Weaponizing Incident Response
Written by Lucas Zaichkowsky, Enterprise Defense Architect, Resolution1 Security
Cybersecurity solutions that reduce detection, response and recovery times are critical, but complex. That’s because they require a variety of incident analysis and management tools that are automated, tightly integrated and, ideally, managed from a central command. Few companies have the time or expertise required to implement and run such a well-integrated, comprehensive cybersecurity program. Those companies that succeed find their implementation severely hindered by inadequate integration options and cross-platform incompatibilities.
Filling the gaps that exist in today’s typical cybersecurity infrastructure should be at the top of every organization’s agenda. Corporate data theft is on the rise, as are hacking and malware attacks, and the majority of attacks are not the types of exploits that are identified easily by traditional alerting tools, nor are they easy to contain. According to the 2014 Data Breach Investigations Report (DBIR), a study conducted by the Verizon RISK Team with cooperation from 50 organizations that contributed data and analysis, including the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute, the United States Secret Service, the European Cyber Crime Center (EC3), and numerous cybercrime agencies around the world, there were more than 63,000 reported security incidents and 1,367 confirmed data breaches in 2013 (the period the 2014 study examined). Gartner estimates spending on the software, services and network security appliances used to secure enterprise and consumer IT equipment to hit $86 billion in 2016. It appears many companies are spending money to help stem the rising tide of attacks. However, the information security industry is still very much comprised of niche companies producing niche tools, and an organization looking to invest in an improved infrastructure must ensure it is addressing all security gaps that have resulted in poor detection and response times.
Misguided Spending, Slow Response and Disparate Tools = Exposure
Simply throwing money at the cybersecurity problem doesn’t increase protection, yet in previous years organizations have invested a tremendous amount of money in alerting and prevention technologies, all of which only catch what you tell them to look for. It seems only recently that organizations have realized this myopic approach to security leaves them vulnerable to unknown threats and unprepared to respond in a timely manner once a threat is detected.
The answer here is not to abandon prevention, alerting and event correlation tools, but to complete the equation by introducing integrated visibility and response capabilities that augment these solutions.
As the industry still recovers from its unbalanced prevention-based approach to security, few should be surprised when annual studies report dismal detection and incident response times. The majority of organizations falling prey to attacks learn of the breach only after the fact, some taking months or more to discover it. It is also alarming that a high percentage of reported incidents are discovered by a third party. Response times are no better, with incidents taking weeks, months or more to contain.
A lack of mature incident detection and response processes is the greatest reason for such discovery and response failings. According to the Global State of Information Security Survey 2013, only 27.2 percent of the business and technology executives surveyed said their organizations have an incident response process to report and handle breaches and to communicate them to the third parties that handle their data. Their inability to establish comprehensive detection, response and reporting processes is clearly due to the fact that organizations must rely on an incomplete, piecemeal technological infrastructure that cannot support the necessary detection, collaborative analysis and remediation capabilities.
Lofty talk of people, processes and information sharing has its place, but we won’t see our security posture improve until the weaknesses in defensive posturing and the underlying infrastructure are addressed.
IT security pros continue to grapple with the ever-increasing complexities of their cybersecurity initiatives, many of which are riddled with siloed security tools used by different teams within IT—tools that lack visibility, integration, automation and collaboration. This lack of integration and these siloed approaches are complex to manage, lead to slow response times, cause security oversights, and require varying skill sets, lengthy custom development and multiple screens/command centers.
Integration, Collaboration and Automation
Organizations now realize they must shift focus and investment to filling the incident detection and response gaps that currently hamstring cybersecurity and incident response professionals. Without compromising prevention, they must achieve faster, more comprehensive detection and response, dramatically increasing the speed with which they are able to triage suspected incidents, perform root cause analysis and stop the bleeding. They must vastly improve their ability to proactively assess their respective threat landscapes, assemble and share tactical threat intelligence and use this intelligence to seek out threats that have bypassed preventative defenses. Disparate teams juggling disparate tools will not accomplish these critical goals. Organizations must look to a single platform that provides integrated analysis, real-time collaboration and automation.
Such a platform isn’t a niche tool providing just endpoint analysis, just malware analysis, just network analysis or some watered-down combination of these. It gives organizations full, 360-degree visibility into what is happening on all information assets (on or off the network) and in network communications, and it can perform comprehensive malware analysis, root-cause analysis and eradication of threats. Finally, it provides an unprecedented level of bidirectional integration with ever-valuable SIEM platforms to enable automated, multistage workflows for response and remediation. Integrating a holistic, rapid detection and response platform with a SIEM most effectively addresses the two greatest challenges organizations face – achieving faster, more comprehensive detection of security breaches and data leakage, and achieving rapid, holistic response and remediation.
In conclusion, while organizations appear to be steadily bolstering their cybersecurity initiatives, many are still unable to detect threats that have circumvented their traditional prevention and alerting tools, their response times are too slow, and they struggle with comprehensive remediation. Much of this can be attributed to disparate teams within IT juggling several disparate security tools, which impedes visibility, integration, automation and collaboration. This traditional cybersecurity model is riddled with detection, analysis and remediation gaps that need to be filled.