IT Security Guru

Are your incident response capabilities up to dealing with a breach?

by The Gurus
July 4, 2016
in This Week's Gurus
By Justin Harvey, CSO at Fidelis Cybersecurity
Security teams receive alerts on a daily basis, all of which indicate a potential incident. Tasked with reviewing and triaging these suspected incidents, analysts are often unable to quickly validate whether an incident is real or not, not least because they receive little context from the alert and, therefore, cannot assess the potential impact. In fact, it can often take days or even weeks to investigate, retrieve and analyse data about a threat. As a result, the most critical attacks are often detected long after vital data has been stolen, even though the evidence was sitting in the logs all along.
Avoiding a knee-jerk reaction
In an effort to protect the network and sensitive data, when security teams find something potentially malicious, there is a temptation to have a knee-jerk reaction. This would likely see them remove the impacted system and reimage it. This is meant to be a quick fix, but probably isn’t a fix at all. Chances are that one compromised machine is just the tip of the iceberg. Wiping it clean could alert the attacker and cause them to dive deeper into your network.
Five questions security teams should ask to get their incident response capabilities in check

  • What processes can be automated?

For example, can an endpoint triage package be collected based on an alert from a next-gen network device? To effectively detect and respond to a security incident, multiple complementary data sources need to be gathered and analysed as one. Reducing the number of manual steps required to piece together data from multiple sources and streamlining these workflows will shrink the time it takes to detect, investigate, analyse and resolve an incident.

  • What type of threat intelligence can a team consume? Is it limited?

Intelligence is critical to increasing a security team’s ability to detect and respond to an attack. Being able to consume threat intelligence in a broad range of formats increases a team’s ability to detect, prioritise, and successfully remediate threats. It is also critical to be able to apply threat intelligence retroactively, to data recorded before the intelligence was received, rather than only from that point in time onwards.

  • How quickly can information be captured from endpoints to help triage an alert?

Collecting and analysing rich endpoint data using traditional methods can take hours or even days. And it often results in false positives. Automating these tasks is one of the easiest ways to reduce the time it takes and therefore improve productivity. By sourcing an initial set of data such as running processes, open network connections or recently executed applications, a team can quickly validate the severity of an alert. Also, the benefits of detecting security incidents early in the attack lifecycle translate to lower costs associated with a breach and less complexity.

  • Can the source of an initial compromise or how an attacker moved laterally to other systems be identified?

Understanding what happened before and after an alert provides visibility into the scope of the compromise. It also helps a security team perform a damage assessment by showing what, if anything, was taken. Traditional forensic data is difficult to piece together and often incomplete. Advanced endpoint detection and response technology that records data enables analysts to quickly query and review past events. This provides visibility and context into what happened so security teams can fully respond and eliminate the attacker.

  • Can data exfiltration and lateral movement be immediately halted or can processes be ‘killed’?

Manual remediation is extremely time consuming and requires skilled analysts who are in high demand. Immediately stopping data exfiltration and isolating the endpoint decreases the time to resolve an incident and the risk of intellectual property loss. Implementing endpoint detection and response solutions, with system management capabilities, consolidates resources better and improves overall security hygiene.
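Two of the questions above, applying threat intelligence retroactively and reconstructing what happened before and after a hit to scope lateral movement, can be shown against a recorded endpoint event store. This is an added example, not code from the article or from Fidelis; the events, hosts, IP addresses and indicators are constructed sample data.

```python
"""Retro-hunt and scoping over a recorded endpoint event store (example)."""
from datetime import datetime, timedelta

# Constructed endpoint telemetry: (time, host, event type, detail).
# srv-05 is constructed to be the internal host at 10.0.0.5.
EVENTS = [
    ("2016-06-20T09:02:00", "ws-17", "process", "outlook.exe"),
    ("2016-06-20T09:03:10", "ws-17", "process", "invoice.doc.exe"),
    ("2016-06-20T09:03:15", "ws-17", "netconn", "198.51.100.23:443"),
    ("2016-06-20T09:40:00", "ws-17", "netconn", "10.0.0.5:445"),
    ("2016-06-20T09:41:30", "srv-05", "process", "svchost.exe"),
    ("2016-06-20T09:41:42", "srv-05", "netconn", "198.51.100.23:443"),
    ("2016-06-21T08:00:00", "ws-02", "process", "chrome.exe"),
]

# Constructed threat intel, received two days after the events, in two
# formats the team has to consume: a plain list and a CSV feed.
INTEL_TXT = "198.51.100.23\nbadhost.example\n"
INTEL_CSV = "indicator,type\ninvoice.doc.exe,filename\n203.0.113.9,ip\n"
INTEL_RECEIVED = "2016-06-22T12:00:00"


def load_indicators(txt, csv_text):
    """Normalise both feeds into one lower-case indicator set."""
    ind = {l.strip().lower() for l in txt.splitlines() if l.strip()}
    for row in csv_text.splitlines()[1:]:          # skip the CSV header
        ind.add(row.split(",")[0].strip().lower())
    return ind


def retro_hunt(events, indicators, received):
    """Events matching an indicator that were recorded BEFORE the intel
    arrived: the retroactive case a point-in-time feed would miss."""
    return [e for e in events
            if e[0] < received and any(i in e[3].lower() for i in indicators)]


def scope(events, hit, window_min=60):
    """Timeline on the hit's host within +/- window_min, plus internal
    (10.x) hosts it connected to after the hit: lateral-movement leads."""
    t0 = datetime.fromisoformat(hit[0])
    lo, hi = t0 - timedelta(minutes=window_min), t0 + timedelta(minutes=window_min)
    timeline = [e for e in events if e[1] == hit[1]
                and lo <= datetime.fromisoformat(e[0]) <= hi]
    pivots = sorted({e[3].split(":")[0] for e in timeline
                     if e[2] == "netconn" and e[3].startswith("10.")
                     and e[0] >= hit[0]})
    return timeline, pivots
```

Running `retro_hunt` with the loaded indicators flags the dropper and both C2 connections, all recorded before the intel arrived, and `scope` on the first hit returns the ws-17 timeline plus the pivot to 10.0.0.5, pointing the analyst at srv-05 for the damage assessment.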
Rapid Detection and Response Model
Our initial recommendations will help security teams gain greater visibility and intelligence about alerts, so detection and response to critical incidents is faster. So, how do you respond?
I recommend a Rapid Detection Response Model (RDRM):

  • Identify

The purpose of the ‘Identify’ step is to create situational awareness of the organisation’s threat environment. It establishes a baseline understanding of a company’s ability to manage cybersecurity risks and an organisation’s incident response maturity level.

  • Prepare

The ‘Prepare’ step makes use of the analysis and situational awareness obtained in the ‘Identify’ step to close gaps that hinder an organisation’s ability to efficiently detect, respond to and resolve incidents. Many organisations have invested in a collection of security technologies, but may not be experiencing the full benefit of their investment due to poor integration, unnecessarily complex processes or unused functionality. Also, organisations often put security tools in place as a reaction to a breach instead of in preparation for one. The RDRM helps you accelerate rapid detection and response by focusing attention on technology that makes security personnel better and faster.

  • Detect

Advanced, targeted attacks are not instantaneous events. They involve a series of actions and multiple phases that occur over a period of time. Professional cybercriminals are so adept at cloaking their activities that they routinely go unnoticed for months and often years. They conduct detailed reconnaissance activities and, when necessary, develop custom-tailored exploits to penetrate enterprise networks and steal sensitive corporate data, intellectual property, business plans and personal information. To ‘Detect’ security incidents early in the attack lifecycle is therefore paramount to success and lowers the complexity and associated cost compared to detecting after an organisation has been compromised.

  • Respond

During the ‘Respond’ step, security teams confirm, analyse and document attacks that they have detected in the previous phase. The goal is to assess the impact so an appropriate strategy to remediate and resolve the incident can be developed. This is where most organisations face severe challenges, including poor metrics for response and remediation.
Rapid detection and response is not a new concept. It’s been done by leading security operations centres and incident response teams for years through tremendous in-house efforts with dedicated programmers to integrate and automate a multitude of disparate point products. Thankfully, the security vendor ecosystem has been moving in the direction of consolidating and integrating complementary capabilities, making rapid detection and response technologies more accessible.
As organisations struggle to overcome talent shortages, keep up with modern threats and reduce risk, efficiency has become a necessity. The stakes are too high and there simply aren’t enough skilled people to continue relying on overworked, scarce experts. We believe every organisation is capable of using the RDRM to disrupt attack lifecycles and achieve a faster and more effective incident response that comes from greater visibility and context, consolidation and integration of security tools and automation of mundane steps.