Building up capabilities in the Detect and Response functions is a major challenge, especially for smaller IT organizations with few internal resources - appropriate tools and, above all, services can play an important role here.
However, the efficient outsourcing of parts of the tasks in the Detect and Response functions requires the organization to have a high level of maturity in the basics of cybersecurity. If the basics are lacking, the introduction of new tools and services usually only results in additional work for the organization without a corresponding increase in security. A lack of asset management, for example, means that the detection of security risks is inevitably incomplete and an efficient response to an attack is hardly possible. Knowledge of the criticality of the assets is also necessary in order to prioritize incidents. Applications for detecting unwanted communication connections require knowledge of the legitimate communication connections in an organization. Too many permissions on the clients and servers of an organization allow attackers to act unnoticed because their illegitimate activities can hardly be distinguished from legitimate activities.
Vulnerability scanning is introduced in many organizations as a first detection measure. However, this is of little help if there is no functioning patch management to address the vulnerabilities identified by the vulnerability scanner. As a result, the few available resources are burdened with hundreds, if not thousands, of messages from the service provider. In this case, the SOC no longer helps to detect and ward off specific cyberattacks, but can at most make the weaknesses in the Identify and Protect functions visible. However, there is often a lack of resources to rectify the identified weaknesses because they are occupied with managing the findings of the SOC service.
These are just a few examples that show that efficient and effective cybersecurity with the Detect and Response functions can only be built on a solid foundation. If the Identify and Protect functions are neglected, one can only hope that the SOC service will at least help to make the deficiencies in the defense mechanism and thus the need for action visible to management. However, a direct gain in security cannot be achieved in this way.
Cybersecurity strategy - iteratively from left to right
Appropriate management of cyber risks requires an organization to be active in all five functions of the NIST CSF. However, the cybersecurity maturity of the organization should be increased from left to right. Even if activities are necessary in all functions, it is not advisable to invest too many resources in the Detect function if the Identify and Protect functions still have major gaps. Of course, it is also not expedient to drive the Identify and Protect functions to perfection before implementing initial measures in the Detect function. An iterative approach is required, which increases the cybersecurity maturity of the organization step by step from left to right and in a coordinated manner across the individual functions. It is therefore often simply a matter of setting the right priorities for the further expansion of cybersecurity capabilities. In a targeted cybersecurity strategy, all five functions should be taken into account and weighed up against each other. The current status should be recorded and a target status appropriate to the organization and the current threat situation should be defined. A corresponding roadmap should be developed for implementation that encompasses and coordinates all functions. The following principle applies: do one thing and don’t do another.
