From reaction to prevention: The evolution of cyber security monitoring.

March 11, 2025

Diego Espitia, Telefónica Tech Colombia

Cyber security has evolved significantly over the last 20 years, since a solution to monitor actions within networks and systems was first mentioned in a Gartner report, which called it SIEM (Security Information and Event Management) and described it as an IT tool to improve vulnerability management.

A few years later, SIEM became the heart of the SOC (Security Operations Center), from where specialized personnel perform all the necessary actions to mitigate threats or anomalous behavior before they become incidents. To do this, they take all reported events, correlate them and detect possible threats or anomalies.

However, despite technological advances and specialized devices that report these behaviors, cyber security incidents continue to increase day after day. This has generated a growing interest in monitoring that is not based exclusively on events or actions that have already occurred in the network, but that incorporates other parameters or perspectives to make detections more efficient and, above all, preventive.

One of the examples that has advanced the most, and has given rise to new disciplines around cyber security and preventive protection, is EDR (Endpoint Detection and Response). The concept emerged in 2010 and materialized in products from 2013 onwards; today it is a vital tool for organizations seeking to adopt a security model that is more proactive than reactive.

EDR (Endpoint Detection and Response) is an essential tool for companies today.

The reason for its importance lies in its ability to investigate directly on devices and to execute predetermined actions based on those detections. However, for this capability to reach its full potential, it requires a set of specific actions and knowledge, which we discuss below.

Knowledge of the operation

As security management service providers, one of the main challenges we face on a daily basis is the lack of knowledge on the part of our customers about the functional details of their technological infrastructure. A clear example is the difficulty in identifying which devices or services are critical to their operation.

Threat monitoring and detection is based on priorities, since it is impossible to analyze the thousands of events per second that can be generated in each of the systems. However, these priorities can only be established through a proper risk analysis and a security plan that defines a clear governance of actions and priorities.

These definitions can be achieved through a specific consultancy for the detection of the “crown jewels” or the identification of priorities and critical information paths. It is possible to implement or improve monitoring mechanisms with this data, as well as use it as input to determine EDR automatic response actions, SOC analysts' responses or, in case of a more serious detection, the activation of DFIR (Digital Forensics Incident Response) teams.

One of Telefónica Tech's global SOCs

Coordination of actions

It is critical that IT and security teams coordinate their actions closely, since EDR monitors and responds directly on each device. This avoids mutual deadlocks and false positives.

Most current EDRs build a baseline of habitual behavior so that automatic responses can focus on actions that deviate from it, immediately alerting on, monitoring or blocking any anomaly. Therefore, if the IT department needs to deploy new software or access a server remotely, this must be coordinated in advance to prevent the EDR from generating unnecessary alerts or blocks.

These actions are refined over time and depend directly on the previous point, where clear guidelines have been established on how to execute cyber security procedures and how each asset has a priority and specific policies to comply with.

Suspect analysis

We began this article by recounting how monitoring technologies emerged and how they have not been enough to contain the growth of incidents. In response to this reality, Threat Hunting was born as a pillar of proactive security: a practice that began as a theory in 2011 and that, since 2017, has become one of the most recommended and widely used, not only in monitoring but also in incident response.

Its application relies heavily on the capabilities that EDR provides within the organization, but it depends above all on the knowledge and skills of the analysts who formulate hypotheses and perform the searches.

This discipline arose to meet the need to detect anomalous behavior beyond what SIEM correlation or configured alerts identify; those alerts require constant tuning to improve, yet never advance at the same rate as the threats.

SIEM has become a critical component of the SOC (Security Operations Center), where specialized personnel mitigate threats before they become incidents.

An alert may, for example, identify a connection with a high data flow to an external service that falls outside the usual behavior of the network. That connection, however, could be the attacker's last step: the exfiltration of information. With Threat Hunting, by contrast, the earlier steps the attacker had to take could be detected through periodic searches, or through hypotheses about suspicious actions derived from knowledge of criminal behavior.
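As an added illustration of the two approaches described above and of the baseline-driven detection mentioned earlier (example code written for this article, not a Telefónica Tech tool or product), the block below builds a per-host baseline of daily outbound bytes from constructed flow records, raises the volume alert on the day the large transfer happens, and then runs a hunt hypothesis over the same data: which hosts contacted that destination on earlier days, regardless of volume? Host names, destinations and byte counts are all constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound flow records: (day, host, destination, bytes_out).
# Days 1-5 form the baseline; day 6 holds the high-volume transfer a threshold
# alert catches; days 3-4 hold small earlier flows to the same destination that
# the threshold alone would never surface.
FLOWS = [
    (1, "ws-01", "cdn.example", 2_100_000), (2, "ws-01", "cdn.example", 1_900_000),
    (3, "ws-01", "cdn.example", 2_300_000), (4, "ws-01", "cdn.example", 2_000_000),
    (5, "ws-01", "cdn.example", 2_200_000),
    (4, "ws-01", "drop.invalid", 250_000),      # low-volume precursor (below alert)
    (6, "ws-01", "drop.invalid", 48_000_000),   # the flow the volume alert fires on
    (1, "ws-02", "cdn.example", 1_000_000), (2, "ws-02", "cdn.example", 1_100_000),
    (3, "ws-02", "cdn.example", 900_000), (4, "ws-02", "cdn.example", 1_050_000),
    (5, "ws-02", "cdn.example", 1_000_000),
    (3, "ws-02", "drop.invalid", 120_000),      # another low-volume precursor
    (6, "ws-02", "cdn.example", 1_020_000),
]

def baseline(flows, last_day):
    """Per-host (mean, population std-dev) of daily outbound bytes for days <= last_day."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, host, _, n in flows:
        if day <= last_day:
            daily[host][day] += n
    return {h: (mean(v.values()), pstdev(v.values())) for h, v in daily.items()}

def alert_deviations(flows, base, day, k=3.0):
    """Event-driven alert: hosts whose outbound total on `day` exceeds mean + k * stdev."""
    totals = defaultdict(int)
    for d, host, _, n in flows:
        if d == day:
            totals[host] += n
    return sorted(h for h, t in totals.items()
                  if h in base and t > base[h][0] + k * base[h][1])

def hunt_precursors(flows, destination, before_day):
    """Hunt hypothesis: who talked to the flagged destination earlier, at any volume?"""
    return sorted({(d, h, n) for d, h, dst, n in flows
                   if dst == destination and d < before_day})

if __name__ == "__main__":
    base = baseline(FLOWS, last_day=5)
    print("alert:", alert_deviations(FLOWS, base, day=6))
    print("hunt:", hunt_precursors(FLOWS, "drop.invalid", before_day=6))
```

The alert only names ws-01 on day 6; the hunt reveals that both hosts had already reached the same destination days earlier, which is the kind of earlier step the article says periodic searches are meant to find.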

Using the knowledge of others

As mentioned in the previous paragraph, knowledge of criminal behavior is an invaluable database. Organizations should value and apply this knowledge in their searches, in both SIEM and EDR, not only to increase detection capability but also to improve response times.

This knowledge base is known as CTI (Cyber Threat Intelligence). Most EDR vendors and security companies have implemented this capability, but not all organizations use or value it as a source of strategic and operational cybersecurity information.

It is vital to know the steps of the different threat actors in order to plan an effective defense. This involves coordinating the security plan mentioned at the beginning, with Threat Hunting searches and automatic responses. All this is provided by CTI, completing the set of capabilities that support proactive monitoring.

Coordinating actions and understanding the operation are essential for establishing priorities and improving monitoring mechanisms.

Conclusions

In an environment where cyber threats are becoming increasingly sophisticated and frequent, traditional monitoring based on reacting to events that have already occurred has proven to be insufficient. Organizations must adopt a proactive approach that allows them to anticipate attacks, rather than simply respond to them.

Tools such as EDR (Endpoint Detection and Response), practices such as Threat Hunting and information sources such as CTI (Cyber Threat Intelligence) have become fundamental pillars for building an effective cyber security strategy. However, implementing them alone is not enough. To reach their full potential, it is necessary to:

  1. Have a thorough knowledge of the technological infrastructure.
  2. Coordinate teams and processes.
  3. Invest in training and talent.
  4. Integrate threat intelligence.

In short, modern cyber security requires a balance of technology, knowledge and strategy. Organizations that manage to align these capabilities with their business objectives will not only be better prepared to face today's threats, but will also be one step ahead in protecting their most valuable assets.

Cyber security is no longer an IT-only issue. It is a strategic priority that must be integrated at all levels of the organization. Is your company ready to make the leap to proactive cyber security?