While 70% of security’s efforts are focused on preventing penetration from occurring, the reality is that penetration can occur within minutes and can be close to impossible to detect. Penetration is inevitable: organized hacking teams have ample time and financial resources to penetrate a network one way or another. Hacking teams maintain a high success rate at network penetration because of their ability to find and exploit even the slightest vulnerability.
It is human nature to accept the most obvious and easy explanation rather than suspecting that something is the result of malicious intent. This tendency often keeps security teams from recognizing a malicious operation within their environment. Assuming that “what you see is what you get” leads to a false sense of security; there is always more to the story.
Remediating security issues as fast as possible is risky because it leaves you unable to understand how they are connected. Attackers often combine many different tools in a single attack, both known and unknown. Furthermore, they deploy decoy attacks and excessive known elements to deceive and distract the defender. It is impossible to understand a hacking campaign if you quickly remediate isolated incidents without deep investigation.
Endpoints are a common penetration point because they are known to be very vulnerable. In addition, with lateral movement in mind, endpoints are a convenient place for a hacker to deploy ‘low and slow’ techniques for persistent threats and learn an organization inside and out. Monitoring your endpoints can allow you to detect a cyber-attack at an early stage, while neglecting them substantially reduces an organization’s visibility.
Although detecting malware is important, malware is only one hacker tool; it is never the only technique deployed. Moreover, many hacking teams avoid deploying malware altogether in order to better evade detection. Remediating malware one piece at a time is not effective: it will not stop a hacker from reaching their target, and it will never give you visibility into the full attack.
More than 50% of organizations report concern that their security solutions produce too many false alerts. In addition, because security talent is scarce, it is impossible for security teams to properly investigate and validate their alerts through a manual process. Excessive alerts are a time sink, desensitizing security analysts and giving no insight into whether an attack is underway.