A Roadmap to Cybersecurity Maturity, Part 1: Am I Breached?

A new report from CrowdStrike® Services titled “Achieving Security Maturity: A Roadmap to Building a Robust Cybersecurity Capability,” examines the characteristics of a mature cybersecurity program — one that allows organizations to safely navigate an increasingly hazardous threat landscape — and provides guidance for how to achieve an optimal level of security maturity for your organization. This report also discusses how to maintain your security program and the importance of continuously improving your capabilities to stay ahead of today’s sophisticated and evolving threats. The journey begins by answering three critical questions: “Am I breached? Am I mature? Am I ready?” In this blog, I will discuss the first question and the factors involved in determining if your organization has been breached.

Am I Breached? — A Critical First Step

As a trusted advisor to leadership teams, CrowdStrike Services recommends making sure your house is clean before you welcome guests. In the same spirit, you want to know if you have a problem before you invest in an improvement plan because ultimately, you may be losing data and money for each day that you’re compromised. Everything else should be viewed as a secondary objective. That’s why the first part of maturing your cyber defenses is to discover if you have already been compromised. And it’s important to not only examine current incidents, but those that occurred previously in your organization. This information will allow you to develop a better sense of self-awareness as well as a strategic approach to your future security program — one that is marked by increased maturity across key functions, and the ability to exercise those capacities on a recurring basis.

A Compromise Assessment Is Key

Undertaking a compromise assessment is key to this endeavor. First and foremost, a compromise assessment is designed to identify current and past attacker activity in an environment. Second, it allows organizations to discover activities that indicate poor IT hygiene, such as cryptomining, extensive use of administrative or security technologies, or non-standard tooling for things such as VPN (virtual private network), remote access or multifactor authentication (MFA). This type of threat-hunting exercise requires experts with the skills and experience gained from many years of hunting and responding to the most sophisticated intrusions around the world, combined with powerful and innovative detection, analysis and forensics tools. All of this is focused on addressing the critical question: “Has my organization been breached?”

Dealing With the Results

When the goal is to find evidence of a breach, organizations should be prepared to deal with that information when it surfaces. CrowdStrike has worked with some organizations that, to put it bluntly, were not prepared to answer the call when the results were delivered. In these situations, customers may have felt that the compromise assessment revealed too much about their security posture — or lack thereof. For others, finding evidence of a targeted attack was the goal, and they then relied on CrowdStrike to support them in removing that threat.

Technology Is Part of a Thorough Compromise Assessment

A side benefit of conducting a compromise assessment is deploying an effective

 

endpoint security technology such as the CrowdStrike Falcon®® platform. When a threat is identified, Falcon provides an organization with near real-time visibility into the malicious actor’s current activities. In addition, Falcon allows organizations to contain these threats more quickly. What takes some organizations weeks or months, Falcon is able to do in days, if not hours: identify the threat, contain the infected machines and leverage prevention policies to keep the attack from recurring. It’s important to make sure you’re working with a provider that not only has the ability to perform incident response (IR) but also has the proper technologies to support it.

The “1-10-60 Rule”

The organizations we work with often ask us what they should aim for in building a mature cybersecurity program. We answer this question by reiterating the importance of speed to remediation and the role breakout time plays in measuring cybersecurity effectiveness. Breakout time is the window of time from when an adversary first compromises an endpoint to when it begins moving laterally across the network. The 1-10-60 rule, which CrowdStrike introduced in 2018, is based on the metrics organizations need to meet to avoid a damaging breach. The rule calls for detecting an intrusion within one minute, determining if it’s a legitimate incident within 10 minutes and deciding on next steps within 60 minutes. Using these metrics as a guideline is your best guarantee of staying ahead of the adversary and stopping a potential breach from occurring. It may not be the right target for all organizations, but it helps gauge the quality of a mature cybersecurity capability. Part 2 of this three-part blog series on cybersecurity maturity will address the question “Am I Mature?”

Additional Resources

Breaches Stop Here