Like a courtroom jury, a security team must determine innocence or guilt based upon evidence. However, that doesn’t mean they’re executing a fully realized evidence-based strategy.
In short, such a strategy combines reconnaissance, analytics and response procedures that are both effective and swiftly implemented to find attackers before they have time to do damage. Evidence in the form of data is not only qualified, but quantified. Given the likelihood of more threats such as the Log4j vulnerability, teams adopting this strategy will best prepare themselves for the next frontier of defense.
But how do they know if they’re up to the challenge? They should answer the following questions to distinguish whether they actually have an evidence-based strategy in place, or whether they’re simply collecting evidence:
Are we improving upon our average overall time to respond?
It takes more than nine months to identify and contain a breach. Breaches that take longer than 200 days to identify and contain cost on average $4.87 million. This means that measuring time to respond, and developing processes to improve it, has emerged as essential. Obtaining real-time or near-real-time threat intelligence is a critical aspect of this issue.
Are we effectively evaluating the flow of evidence through reconnaissance and analytics efforts?
Once an intrusion has been detected, cybersecurity leaders should focus on determining whether an event is benign or hostile. If hostile, then the flow of evidence through reconnaissance and analytics should reveal the “whole story” behind the event: “Who did this?” to identify the attackers; “What did they do?” to assess the nature and extent of the damage; and “When and where did it happen?” From there, the evidence enables teams to answer questions related to “Why?” and “How?”
Security teams cannot answer these questions without evidence detailed enough to distinguish normal user behavior from ill-intended lateral movement. If an incident involves the latter, richly detailed evidence lets security probe the activity and uncover facts that are still undetermined.
Do we quantify – or only qualify – what our evidence covers?
Cybersecurity teams must seek to quantify and qualify evidence coverage throughout all threat surfaces to completely understand the organization’s attack scope and remediation success. Reporting on the number and type of major incidents over the past 90 days and reducing hacker lurk time can, in turn, reduce data breach effects.
Security teams striving for an evidence-based strategy can ask: Which evidence sources are lead indicators of problems? Which sources play a critical role in the ability to diagnose incidents? Did a lack of evidence lead to the inability to successfully respond to an attack and/or understand it?
While qualifying brings value, it will remain limited without strong metrics to enable us to measure the coverage — and thus, measure our risk.
Have we established operating procedures for the strategy?
To cultivate an evidence-based culture, cybersecurity professionals seek to develop a standard set of operating procedures so that teams know exactly what to do in every situation the evidence reveals. These procedures should connect insights from reconnaissance and analytics observations and can be embedded into training initiatives.
Without the right evidence, a jury cannot conclude guilt or innocence. Similarly, without the right evidence, security teams cannot make informed decisions about detection and response; they are simply relying on hunches.
Given the increasingly hostile and complex threat landscape, this is insufficient. To rise above ineffective guesswork and meet enemies where they are — and completely understand their actions and techniques — security leaders need a comprehensively conceived and well-executed evidence-based strategy.