It has been stated many times that for most companies it's not a question of IF you will be breached, but WHEN. The good news is that being forewarned makes you forearmed. So now that you know, what will you do about it? Doing nothing won't help your company and it won't help your career either.

 An alternative (companion) approach is to accept that some bad actor will make it through any defenses you throw at them. Once you make this mind shift, now you can focus on deploying network security resilience. I have spoken about this topic before and you can read a couple whitepapers (Security Resilience—The Paradigm Shift is Here and Best Practices for Security Resilience) on the topic as well. 

 Network security resilience allows you to create an architecture to minimize the damage and cost that a bad actor can accomplish. The great thing is, there are lots of activities you can implement to help your company out in this area. Here are some examples:

• ​Capture and filter monitoring data, and then send that data to a purpose-built device(s) to look at traffic patterns and indicators of compromise (IOC)
  
• Use automation to improve response times for data captures and limit/prevent exfiltration of data
  
• Use threat simulation capabilities in your security lab to understand better how new threats behave
  
• Thoroughly test your security fixes and run "what if" scenarios to validate that you have the right fix
  
• Conduct ongoing cyber range training to keep IT personnel skills up to date to recognize specific attack signatures and attack vectors faster
  

 The first thing to do is to limit the amount of time of intrusion. The average length of time from intrusion to identification is 191 days, according to the Ponemon Institute's 2017 Cost of Cyber Crime Study. This timeframe needs to be shortened. Just adding taps and a network packet broker allows you to quickly and easily capture and filter key monitoring data. That data can then be sent to a purpose-built device(s) to look at traffic patterns and indicators of compromise (IOC) to limit the amount of time that the intruder goes unnoticed in your network. Even if you reduce the time of intrusion from 191 days to 30 days (which is still a lot), you have decreased the time from intrusion to detection by about 84%.

Application intelligence capabilities (like AppStack) can be used to identify the applications running on your network and the geolocation of data transfers within your network. For instance, maybe there is someone in Eastern Europe that has connected to your network, then connected to your FTP server in Dallas and is transferring data back to Eastern Europe. If you have no authorized users in that geographic area, this is suspicious and could very well be an indicator of compromise. Furthermore, with visual dashboards, it's pretty easy to spot. 

Automation is another key activity. Once the packet broker is installed, you can connect a RESTful interface to a SIEM or other device. This allows those devices to send commands to the packet broker and automate the creation of specific data captures. Eliminating manual intervention delays speeds up data threat identification dramatically. 

 Active SSL decryption is another activity that should be considered. While there is some effort involved to set this capability up. Over 50% of malware threats are now hidden by encryption. This is a huge potential risk that can be reduced by deploying decryption solutions (like SecureStack).

 Another form of automation is to implement threat intelligence gateways (like ThreatARMOR) that receive constant known bad IP address updates. This means that should a bad actor find a way into the network, a new updated list of known bad IP address may identify communications coming or going to that address and immediately kill that transmission path. So, a bad actor may get in but hopefully you can prevent the ex-filtration of data to that entity. If so, you have now just prevented an intrusion from becoming a breach.

Thank you to Keith Bromely from IXIA for the article