Detection and Response: The cybersecurity imperative

Let’s face it, when it comes to building a solid cybersecurity program, defense alone isn’t enough. Eventually, despite the best of skills and intentions, an attacker will find their way in. While few would argue that statement isn’t accurate, surprisingly few organizations have put in place to adequate response for when the inevitable does happen.

 

Enterprises are identifying more breaches. The 2015 US State of Cybercrime Survey, which was sponsored by PwC, CSO, the United States Secret Service, and CERT (a division of the Software Engineering Institute at Carnegie Mellon University) found that small businesses found fewer incidents than large enterprises by a factor of 31.

 

While large enterprises are finding more incidents, they are all too often finding them weeks, months, and even years after the initial date of infection.

 

All businesses would benefit by finding and reacting to breached systems more quickly. By being able to quickly determine the nature and cause of a breach, enterprises can not only stop the data bleeding in front of them, but also more intelligently stop future incidents through the increased visibility into how their defenses broke down.

 

Fortunately, more organizations are coming to realize that they have to monitor for indications of compromise and respond to breaches much more diligently than most probably do today. And the ability to be able to spot indicators of compromise such as virus signatures, certain hardwired Internet addresses, and other indications requires a comprehensive view of the enterprise environment as it actually is.

This view includes the context of what types of business data are at risk for any given threat or vulnerability (as discussed in our threat modeling post). It’s not enough to watch intrusion detection systems, firewall events, network logs, and others independently and expect to have a clear or complete picture of the reality within the environment.

 

Enterprises need to aggregate their security related data and be able to view this data comprehensively so that they can identify malicious actions and suspicious activity. This requires the ability to manage a lot of data, to be sure, but the ability to successfully analyze that amount of data will provide unparalleled view into enterprise risk, the effectiveness of in place security defenses, and the insight necessary to detect and respond to fast-moving and advanced threats.

 

With these efforts in mind, many enterprises are turning to new and established information security toolsets to spot attacks. A sizable percentage are still turning to log management tools, security information and event management systems, and similar technologies so that they can better correlate events in the environment and identify crucial alerts when attacked. Others are investing in breach detection systems that try to use machine learning to provide and understand system behavior to identify malicious behavior.

 

No system is foolproof, but intelligently looking for breach indicators is certainly better than not looking. Some of the types of activity security teams should always be on the lookout for include anomalous egress (outbound traffic), weird logon and authentication issues, suspicious registry or system changes, denial of service activity, strange traffic to unusual Internet addresses and such. Looking for data that points to unwanted activity is essential to being able to identify attacks while they are in progress and take the immediate steps needed to disrupt the attack and stop any further damage. Actively looking for indicators of compromise is a big switch from the typical focus of blocking and never looking for potential successful attacks. Not wise.

 

It’s also a major flip from traditional approaches to forensics, which are primarily a postmortem and evidence collecting activity. Even worse, many organizations when breached don’t ever look to see how they were breached, or what the attackers may have been looking for. If they have a comprised end point, for instance, they will clean the system or push a fresh image without any investigation what systems the breach may have impacted. No investigation, just move on.

 

At a minimum, when a system is breached, the system should be analyzed for indications of whether the breach was part of a larger attack, such as if the endpoint used as a stage to attack other systems, and how the system became infected in the first place.

 

What happens if it’s discovered that a serious breach is underway? It’s then time to call in the incident response team. According to experts I’ve interviewed over the years, the data breach incident response team should be small. It needs to have participants from IT management such as the CIO, the CISO or equivalent, as well as legal, until the full nature of the breach comes into view. Once the picture is clear and the breach is significant, it’s time to inform business management long before any public announcement. Once the full nature and magnitude of the breach is known, it’s time to start making the painful, but necessary public disclosures if called for by regulatory mandates or determined to be necessary.

 

When it comes to serious breach response, having the right relationships with organizations that can help with the response is vital. This includes local and national law enforcement, outside legal counsel, internet service providers, industry emergency response groups and others.

 

It’s not an easy task to be sure, but neither is having to endure a significant data breach.