In sports, there is a saying that if the opponent cannot score, they cannot win. A similar sentiment works for cybersecurity: If the attacker cannot penetrate your organization, they cannot compromise it.
Taking that a step further, the most effective way to eliminate the possibility of a breach escalating into a business-threatening attack is to stop it before it starts — reduce your attack surface to the minimum you can so you can identify a potential incident before it gets a foothold and eliminate it.
Optimizing prevention
Today, users and data can be anywhere. Users can work from the office, an airport, a coffee shop, or home. Data can reside in the cloud, on a business partner’s network, or on an employee’s mobile device. These factors and more change your attack surface. The volume of attempted and successful breaches is increasing as attackers take advantage of automation, artificial intelligence (AI), and malware delivery platforms in their attacks.
Here are some interesting data points from Sophos’ survey of 5,400 IT and security professionals: 61% of IT managers report an increase in attacks on their organization in the past year. Also, the complexity of attacks is increasing. Adversaries increasingly use sophisticated tactics, techniques, and procedures (TTPs) in their attacks. Some 54% of IT managers say attacks are now too advanced for the IT team to deal with on their own.
This is why optimizing prevention is a vital part of Sophos’ endpoint protection strategy.
They say an ounce of prevention is worth a pound of cure. In the cybersecurity world, preventing a single ransomware attack could result in saving millions of dollars simply by stopping the threat before it even has a chance to enter your organization.
First, you need to reduce the attack surface, removing opportunities for attackers to penetrate your organization. Some examples of how Sophos achieves this are:
- Blocking potentially unwanted applications
- Blocking malicious or suspect websites based on content or URL rating
- Controlling which applications are allowed to run in the organization
- Controlling which devices are allowed on the organization’s network or able to access cloud assets
- Locking down server configurations in a single click
The next step is to prevent attacks from running, using layered protection technologies to stop both the threats and the tactics attackers use, including:
- Artificial intelligence (AI)-based behavior prevention that blocks the unknown based on techniques, behaviors, and anomalies
- Behavior-based anti-ransomware technology
- Exploit prevention that stops the techniques attackers use, protecting against attacks that leverage previously unknown vulnerabilities
Last year’s Kaseya attack is a prime example of the importance of prevention — by the time the attack was detected, it was too late, and the files were encrypted. Not a single Sophos customer with our next-gen endpoint protection correctly deployed had their files encrypted in that attack.
The prevention capabilities in Sophos Intercept X endpoint protection block 99.98% of threats (AV-TEST average score Jan-November 2021). Defenders are then able to better focus on the suspicious signals that require human intervention.
Today’s sophisticated attackers often exploit legitimate IT tools and security holes to penetrate their victim’s network. Every second counts when an adversary is in your environment. Yet all too often, defenders are slowed down by an overwhelming volume of alerts, limited visibility, a lack of insight, and slow, manual processes.
By optimizing prevention, Sophos enables defenders to focus on fewer, more accurate detections and streamline the investigation and response process.
To illustrate the point, I’d like to share data from Sophos Managed Threat Response (MTR), our 24/7/365 managed detection and response (MDR) service. The mean time to detect (MTTD) an attack is less than one minute. Enriched investigation techniques result in a mean time to investigate (MTTI) of 25 minutes, and the mean time to resolution (MTTR) is 12 minutes. This results in a total time from detecting the threat to resolving it of 38 minutes.
Let’s put those 38 minutes into perspective. According to the research firm Statista, the average duration of business interruption and downtime after a ransomware attack is 22 days. And that’s alongside the ever-increasing recovery costs, which have more than doubled in the past year.
Next time we will take a deeper dive into minimizing time to detect and respond.
Stop more threats, faster
In a challenging cybersecurity environment, optimizing prevention and minimizing time to detect and respond leads to much faster remediation of threats. Ultimately, it enables you to achieve better security outcomes.