Security teams receive alerts on a daily basis, all of which indicate a potential incident. Tasked with reviewing and triaging these suspected incidents, analysts are often unable to quickly validate whether an incident is real or not, not least because they receive little context from the alert and, therefore, cannot assess the potential impact. In fact, it can often take days or even weeks to investigate, retrieve and analyse data about a threat. As a result, the most critical attacks are often detected long after vital data has been stolen, and the evidence was clearly in the logs.
Avoiding a knee-jerk reaction
In an effort to protect the network and sensitive data, when security teams find something potentially malicious, there is a temptation to have a knee-jerk reaction. This would likely see them remove the impacted system and reimage it. This is meant to be a quick fix, but probably isn’t a fix at all. Chances are that one compromised machine is just the tip of the iceberg. Wiping it clean could alert the attacker and cause them to dive deeper into your network.
Five questions security teams should ask to get their incident response capabilities in check
- What processes can be automated?
For example, can an endpoint triage package be collected based on an alert from a next-gen network device? To effectively detect and respond to a security incident, multiple complementary data sources need to be gathered and analysed as one. Reducing the number of manual steps required to piece together data from multiple sources and streamlining these workflows will shrink the time it takes to detect, investigative, analyse and resolve an incident.
- What type of threat intelligence can a team consume? Is it limited?
Intelligence is critical to increasing a security team’s ability to detect and respond to an attack. Being able to consume threat intelligence in a broad range of formats increases a team’s ability to detect, prioritise, and successfully remediate threats. Additionally, being able to apply threat intelligence retroactively, not just from the point in time it has been received is critical.
- How quickly can information be captured from endpoints to help triage an alert?
Collecting and analysing rich endpoint data using traditional methods can take hours or even days. And it often results in false positives. Automating these tasks is one of the easiest ways to reduce the time it takes and therefore improve productivity. By sourcing an initial set of data such as running processes, open network connections or recently executed applications a team can quickly validate the severity of an alert. Also, the benefits of detecting security incidents early in the attack lifecycle translates to lower costs associated with a breach and less complexity.
- Can the source of an initial compromise or how an attacker moved laterally to other systems be identified?
Understanding what happened before and after an alert provides visibility into the scope of the compromise. It also helps a security team perform a damage assessment by showing what, if anything, was taken. Traditional forensic data is difficult to piece together and often incomplete. Advanced endpoint detection and response technology that records data enables analysts to quickly query and review past events. This provides visibility and context into what happened so security teams can fully respond and eliminate the attacker.
- Can data exfiltration and lateral movement be immediately halted or can processes be ‘killed’?
Manual remediation is extremely time consuming and requires skilled analysts who are in high demand. Immediately stopping data exfiltration and isolating the endpoint decreases the time to resolve an incident and the risk of intellectual property loss. Implementing endpoint detection and response solutions, with system management capabilities, consolidates resources better and improves overall security hygiene.
Rapid Detection and Response Model
Our initial recommendations will help security teams gain greater visibility and intelligence about alerts, so detection and response to critical incidents is faster. So, how do you respond?
I recommend a Rapid Detection Response Model (RDRM):
The purpose of the ‘Identify’ step is to create situational awareness of the organisation’s threat environment. It establishes a baseline understanding of a company’s ability to manage cybersecurity risks and an organisation’s incident response maturity level.
The ‘Prepare’ step makes use of the analysis and situational awareness obtained in the ‘Identify’ step to close gaps that hinder an organisation ability to efficiently detect, respond to and resolve incidents. Many organisations have invested in a collection of security technologies, but may not be experiencing the full benefit of their investment due to poor integration, unnecessarily complex processes or unused functionality. Also, organisations often put security tools in place as a reaction to a breach instead of in preparation for one. The RDRM helps you accelerate rapid detection and response by focusing attention on technology that makes security personnel better and faster.
Advanced, targeted attacks are not instantaneous events. They involve a series of actions and multiple phases that occur over a period of time. Professional cybercriminals are so adept at cloaking their activities that they routinely go unnoticed for months and often years. They conduct detailed reconnaissance activities and, when necessary, develop custom-tailored exploits to penetrate
enterprise networks and steal sensitive corporate data, intellectual property, business plans and personal information. To ‘Detect’ security incidents early in the attack lifecycle is therefore paramount to success and lowers the complexity and associated cost compared to detecting after an organisation has been compromised.
During the ‘Respond’ step, security teams confirm, analyse and document attacks that they have detected in the previous phase. The goal is to assess the impact so an appropriate strategy to remediate and resolve the incident can be developed. This is where most organisations face severe challenges, including poor metrics for response and remediation.
Rapid detection and response is not a new concept. It’s been done by leading security operations centres and incident response teams for years through tremendous in-house efforts with dedicated programmers to integrate and automate a multitude of disparate point products. Thankfully, the security vendor ecosystem has been moving in the direction of consolidating and integrating complementary capabilities, making rapid detection and response technologies more accessible.
As organisations struggle to overcome talent shortages, keep up with modern threats and reduce risk, efficiency has become a necessity. The stakes are too high and there simply aren’t enough skilled people to continue relying on overworked, scarce experts. We believe every organisation is capable of using the RDRM to disrupt attack lifecycles and achieve a faster and more effective incident response that comes from greater visibility and context, consolidation and integration of security tools and automation of mundane steps.