Petr Springl, Senior Director, Software Engineering at Progress, tells us it’s vital for CISOs not only to defend but to plan for when a threat actor will breach cyberdefences.

As tech environments grow more complex, cybercriminals constantly seek new avenues to break through corporate defences. The National Cyber Security Centre reported that it responded to 50% more nationally significant incidents and three times as many severe incidents in 2024 than the previous year. This means it’s vital for CISOs not only to defend but to plan for when a threat actor will breach those defences.
Organisations require a solution that rapidly detects unusual behaviour, mitigates attacks, expels attackers and enables recovery from any damage caused. Central to this approach is having a unified approach to data security. Organisations using reliable network detection and data protection solutions can better spot and recover from attacks. By leveraging Machine Learning and advanced automation to identify suspicious behaviour, these organisations can reduce the time it takes to detect and recover from threats.
Beyond financial impact: The increasing costs of a data breach
The costs and consequences of a data breach are escalating. According to the annual IBM Cost of a Data Breach Report, the average cost of a data breach in the UK rose to £3.58 million between March 2023 and February 2024 – 5% higher than the previous year.
The disruptive effects of these data breaches on their target businesses are not only driving up costs but are also extending a breach’s after-effects. IBM’s report revealed that a full recovery took more than a hundred days for a majority of breached organisations that were able to fully recover.
Beyond the financial impact of containing the incident, organisations can face the costs of significant IT work needed to investigate the vulnerabilities that led to the breach. There is a hefty price tag to recover damaged systems and heighten security measures to help prevent reoccurrence. There may also be regulatory fines for non-compliance along with costs to rebuild a damaged reputation.
Building a multi-layered cybersecurity defence infrastructure
An effective security architecture must be a complex, multi-layered system designed to improve defences against multiple attack vectors. Since no single solution can provide complete protection, it requires a carefully chosen blend of tools and strategies. Crucially, this must include Network Detection and Response (NDR), Security Information and Event Management (SIEM) systems and additional tools such as traditional border firewalls, intrusion prevention systems (IPS), web application firewalls (WAFs), multifactor authentication (MFA), privileged access management (PAM) and network micro-segmentation. This combination of advanced detection and data protection and recovery solutions creates a robust threat defence.
CISOs should also consider implementing a Zero Trust Network Access (ZTNA) framework and software-defined wide area networking (SD-WAN).
Minimising the attack time
With the average time to detect a breach exceeding 100 days, attackers have ample time to discover and exfiltrate data from a breached network. Therefore, it’s essential to minimise the time attackers have to steal this data. Decreasing the time between network compromise and detection from months to hours is critical to reducing a breach’s impact. This is where an advanced NDR solution comes into play.
When attack activity is detected, the next step is to help prevent lateral movement by the attackers or their software within the network. Once the defenders respond to the attackers with well-prepared incident response plans, teams can swiftly isolate and help remove network threats. This cuts off the attacker’s access and prevents further damage.
Breaking the attack chain
The cyberattack chain, also known as the cyber kill chain, is a framework that outlines the steps or stages involved in a cyberattack. Understanding the cyber kill chain is crucial for effective defence. It occurs in seven stages: recon, weaponise, deliver, exploit, control, execute, maintain.
A toolset that combines early network threat detection with robust data protection and recovery capabilities creates a thorough defence that spans the entire attack lifecycle. This gives backup administrators unprecedented visibility into potential infections, empowering them to take prompt action to help secure systems and data.
This dual-pronged strategy involves:
• Killing the attack in the early stages of the chain
A robust network monitoring tool will leverage its advanced NDR to identify potential threats before they gain traction. With AI-powered analysis of network traffic, this will identify any anomalies that standard security tools may overlook.
A solution with smart prioritisation capabilities will enable security teams to focus on the most critical alerts amidst the noise of regular alerts. Automated analytics continuously monitor for suspicious network behaviour so even the slightest changes can be detected. This allows you to identify when an attack is in progress so you can contain the breach and minimise its impact.
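As an added illustration of the prioritisation described above (this is example code written for this article, not Progress's own product logic), the block below folds repeated alerts for the same host and detector into one entry and ranks them by a risk score that weights detector severity and confidence by how critical the affected asset is. The alert fields, the asset inventory, the scoring formula and all sample alerts are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed asset inventory: hostname -> criticality (1 = low, 5 = crown jewel).
# In practice this would come from a CMDB or asset-management system.
ASSET_CRITICALITY = {"dc01": 5, "fileserver02": 4, "backup01": 5, "kiosk-lobby": 1}


@dataclass
class Alert:
    """One raw alert as an NDR detector might emit it (assumed shape)."""
    host: str
    rule: str          # detector name
    severity: int      # 1..10 as reported by the detector
    confidence: float  # 0..1, the detector's own certainty
    ts: int            # epoch seconds


@dataclass
class Triaged:
    """One ranked entry: repeats of the same (host, rule) pair collapsed."""
    host: str
    rule: str
    score: float
    count: int
    first_seen: int
    last_seen: int


def triage(alerts, default_criticality=2):
    """Collapse repeats of the same (host, rule) pair and rank by risk.

    score = severity * asset criticality * confidence, so a medium-severity
    hit on a domain controller outranks a high-severity hit on a lobby kiosk.
    Hosts missing from the inventory get a default criticality so an unknown
    asset is never silently scored as zero.
    """
    groups = {}
    for a in alerts:
        key = (a.host, a.rule)
        crit = ASSET_CRITICALITY.get(a.host, default_criticality)
        score = a.severity * crit * a.confidence
        g = groups.get(key)
        if g is None:
            groups[key] = Triaged(a.host, a.rule, score, 1, a.ts, a.ts)
        else:
            g.count += 1
            g.score = max(g.score, score)
            g.first_seen = min(g.first_seen, a.ts)
            g.last_seen = max(g.last_seen, a.ts)
    # Highest risk first; ties broken by whichever was seen earliest.
    return sorted(groups.values(), key=lambda g: (-g.score, g.first_seen))


# Constructed sample alerts: a noisy scan on a kiosk, two repeats of a DNS
# anomaly on a domain controller, lateral movement on a file server and a
# low-confidence hit on a host that is not in the inventory.
SAMPLE_ALERTS = [
    Alert("kiosk-lobby", "port_scan", 8, 0.9, 100),
    Alert("dc01", "dns_tunnelling", 5, 0.8, 110),
    Alert("fileserver02", "smb_lateral_movement", 6, 0.7, 120),
    Alert("dc01", "dns_tunnelling", 5, 0.8, 130),          # repeat, folded into the first
    Alert("printer-3f", "new_external_peer", 3, 0.5, 140),  # not in inventory
]

if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS):
        print(f"{t.score:6.1f}  {t.host:<14} {t.rule:<22} x{t.count}")
```

Note that the kiosk alert has the highest raw severity but ranks third once asset criticality is applied, while the repeated domain-controller alert surfaces once, at the top, with a count instead of two separate entries. Any real deployment would tune the weights and the inventory to its own environment.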
• First-class backup and recovery
Modern backup and recovery solutions enable organisations to quickly restore systems and data to a clean state, minimising downtime and data loss after an attack. Every minute of downtime can contribute to significant financial losses.
The most thorough solution will provide backup and recovery across on-premises, cloud and hybrid environments. Its flexible deployment options support virtual machines, containers, physical and SaaS deployments, helping protect an organisation’s data regardless of location. With a recovery orchestration feature, tech teams can automate disaster recovery planning and testing so that they can quickly bounce back, should an incident occur.
Native APIs should allow the recovery system to communicate seamlessly with the advanced network monitoring tool. This means that immediately after a threat is detected, the monitoring tool passes details to the recovery system, including timestamps, IP addresses and hostnames of the affected systems. Any potentially compromised backups, and subsequent backups, are flagged until the issues are resolved.
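The hand-off just described, as an added worked example rather than Progress's own integration code: an NDR detection carrying a timestamp, IP address and hostname arrives at a backup catalogue, which marks that host's backups taken from the detection time onwards as suspect, keeps flagging new backups while the incident is open, and stops once it is resolved. The event and backup shapes, the status values and the scenario data are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Detection:
    """What the NDR tool hands over through the (assumed) integration API."""
    detected_at: int   # epoch seconds
    ip: str
    hostname: str
    rule: str


@dataclass
class Backup:
    backup_id: str
    hostname: str
    taken_at: int              # epoch seconds
    status: str = "clean"      # "clean" or "suspect" (assumed status values)
    reason: str = ""


class BackupCatalogue:
    def __init__(self, backups):
        self.backups = list(backups)
        self.open_incidents = {}   # hostname -> Detection still unresolved

    def ingest_detection(self, det, lookback=0):
        """Flag this host's existing backups taken at or after the detection
        time (minus an optional lookback, since the detection time is only a
        lower bound on when the compromise began) and remember the incident
        so later backups are flagged too. Returns the ids newly flagged."""
        self.open_incidents[det.hostname] = det
        cutoff = det.detected_at - lookback
        flagged = []
        for b in self.backups:
            if b.hostname == det.hostname and b.taken_at >= cutoff and b.status == "clean":
                b.status = "suspect"
                b.reason = f"{det.rule} from {det.ip} at {det.detected_at}"
                flagged.append(b.backup_id)
        return flagged

    def record_backup(self, backup):
        """A new backup completes; flag it if its host has an open incident."""
        det = self.open_incidents.get(backup.hostname)
        if det is not None:
            backup.status = "suspect"
            backup.reason = f"taken while {det.rule} incident on {det.hostname} is open"
        self.backups.append(backup)
        return backup.status

    def resolve(self, hostname):
        """Close the incident so new backups are no longer flagged. Backups
        already marked suspect keep that status until cleared explicitly."""
        return self.open_incidents.pop(hostname, None) is not None

    def latest_clean(self, hostname):
        """Most recent backup still considered clean: the restore point."""
        clean = [b for b in self.backups if b.hostname == hostname and b.status == "clean"]
        return max(clean, key=lambda b: b.taken_at) if clean else None


def run_scenario():
    """Constructed walk-through: three historical backups of fileserver02,
    an NDR detection, one backup during the incident and one after it."""
    cat = BackupCatalogue([
        Backup("fs02-1", "fileserver02", 1000),
        Backup("fs02-2", "fileserver02", 2000),
        Backup("fs02-3", "fileserver02", 3000),
        Backup("dc01-1", "dc01", 3000),   # different host, must be untouched
    ])
    det = Detection(detected_at=2500, ip="10.0.5.23",
                    hostname="fileserver02", rule="smb_lateral_movement")
    result = {}
    result["flagged_on_detection"] = cat.ingest_detection(det)
    result["status_during"] = cat.record_backup(Backup("fs02-4", "fileserver02", 3500))
    result["restore_point_during"] = cat.latest_clean("fileserver02").backup_id
    result["other_host_untouched"] = cat.latest_clean("dc01").backup_id
    result["resolved"] = cat.resolve("fileserver02")
    result["status_after"] = cat.record_backup(Backup("fs02-5", "fileserver02", 4000))
    result["still_suspect"] = sorted(b.backup_id for b in cat.backups if b.status == "suspect")
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that resolving the incident only stops new flags; backups marked suspect during the incident are not cleared automatically, so the last known-clean restore point (`fs02-2` in the scenario) stays visible to the backup administrator until someone verifies the later copies.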
Powerful integration of detection and response
The best approach to counter today’s cyberthreat actors is by implementing next-level threat detection and response. This means unifying security and data recovery to create more seamless and robust cyberdefences and recover data rapidly.
Throughout the detection, cleanup and restoration process, continuously monitoring network traffic with NDR remains vital. This way, an organisation will effectively defend across the entire attack lifecycle, mitigating threats and recovering data rapidly.