
This is part 1 of a 3-part series

Maltese sentry tower

Cybersecurity for smaller organizations used to be mostly about having walls to make it difficult for criminals to get in. While high walls still make good sense, attacks have gotten more advanced, making evasion more likely. But today smaller organizations also aren’t as limited.

The role of detection in a security stack

This is a simplification, but think of your organization’s cybersecurity as being about two ideas: detection and defense.

For years, most deployed cybersecurity was defensive. This meant:

  • having reliable backups, for any of the reasons you might lose your data
  • encrypting stored data
  • running antivirus software that the developer kept updated to identify a virus that had entered your systems
  • updating your software (patching)
  • using strong passwords
  • using MFA (multifactor authentication), i.e. a website verifying it’s you by sending you an email or similar

Deployed right, all are valid. In fact, these are considered to be the basic obstacles to criminal intrusion [1]. But they are something like the earlier stone wall in the picture above, before the windowed lookout was added. A wall is tough to penetrate – it represents brute strength. But it’s time for more.

Today, it’s affordable and necessary to add detection-first security. It’s why Bryley has all along pushed for risk assessments and penetration testing – going through these processes shows where your actual weaknesses are, so you can apply brains to fix what is actually likely to go wrong.

In this series we’ll look at both detection and defense approaches to cybersecurity – to find where they can add security and so peace-of-mind to running your computer systems.

Dark Web Monitoring

Dark Web Monitoring may seem simple, but it can hold great value for an organization. At its root, Dark Web Monitoring software is trained on message boards and marketplaces where criminals connect on the internet. The software can be set to find evidence of your organization’s email addresses being traded by the criminals. Email addresses are typically part of stolen databases and often come paired with passwords and maybe more (like usernames or social security numbers).

The reason it’s important to know: a leaked working email address and a password are the criminal’s starting point. Bots are employed to test stolen credentials across millions of sites — banks, cloud accounts, social media. MFA will block many of these. But the email address still has value as attackers use it to build a profile.

Criminal AI tools scrape your company website, LinkedIn and those public data-broker sites. These are stitched together in a spreadsheet with the leaked credentials. The result is enough to impersonate your CFO, a supplier or a colleague by phone or email. It’s convincing when the attacker goes in knowing names, roles and relationships.

This can lead to business email compromise (BEC), with $2.77 billion in losses in the US in 2024 [2].

Security Awareness Training

Tech leaders get fooled [3]. I just wrote about a scam awareness instructor who got fooled [4].

Yes, there are petty con artists, but in many cases, we’re up against professionals with quotas for how much money needs to be collected from us. So they are good at what they do, and what they do is steal.

Every employee needs regular training about the evolving red flags, and to learn disengagement tools to break off the scam before revealing company data.

Employees are the primary entry point for scammers. People get tricked. And it’s getting harder to not be tricked with an internet on which you really can’t believe your own eyes any more.

Security Awareness Training includes classroom sessions, learn-at-your-own-pace cloud-based modules and phishing simulations.

SIEM (Security Information and Event Management)

Many times businesses don’t know they’ve been breached. Discovery happens months later and comes via a third-party notice. The gap between intrusion and detection is when the damage happens: credentials get stolen, data is exfiltrated and/or systems access is sold.

A SIEM system can shut that window of time. It combines logs from across your systems — email, endpoints, cloud apps, your network — and flags what doesn’t seem consistent with normal behaviors. Like a login from an unfamiliar country at 2 AM. Or an employee account retrieving a type of file it hasn’t before.
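
The correlation described above, as an added example (not Bryley’s code or any SIEM product’s): events from several log sources feed a per-user baseline, and new events are flagged when they depart from it. The event fields, source names and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed events, already normalised from separate log sources (assumed field names).
HISTORY = [
    {"ts": "2026-03-02T09:14", "src": "m365", "user": "jdoe", "action": "login", "country": "US"},
    {"ts": "2026-03-03T13:40", "src": "vpn", "user": "jdoe", "action": "login", "country": "US"},
    {"ts": "2026-03-03T14:05", "src": "fileserver", "user": "jdoe", "action": "file_read", "file_type": "docx"},
    {"ts": "2026-03-04T17:52", "src": "m365", "user": "jdoe", "action": "login", "country": "US"},
    {"ts": "2026-03-04T10:20", "src": "fileserver", "user": "asmith", "action": "file_read", "file_type": "xlsx"},
]
INCOMING = [
    {"ts": "2026-03-10T02:07", "src": "m365", "user": "jdoe", "action": "login", "country": "RO"},
    {"ts": "2026-03-10T02:11", "src": "fileserver", "user": "jdoe", "action": "file_read", "file_type": "bak"},
    {"ts": "2026-03-10T11:30", "src": "vpn", "user": "jdoe", "action": "login", "country": "US"},
    {"ts": "2026-03-10T11:45", "src": "fileserver", "user": "asmith", "action": "file_read", "file_type": "xlsx"},
]

def build_baseline(events):
    """Per-user profile of what has been seen before, across all sources."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set(), "file_types": set()})
    for e in events:
        p = profile[e["user"]]
        if e["action"] == "login":
            p["countries"].add(e["country"])
            p["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        elif e["action"] == "file_read":
            p["file_types"].add(e["file_type"])
    return profile

def detect(events, baseline):
    """Return (ts, user, reason) for each event that departs from the baseline."""
    alerts = []
    for e in events:
        p = baseline.get(e["user"])
        if p is None:  # an account never seen before is itself worth a look
            alerts.append((e["ts"], e["user"], "no baseline for user"))
            continue
        if e["action"] == "login":
            if e["country"] not in p["countries"]:
                alerts.append((e["ts"], e["user"], f"login from new country {e['country']}"))
            hour = datetime.fromisoformat(e["ts"]).hour
            if p["hours"] and not min(p["hours"]) <= hour <= max(p["hours"]):
                alerts.append((e["ts"], e["user"], f"login at unusual hour {hour:02d}:00"))
        elif e["action"] == "file_read" and e["file_type"] not in p["file_types"]:
            alerts.append((e["ts"], e["user"], f"first access to .{e['file_type']} file"))
    return alerts

ALERTS = detect(INCOMING, build_baseline(HISTORY))  # three alerts, all on the 02:00 jdoe session
```

A production SIEM builds its baselines over far longer windows and weighs alerts against each other; the point here is only that the 2 AM foreign login and the unfamiliar file type surface together because the sources are read side by side.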

SIEMs were once the strict domain of large corporations’ security teams. But cloud-based SIEMs are now available. And a Managed Services Provider (like Bryley) can handle the monitoring, triage and response, so that visibility into the systems, and the knowledge of what to do with the logged data, is available to smaller organizations at a budgetable monthly cost.

EDR (Endpoint Detection and Response)

EDR is at its roots AI software installed on a desktop or laptop computer that performs real-time analysis of what’s happening on the machine. The AI has the ability, depending on how it’s configured, to stop processes if it deems them dangerous.

Because of the evasiveness of criminal attacks, the presence of an EDR software guardian on employees’ devices is a great advantage over just having signature-based antivirus and anti-malware. These latter two are not obsolete – most attacks are relatively straightforward viruses or malware whose files can be recognized and quarantined. But there are new and emerging attacks that bypass traditional software.

Bryley always installs EDR software tied to its Security Operations Center for efficiency in assessing the nature of the behaviors on the employee device and to get the employee back up-and-running safely and quickly again.

Just as EDR is attuned to endpoints, there is an alphabet-soup’s worth of Detection and Response AIs for protecting networks, M365 and other devices.

Brawn, meet brain

Passwords, software patching, MFA and reliable backups remain the wall. But now attackers aren’t as easily stopped by walls. They wait, test and evade. They work trusted relationships and use human nature against employees to break through.

Detection tools know the criminals by their actions. Responsiveness contains the damage.

And now the detection tools exist so that – for many smaller organizations – better security is within reach. To investigate how detection would strengthen your cybersecurity approach, please call 978•562•6077 or email Bryley’s Roy Pacitto or complete the form, below.

[1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf
[2] https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
[3] https://www.smashingsecurity.com/459-this-clever-scam-nearly-hijacked-a-tech-ceos-apple-id/
[4] https://moneywise.com/news/san-francisco-retiree-lost-500000-life-savings-to-romance-scam

by Lawrence Strauss, March 24, 2026
Lawrence has written for Bryley since 2015. His coverage of cyber-scams appears on moneywise.com
