The Business Case For Breach Detection Systems

Lorna Fimia

A breach detection system (BDS) is a defensive tool designed to detect the activity of malware inside a network after a breach has occurred. A BDS can be either a hardware or software solution designed to look out for signs of threats and alert the organization to the potentially dangerous activity.

Unlike tier 1 security, such as a firewall or an intrusion prevention system, which scans incoming traffic, a breach detection system focuses on malicious activity within the network it protects, using methods such as traffic analysis, decoy deployment, and violation reporting.


Business Benefits – The Case for Breach Detection

The more data you have, the more attractive a target you become. A breach detection system helps protect against Advanced Persistent Threats (APTs), a major concern for enterprise IT because APTs are designed to infiltrate systems undetected.

Without a breach detection system, it is much easier for an intruder to move laterally within a network. Compared to traditional perimeter-based security, a BDS is capable of detecting malware and malicious actors already inside the network.

The use of BDS represents a shift in philosophy from the idea of preventing every intrusion to realising that intrusions will happen and focusing on catching those intrusions sooner.

The elapsed time between a threat actor gaining control of a device inside your network, and the breach being detected, is called the dwell time. An attacker, with an abundance of time, can systematically exfiltrate databases of credit cards and personal information with stealth, and may even be able to escape undetected.

Data breaches are a fact of life in modern information technology, but the mean dwell time is increasing, rather than decreasing, each year. If we could reduce the dwell time from the current average of 146 days to hours or even minutes, that would significantly reduce the number of data records removed. In turn, this reduces the risk to data subjects, subsequent compensation claims and regulatory fines for breaches of data protection.

How to Reduce the Dwell Time and Collateral Damage

The dwell time should be as short as possible, preferably zero seconds!

One way to reduce dwell time is anomaly detection. A machine learning system first watches the network for a learning period to establish what ‘normal’ behaviour looks like. After this period, anomalous behaviour is easy for the system to spot, greatly speeding up detection. This automated technique also helps detect less obvious attacks. For example, slow-rate or ‘low and slow’ attacks, which involve traffic at a seemingly legitimate rate, commonly infiltrate a network unseen. Automated systems are much better at picking these up because they have far more contextual knowledge about the network.
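The learn-then-compare idea above, as an added example that is not part of the original article or any vendor's product. A simple per-host statistical baseline (median and median absolute deviation) stands in for the machine learning model; the host names, sample rates and both thresholds are constructed assumptions. It shows a slow-rate increase that a fixed-rate rule misses but a per-host baseline catches.

```python
from statistics import median

STATIC_LIMIT_MB = 100.0  # assumed fixed alert threshold, MB per hour
Z_LIMIT = 6.0            # assumed limit on deviation from a host's own baseline

# Constructed learning-period samples: outbound MB per hour for each host
HISTORY = {
    "ws-042": [1.8, 2.1, 2.0, 2.4, 1.9, 2.2, 2.0, 1.7],
    "backup-01": [78, 82, 80, 85, 79, 81, 83, 80],
}
# Constructed observations taken after the learning period
OBSERVED = {"ws-042": 6.5, "backup-01": 86.0, "printer-07": 0.3}

def learn_baseline(history):
    """Summarise each host's normal rate as (median, median absolute deviation)."""
    baseline = {}
    for host, samples in history.items():
        med = median(samples)
        mad = median([abs(s - med) for s in samples])
        baseline[host] = (med, max(mad, 0.1))  # floor keeps flat hosts from dividing by zero
    return baseline

def classify(baseline, observed):
    """Return {host: verdict} using each host's own baseline, not a global limit."""
    verdicts = {}
    for host, value in observed.items():
        if host not in baseline:
            verdicts[host] = "no-baseline"  # never seen while learning: review separately
            continue
        med, mad = baseline[host]
        z = 0.6745 * (value - med) / mad  # robust z-score; one-sided, increases only
        verdicts[host] = "anomalous" if z > Z_LIMIT else "normal"
    return verdicts

def static_alerts(observed):
    """Hosts a fixed-rate rule would flag, for comparison."""
    return sorted(h for h, v in observed.items() if v > STATIC_LIMIT_MB)

if __name__ == "__main__":
    print("fixed threshold:", static_alerts(OBSERVED))
    print("baseline:", classify(learn_baseline(HISTORY), OBSERVED))
```

The workstation sending 6.5 MB per hour stays far below the fixed limit yet is roughly three times its own norm, while the backup server's much larger volume is within its usual range.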

Another approach is to configure and deploy decoy detection devices throughout your network. For example, the activereach BDS allows you to configure appliances (physical or virtual) to mimic one of dozens of computing devices e.g. a Windows file server, a router, or a Linux web server. Each one hosts realistic services and looks and acts like its namesake. Attackers may, for example, browse Active Directory for file servers and explore file shares looking for documents, try default passwords against network devices and web services, or scan for open services across the network. When they encounter the breach detector, the services on offer are designed to solicit further investigation, at which point the breach detector signals an alarm.
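The alerting logic a decoy relies on, sketched as an added example that is not activereach code or part of the original article: because no legitimate user has a reason to contact a decoy, any flow towards one is worth an alert. The decoy addresses, the allowlisted scanner address, the flow-record format and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed decoy inventory: address -> device the decoy mimics
DECOYS = {
    "10.0.5.20": "Windows file server",
    "10.0.5.21": "router",
    "10.0.9.80": "Linux web server",
}
# Assumed allowlist: sources expected to touch every address, e.g. an authorised scanner
EXPECTED_SOURCES = {"10.0.1.250"}

# Constructed flow records: timestamp, source, destination, destination port
SAMPLE_FLOWS = """\
2024-03-04T09:12:01 10.0.2.15 10.0.3.10 443
2024-03-04T09:14:37 10.0.2.77 10.0.5.20 445
2024-03-04T09:14:52 10.0.2.77 10.0.5.21 23
2024-03-04T09:15:03 10.0.1.250 10.0.5.20 445
2024-03-04T09:15:40 10.0.2.77 10.0.9.80 80
truncated record
2024-03-04T09:20:11 10.0.2.31 10.0.3.10 445
"""

def decoy_alerts(flow_text):
    """Group decoy contacts by source: first contact time and personas/ports touched."""
    hits = defaultdict(lambda: {"first_seen": None, "touched": set()})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip records that do not parse
        ts, src, dst, port = parts
        if dst not in DECOYS or src in EXPECTED_SOURCES:
            continue  # production traffic, or a source known to sweep the network
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        entry = hits[src]
        if entry["first_seen"] is None or when < entry["first_seen"]:
            entry["first_seen"] = when
        entry["touched"].add((DECOYS[dst], int(port)))
    return {src: {"first_seen": e["first_seen"], "touched": sorted(e["touched"])}
            for src, e in hits.items()}

if __name__ == "__main__":
    for src, alert in decoy_alerts(SAMPLE_FLOWS).items():
        print(src, alert["first_seen"].isoformat(), alert["touched"])
```

A single source touching several decoy personas within a minute, as 10.0.2.77 does in the sample, is a stronger signal than one stray connection and gives responders a first-contact time to work back from.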

Detecting attacks earlier helps to reduce the resulting damage to the system, and potentially prevents any assets being accessed or stolen. This includes attacks through lateral movement within a network, whether from a compromised employee’s credentials or a malicious insider.


Breach detection systems are a great additional security layer for those interested in understanding what’s happening inside their network. In our view, a BDS is essential for those organisations that are regularly targeted and want to catch intrusions as soon as they occur.

For a BDS product, rapid detection and analysis of both successful and attempted breaches are critical in halting the damage caused by potential malware infections or breaches. Compared with other network security options, breach detection systems are a great tool for detecting a host of threats ranging from commodity malware to targeted attacks from state-sponsored threat actors that would otherwise bypass traditional network defences such as next-generation firewalls and intrusion prevention systems.

The activereach HackWatchman™ Breach Detection System is a simple but effective managed alerting service designed to instantly reveal the presence of malicious insiders on compromised networks. If you are interested in finding out more, please see our page on breach detection solutions.