Every day across organizations both large and small, intrusions and breaches happen. Attackers get inside. If the organizations are fortunate, they detect and get them out before they do any damage. They remediate the situation before the intrusion turns into an official breach. But for many less fortunate, when breaches happen they can last for weeks, months, or years under the radar. Once finally discovered, the investigations can be long and painful, and they often get publicized.
We live in a world where attackers appear to have the upper hand and, on some days, even seem to be winning. It's hard to understand the current state of affairs when there is an endless number of cybersecurity vendors, service providers, and experts touting their abilities to secure organizations of all sizes.
There are many promises. Many promote 99.9% accuracy and their ability to stop all breaches. Vendors talk about their solutions having artificial intelligence (AI) and machine learning (ML) to identify unknown threats, but not too many people can really explain exactly how AI and ML work in cybersecurity. There's a lot of hype.
There is not a single vendor on the planet right now that can provide a one-stop shop of world-class technology to prevent and stop breaches. One doesn't exist. Organizations need to be able to choose best-in-class technologies that work well and integrate together no matter what company built them.
Breaches Keep Happening
According to the Identity Theft Resource Center, the landscape has not improved much over the last 15 years. With all of the protection and intelligence available contrasted against successful intrusions and breaches, something is not adding up.
The industry as a whole has not achieved the objective of preventing, or even mitigating, breaches.
We must keep in mind that while intrusions and breaches are a reality, they don't need to be devastating. One of the main reasons they often are so harmful: blind spots.
Despite security controls focused on specific areas of environments such as identity and access management (IAM), endpoint protection platform (EPP), endpoint detection and response (EDR), next-generation firewall (NGFW), data loss prevention (DLP), network detection and response (NDR), and so on, blind spots are still everywhere. All these different security controls are great for looking at the area they're assigned, but if they aren't all talking to each other, organizations are flying blind.
Attackers Love Blind Spots and Credentials
While security teams are chasing false alerts, external attackers are finding legitimate credentials already exposed, and exploiting vulnerabilities that enable them to find credentials from within the environment. Or they're using a large amount of money to entice a legitimate user to share their credentials voluntarily. Once the credentials are in hand, a bad actor can take their time to scour the environment, map sensitive data locations, and quietly create "backdoors" for future use.
If the attacker is more of the "smash and grab" type, they can carry out a flash attack, deploy malware, ransomware, or any number of damaging attacks and watch the chaos ensue.
For those rare trusted employees who go rogue, the path to carrying out a devastating attack is much shorter. With an established presence, legitimate access, and user IDs/passwords already inside the environment, the opportunity to prevent them from carrying out nefarious activities is often nonexistent. The only hope for organizations is the domain of detection and response.
Know Normal, Prevent, and Detect
Security teams need to know what is normal behavior in their organization to quickly identify anything abnormal like the situations mentioned above. Right now, there is still way too much focus in cybersecurity on prevention, and not enough on detection and response. No matter how many prevention tools are in place, attackers are still getting in and insiders are still getting out. Too many security operations teams are still flying blind.
Currently, organizations will continue to experience intrusions and breaches, but the pain and lasting consequences aren't inevitable. By incorporating the ability to determine what normal activity is for users and entities, organizations stand a better chance of detecting the abnormal, uncovering external and insider threats (whether malicious or accidental), turning the tables on the attackers, and mitigating damage. And that's true even as "normal" constantly changes.
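The "know normal, detect abnormal" idea reduced to code, as an added example that is not the author's or Exabeam's: it learns each user's usual hosts and active hours from a constructed window of login events, then flags logins that fall outside that baseline. The event fields, hostnames, and the one-hour slack are assumptions for the illustration.

```python
# Added illustration (not Exabeam's product or the author's code): a minimal
# per-user behavioral baseline built from constructed authentication events,
# then used to flag logins that deviate from "normal" for that user.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthEvent:
    user: str
    host: str
    hour: int  # hour of day, 0-23
    success: bool

# Constructed training window: what "normal" looked like for each user.
BASELINE_EVENTS = [
    AuthEvent("alice", "ws-alice", 9, True),
    AuthEvent("alice", "ws-alice", 10, True),
    AuthEvent("alice", "ws-alice", 14, True),
    AuthEvent("alice", "vpn-gw", 8, True),
    AuthEvent("bob", "ws-bob", 9, True),
    AuthEvent("bob", "ws-bob", 17, True),
    AuthEvent("bob", "file-srv", 11, True),
]

def build_baseline(events):
    """Learn, per user, which hosts they use and which hours they are active."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e.success:  # failed attempts do not define "normal"
            hosts[e.user].add(e.host)
            hours[e.user].add(e.hour)
    return {"hosts": dict(hosts), "hours": dict(hours)}

def score_event(baseline, event):
    """Return the ways this event deviates from its user's baseline ([] = normal)."""
    known_hosts = baseline["hosts"].get(event.user)
    if known_hosts is None:
        return ["unknown user: no baseline"]
    reasons = []
    if event.host not in known_hosts:
        reasons.append(f"first login to {event.host}")
    # One hour of slack either side of the hours seen in the training window.
    if not any(abs(event.hour - h) <= 1 for h in baseline["hours"][event.user]):
        reasons.append(f"off-hours login at {event.hour:02d}:00")
    return reasons

def find_anomalies(baseline, events):
    """Keep only events with at least one deviation, paired with the reasons."""
    return [(e, r) for e in events if (r := score_event(baseline, e))]
```

A real deployment would refresh the baseline continuously, since "normal" drifts, and would weight deviations rather than treat every one as an alert.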
Organizations will win when they know normal and identify what's abnormal — the breach.
About the Author
Gorka Sadowski is Chief Strategy Officer at Exabeam. In his role, Sadowski assists the executive team and functional leaders across the company. Sadowski has more than 30 years of security experience. Most recently, Sadowski was senior director and security and risk management analyst at Gartner. Prior to Gartner, Sadowski led business development at Splunk and built the Splunk security ecosystem. Prior to Splunk, Sadowski established presence for LogLogic in southern Europe, ran security activities for Unisys in France, and launched the first partner-led intrusion detection and prevention system in the industry.