
Why DFIR is the new frontier of cybersecurity


The business case for DFIR

It’s time to reassess what you think you know about digital forensics. It is no longer just a post-mortem investigation, no longer something done only to generate legal reports, no longer a matter of reviewing individual hard drives. It is now a daily function: a proactive, ‘always-on’ capability every business needs. It has been reborn as next-gen DFIR. And SOCs using these platforms are saving millions of dollars per year, not just by avoiding breach costs but by driving automation and efficiency throughout their security posture.

DFIR, working in concert with XDR/EDR, SOAR and SIEM, is the next paradigm of cyber security. And this is not hyperbole. Without it, organizations are forced to:

  1. Continually spend more on their defenses to keep pace with cybercrime (typically increasing their investment by about 15% every year) [3]

  2. Continue to suffer costly attacks (IBM found that 83% of breached enterprises in 2022 had suffered more than one breach, and that the average cost per breach was $4.35m) [2]


DFIR Guide

If you want to learn how Binalyze AIR can help with your incident response processes, download our DFIR Guide.


The status quo

Let’s dig into the status quo. The majority of these breached enterprises will have a CISO, a SOC, and the latest EDR/XDR, SIEM and SOAR technologies. Yet they are (and will continue to be) breached: no combination of these tools and their accompanying processes can create an impenetrable fortress.

The sheer volume of (increasingly AI-enabled) attacks, coupled with the continual evolution of attack vectors (in ease, volume, novelty and sophistication), makes 100% protection impossible. Consider that:

  1. Organizations suffer over 1,100 attacks per week [1]

  2. Attacks continue to grow (in 2022 at a rate of 57% in the US and 77% in the UK) [1]

  3. Even if an enterprise prevents 99.9% of these attacks, that still leaves roughly one breach a week

  4. If it stops 99.99%, that is still about six breaches a year. 99.999% stopped? That is still a breach roughly every two years, and with attacks growing at the current rate that soon becomes one a year, then two, then four…

The investment needed to move from 99.9% to 99.99% is phenomenal. And breaches still happen, each one costing on average $4.35m, or $9.44m in the US [2].

It’s an arms race

The reason is clear: classic arms-race dynamics, with both sides spending more (on better weapons and better armor) to, at best, maintain the status quo. In 2022 organizations spent around $260bn annually on defenses, while adversaries inflicted cybercrime costs of around $7tn. Both figures continue to rise in lockstep, at roughly 15% a year [3].

But what if the truism driving this dynamic (that the defender needs to be successful 100% of the time, while the attacker only needs to succeed once) could be flipped? What if there were a technology and an approach that meant it was now the attacker who had to be perfect every time, and not the enterprise?

The route to this breakthrough lies in a steadfast acceptance that there will be a breach. With this acceptance comes a new way of thinking: by focusing on what happens after the initial compromise, it is possible to build mechanisms that neutralize the breach before any damage is done.

It is easy to see the potential of this approach: in 2022 the average time to identify and contain a breach was 277 days (207 to identify, 70 to contain) [2]. In 2016 it was 271 days. Three striking things stand out:

  1. A breach lifecycle is very long

  2. There is enormous potential to reduce the cost of a breach by reducing its lifecycle

    • If the cost is $0 on day 1 and $4.35m on day 277, time really matters, and there is a lot of scope to reduce that time

  3. There has been no meaningful change in this lifecycle over the last six years

Why has nothing changed? Because vendors of cybersecurity technology don’t develop their products on the understanding that there will be a breach. They are developed to stop the breach.

Doing otherwise goes against their raison d'être, and would require a fundamentally different technology and engineering approach. To see this, consider how little effect best-in-class solutions and processes have on the length of a breach lifecycle [2]:

  1. Security AI and automation fully deployed: 249 days (vs. 323 without)

  2. XDR fully deployed: 275 days (vs. 304 without)

  3. Cloud security model at high maturity: 237 days (vs. 345 where not started)

Time for a DFIRent approach

None of these technologies and approaches is meaningfully moving the needle on breach lifecycles, and therefore on costs, because that is not what they are trying to do.

This was the gap that Binalyze was born to fill, and in doing so, created the new category of next-gen DFIR.

By integrating with existing SOC tools and automating existing SOC processes, Binalyze’s DFIR platform, AIR, adds a resilience capability to the existing security capability.

Digital forensics used to be a reactive post-mortem activity. With Binalyze’s AIR platform it becomes a daily practice and an automated, proactive capability. This became possible when Binalyze condensed what used to be a two-day exercise (generating a forensic report) into about 10 minutes: 10 minutes for fully automated remote collection of over 350 evidence types, reaching back to the device’s original installation date. Can a monitoring solution do that? No, and it was never built to.

Armed with this foundation of digital forensic data, a large set of entirely new automated and proactive use cases opens up. For instance, you can:

  1. Scale: Enable a team of 3 SOC analysts to deliver what currently takes a team of 10, by automating forensic processes and eliminating false-positive EDR/XDR alerts

  2. Find: Uncover undetected breaches by automatically comparing scheduled (e.g. weekly) snapshots of all critical assets, to see and assess what has changed

  3. Contain: Complete end-to-end investigations, including containment and remediation, typically in under 4 hours
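The "Find" use case above is a differential-forensics problem: keep a stable identity and a content fingerprint for each artifact, collect on a schedule, diff the collections, and triage what changed. The following is an added example (not Binalyze's code, and not AIR's evidence schema) that shows the mechanics on two constructed snapshots of one Windows host; the evidence categories, record keys, hash values, and triage markers are all assumptions made for illustration.

```python
# Added example (not Binalyze's code): finding an otherwise undetected compromise
# by diffing two scheduled forensic snapshots of the same host. Both snapshots are
# constructed sample data; categories, keys, hashes and triage markers are
# assumptions for illustration, not AIR's own schema.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A snapshot maps an evidence category to {stable identity: content fingerprint}.
# Identity is what persists across collections (task path, service name, user,
# file path); the fingerprint is what should not change silently (command line,
# SID, file hash). Volatile fields such as timestamps are deliberately left out.
Snapshot = Dict[str, Dict[str, str]]

# Constructed baseline: last week's scheduled collection of a clean host.
BASELINE: Snapshot = {
    "scheduled_tasks": {
        r"\Microsoft\Windows\Defrag\ScheduledDefrag": "defrag.exe -c -h -k -g",
    },
    "services": {"wuauserv": "svchost.exe -k netsvcs -p"},
    "local_admins": {"Administrator": "S-1-5-21-1000-500"},
    "startup_files": {r"C:\Program Files\Vendor\agent.exe": "sha256:3f1e9a..."},
    "installed_software": {"Google Chrome": "110.0"},
}

# Constructed current collection: one benign change (7-Zip installed) and three
# planted signs of compromise (new task, new local admin, changed startup binary).
CURRENT: Snapshot = {
    "scheduled_tasks": {
        r"\Microsoft\Windows\Defrag\ScheduledDefrag": "defrag.exe -c -h -k -g",
        r"\Updater": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A...",
    },
    "services": {"wuauserv": "svchost.exe -k netsvcs -p"},
    "local_admins": {
        "Administrator": "S-1-5-21-1000-500",
        "svc_backup": "S-1-5-21-1000-1104",
    },
    "startup_files": {r"C:\Program Files\Vendor\agent.exe": "sha256:9c0d77..."},
    "installed_software": {"Google Chrome": "110.0", "7-Zip": "22.01"},
}


@dataclass
class Change:
    category: str
    key: str
    kind: str                      # "added", "removed" or "modified"
    before: Optional[str]
    after: Optional[str]
    reasons: List[str] = field(default_factory=list)


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """Return every record that was added, removed or modified between two snapshots."""
    changes: List[Change] = []
    for category in sorted(set(baseline) | set(current)):
        before = baseline.get(category, {})
        after = current.get(category, {})
        for key in sorted(set(before) | set(after)):
            if key not in before:
                changes.append(Change(category, key, "added", None, after[key]))
            elif key not in after:
                changes.append(Change(category, key, "removed", before[key], None))
            elif before[key] != after[key]:
                changes.append(Change(category, key, "modified", before[key], after[key]))
    return changes


# Triage rules are small and explicit so an analyst can see why a change was
# flagged; a real deployment would tune these per environment.
PERSISTENCE_CATEGORIES = {"scheduled_tasks", "services", "startup_files", "local_admins"}
SUSPICIOUS_MARKERS = ("-encodedcommand", "-enc ", "-w hidden", "frombase64string",
                      "\\appdata\\", "\\temp\\")


def triage(changes: List[Change]) -> List[Change]:
    """Keep the changes worth an analyst's time, recording the reason on each one."""
    flagged: List[Change] = []
    for ch in changes:
        ch.reasons = []            # recompute rather than append, so repeat calls agree
        text = (ch.after or "").lower()
        if ch.category in PERSISTENCE_CATEGORIES and ch.kind == "added":
            ch.reasons.append(f"new {ch.category} entry")
        if ch.category == "startup_files" and ch.kind == "modified":
            ch.reasons.append("startup binary hash changed")
        if any(marker in text for marker in SUSPICIOUS_MARKERS):
            ch.reasons.append("suspicious command line")
        if ch.reasons:
            flagged.append(ch)
    return flagged


if __name__ == "__main__":
    for ch in triage(diff_snapshots(BASELINE, CURRENT)):
        print(f"[{ch.kind.upper()}] {ch.category}: {ch.key}  ({'; '.join(ch.reasons)})")
        print(f"    before: {ch.before}\n    after:  {ch.after}")
```

Two design points matter in practice. First, the diff is only as good as the keys: if a timestamp or a volatile PID is part of the identity, every weekly comparison lights up and the signal drowns. Second, triage must be separate from diffing; the 7-Zip install is a real change and belongs in the record, but it is the new hidden-window encoded PowerShell task, the new local administrator and the changed startup binary that an analyst should see first.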

By getting proactive, and by automating data capture, analysis and containment, Binalyze can take average breach lifecycles from 277 days down to 7. This is how SOCs prevent damaging attacks and save millions of dollars per year.

Today the defender has to be perfect every time. With Binalyze AIR it is the attacker who has to be perfect: with over 300 evidence types automatically collected and analyzed, it is very hard for them not to leave a trace.

To find out more about AIR, how it can change the status quo of your SOC capabilities and help maintain a more resilient cyber security posture, why not sign up for a free 14-day trial?


References

1. Check Point

2. IBM

3. Cybersecurity Ventures