Why Is Speed Important?
Speed is essential in incident response, “because the longer it takes for us to identify and respond to a threat, the more time somebody has to get into the network, to conduct reconnaissance, and to plan and execute an attack,” McLaughlin says.
Mardock points to an industry definition called “breakout time,” which is the time it takes the attacker to pivot off of a phishing attack or other entry point and start moving laterally through an organization. “That number is now under two hours,” she says. “We don’t have days. We have hours to respond.”
The longer an attacker can loiter undetected, “the more they can take, the more they can destroy,” McLaughlin says. “A 2022 survey by IBM and the Ponemon Institute showed the amount of time people are in the network is really problematic right now. It takes about 243 days to identify a potential breach in the worst-case scenarios.”
What Technologies Can Improve It?
A number of tools and technologies can improve detection and accelerate response times.
“It starts with having endpoint detection and response. These aren’t just desktop and laptop endpoints. Servers can also be considered an endpoint,” McLaughlin says. For all these, EDR tools “focus on detecting, investigating and mitigating activities on those individual host devices. That’s really important, especially when you find a tool that can do automated notification and automated response.”
It also helps to use a security information and event management [SIEM] system to aggregate incoming data and identify threats, she says.
Mardock uses the built-in Microsoft Defender with Advanced Threat Detection. “We’ve turned all sorts of things on, including tamper protection and the associated urgent notifications whenever someone tries to disable it, even someone with admin rights,” she says.
“We are also fond of honey pots or decoys, which provide early warnings when the attacker starts snooping for internal targets,” she says. This strategy involves “planting little land mines, like fake password files or fake services that they might be interested in compromising. The moment they touch those files, it lets you know.”
What Are Best Practices for Threat Detection and Response for K-12?
For Mardock, it starts with limiting user rights. “Unfortunately, a lot of schools allow people to have admin rights on the machines. That’s a big no-no,” she says.
She also urges districts to invest in automation to support 24-hour coverage. “We’re starting to leverage that ourselves with SOAR [security orchestration, automation and response] tools that remotely disable machines or accounts that misbehave, until we can follow up,” she says. “Basically, shoot first and ask questions later.”
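To make the decoy and automated-containment ideas above concrete, here is an added sketch, not code from the article or from either district. It scans file-access events for any touch of a planted decoy file and plans the "disable first" actions a SOAR playbook would take. The log schema, file paths, account names and action names are all constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Constructed decoy paths: no legitimate user has a reason to open these.
DECOYS = {r"c:\shares\it\passwords.xlsx", r"c:\shares\finance\vpn-creds.txt"}
# Assumed service accounts that read every file (e.g. backup) and would false-alarm.
EXPECTED_READERS = {"svc-backup"}

# Constructed sample events in a hypothetical JSON-lines audit format.
SAMPLE_LOG = r"""{"ts": "2024-03-04T02:11:09Z", "host": "LAB-PC-14", "user": "jdoe", "action": "read", "path": "C:\\Shares\\IT\\lesson-plans.docx"}
{"ts": "2024-03-04T02:30:00Z", "host": "FS01", "user": "svc-backup", "action": "read", "path": "C:\\Shares\\IT\\passwords.xlsx"}
{"ts": "2024-03-04T03:02:41Z", "host": "LAB-PC-22", "user": "tsmith", "action": "read", "path": "C:/Shares/IT/PASSWORDS.xlsx"}
not json
{"ts": "2024-03-04T03:02:55Z", "host": "LAB-PC-22", "user": "tsmith", "action": "read", "path": "C:\\Shares\\Finance\\vpn-creds.txt"}"""

def normalize(path):
    """Windows paths are case-insensitive and accept either slash direction."""
    return str(PureWindowsPath(path)).lower()

def find_decoy_touches(log_text):
    """Return (ts, host, user, path) for every unexpected access to a decoy."""
    alerts = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            ts, host, user = ev["ts"], ev["host"], ev["user"]
            path = normalize(ev["path"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed or incomplete event: skip it, keep monitoring
        if path in DECOYS and user not in EXPECTED_READERS:
            alerts.append((ts, host, user, path))
    return alerts

def plan_containment(alerts):
    """One disable/isolate action per account and host, in first-seen order."""
    actions = []
    for _ts, host, user, _path in alerts:
        for action in (("disable_account", user), ("isolate_host", host)):
            if action not in actions:
                actions.append(action)
    return actions

if __name__ == "__main__":
    hits = find_decoy_touches(SAMPLE_LOG)
    for action, target in plan_containment(hits):
        print(f"{action}: {target} (pending analyst follow-up)")
```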
McLaughlin says it makes sense to automate as much as possible. “It can require a bigger time investment up front to set up automation correctly, but it pays off in the long term because you’re not doing a bunch of manual repetitious work all the time,” she says.
“I would also suggest collaborating with others,” McLaughlin says. “If you can leverage your education service district or a partner organization that can work with multiple districts, that could be a really good opportunity to draw from each other’s capabilities and not have to reinvent the wheel in each organization.”