How Companies Accelerate Detection and Response

After a network intrusion, it usually takes cybercriminals eleven days to capture or encrypt data, warns Wolfgang Kurz of indevis.

Eleven days… what sounds like the beginning of a horror movie is a frightening reality for many companies, because that is how long cybercriminals usually need these days to capture or encrypt data after breaking into the network. Ransomware groups in particular are succeeding in shortening their value chain more and more. For companies, this means that they must become even better at detection and response.

The ransomware business is paying off. Compared to the previous year, the average ransom paid has almost doubled, rising to around a quarter of a million euros. Other studies focusing on the USA, such as those by Palo Alto Networks, even speak of ransom sums of over half a million dollars.

The booming business model is leading to an increasingly professional industry. Specialized ransomware groups have now formed, each taking on a different task, which massively shortens the value chain. While some develop the malware, others look for worthwhile targets, spy on victims and gain access. They then sell this access in relevant forums on the Darknet. To survive in the race against this highly efficient concept, companies must prepare their systems for detection and response, because the clock is ticking.

MDR guarantees lightning-fast response

To detect cyberattacks in time, companies need to keep an eye on all attack vectors. To this end, many have so far relied on Security Information and Event Management (SIEM). A SIEM collects log data from all connected security systems and analyzes it for discrepancies. The disadvantage of a SIEM is that every single alert has to be checked manually by the security team. This not only costs a lot of time, but also requires specialized know-how. Here, many companies reach their limits. In addition, given the mass of alerts, there is a considerable risk of overlooking dangerous events.

One effective way to reduce false alerts and improve and accelerate threat detection is SOAR (Security Orchestration, Automation and Response). Such a system correlates and analyzes enormous volumes of data within a few seconds. It draws on a wide range of internal and external threat intelligence sources to review and assess information. This way, most false positives can be efficiently sorted out. In addition, SOAR can analyze alerts automatically by applying logic stored in playbooks and processing defined workflows. Within a very short time, the company receives an overall picture of how an attack has proceeded and which systems are infected.
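To make the playbook logic described above concrete, here is an added illustration (not code from indevis or from any SOAR product) of the three steps in miniature: enriching SIEM alerts with a threat-intelligence feed, suppressing allowlisted false positives, and correlating what remains per host into a picture of attack stages and suspected infection. All alerts, indicators, hosts and playbook values are constructed for the example.

```python
from collections import defaultdict
# Constructed SIEM alerts for illustration (hypothetical hosts and indicators).
ALERTS = [
    {"ts": "2024-03-01T08:02", "host": "ws-017", "rule": "dns_query", "ioc": "cdn.example-bad.test"},
    {"ts": "2024-03-01T08:05", "host": "ws-017", "rule": "outbound_conn", "ioc": "203.0.113.7"},
    {"ts": "2024-03-01T08:40", "host": "srv-files", "rule": "lateral_smb", "ioc": "ws-017"},
    {"ts": "2024-03-01T09:10", "host": "srv-files", "rule": "mass_rename", "ioc": None},
    {"ts": "2024-03-01T09:11", "host": "ws-042", "rule": "dns_query", "ioc": "patches.vendor.test"},
]

# Constructed threat-intelligence feed (indicator -> confidence) and an allowlist.
THREAT_INTEL = {"203.0.113.7": 90, "cdn.example-bad.test": 70}
ALLOWLIST = {"patches.vendor.test"}
# Playbook logic: detection rule -> (attack stage, severity 1-5). Assumed values.
PLAYBOOK = {
    "dns_query": ("initial-access", 1),
    "outbound_conn": ("command-and-control", 3),
    "lateral_smb": ("lateral-movement", 4),
    "mass_rename": ("impact", 5),
}

def enrich(alert):
    """Add playbook stage, severity and TI score; flag allowlisted indicators."""
    ioc = alert.get("ioc")
    stage, severity = PLAYBOOK.get(alert["rule"], ("unknown", 0))
    return {**alert, "stage": stage, "severity": severity,
            "ti_score": THREAT_INTEL.get(ioc, 0),
            "false_positive": ioc in ALLOWLIST}

def triage(alerts):
    """Drop false positives, then correlate the rest per host into an attack picture."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        event = enrich(alert)
        if not event["false_positive"]:
            by_host[event["host"]].append(event)
    picture = {}
    for host, events in by_host.items():
        # A lateral-movement alert whose indicator is another monitored host links the two.
        sources = [e["ioc"] for e in events
                   if e["stage"] == "lateral-movement" and e["ioc"] in by_host]
        picture[host] = {
            "stages": [e["stage"] for e in events],
            "max_severity": max(e["severity"] for e in events),
            "source_hosts": sources,
            # Infected if a high-severity stage fired or a high-confidence IoC matched.
            "infected": any(e["severity"] >= 3 or e["ti_score"] >= 80 for e in events),
        }
    return picture
```

Running `triage(ALERTS)` suppresses the allowlisted alert on ws-042 and reports ws-017 progressing to command-and-control and srv-files reaching the impact stage via lateral movement from ws-017.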

SOAR or Managed Detection and Response

However, integrating a SOAR into the existing security infrastructure is no easy task, and such solutions do not come cheap. For individual companies, therefore, the effort and cost are often not worth it, especially since they still need security analysts to continuously monitor, investigate and evaluate the remaining alerts. While an automated response is helpful in some standard scenarios, the majority of measures must be individually coordinated. This is the only way to keep business operations secure.

For these reasons, it is often advisable for companies not to operate their own SOAR. Instead, it makes sense to use a specialized provider for managed detection and response (MDR). These service providers make the SOAR technology available, already employ security analysts with the right know-how, and take over operation and maintenance of the platform. Should an intruder appear on the network, they assist in stopping the attack and taking action. With a lightning-fast security system on the cutting edge of technology, companies then no longer need to fear horror scenarios.


Wolfgang Kurz

Managing Director and Founder, indevis