Sluggish Incident Response: Next-Generation Security Problems and Solutions

Transcription

1 CUSTOMER NEEDS AND STRATEGIES Sluggish Incident Response: Next-Generation Security Problems and Solutions Christian A. Christiansen Christina Richmond Robert Westervelt IDC OPINION The rush to adopt technologies that detect advanced threats has resulted in an increasing flood of information for consumption by security teams. This increased volume of good information also has an increased level of noise, that is, alerts that do not represent malicious activity. This alert noise presents a challenge to already overburdened incident responders. Organizations must develop and cultivate a security program that reduces the attack surface and has the ability to quickly detect and contain attacks before they move into the next stage of the attack life cycle. The challenging hiring environment for skilled security professionals will no doubt continue to drive interest in external security services to identify threats and aid incident response. No organization has the perfect strategy. Focus should be on solidifying basic security best practices and developing and thoroughly testing incident response (IR) procedures. The strategy should significantly improve the overall security posture and speed up threat containment and remediation of targeted weaknesses. The security program may be supported with the following measures: Review and update incident response procedures. Establish roles and responsibilities and conduct thorough tabletop exercises to validate the procedures and identify any technical limitations in the response processes. Develop a program that identifies and addresses vulnerabilities and configuration issues that are common weak points targeted by criminals. Consider engaging a services provider to assist with an end-to-end breach management program designed for this very task. Consider supporting two-factor authentication for externally accessible resources and assess the state of privileged credentials throughout the environment. Identify critical systems and restrict the environment to run only critical processes and applications. Review log and event management systems and identify tools that help incident responders prioritize alerts and efficiently address threats. Use a platform that integrates log data, threat intelligence data, and incidents into one dashboard for security operation center (SOC) analysts and incident responders to work in tandem, thereby keeping all systems and actions up to date. Hire employees dedicated to incident response and provide training and skills development opportunities. Create a retention program that rewards top performers and establishes a culture that provides a technical career path and potential leadership opportunities for new employees. Additional technology and threat intelligence coupled with support from outside services offerings could help enrich security alerts with context to help responders prioritize investigation and containment efforts. May 2015, IDC #256219

2 IN THIS STUDY This IDC study is the result of discussions with FireEye, its Mandiant incident response organization, and recent interviews with SOC managers and threat analysts about how to better approach incident response management. This study identifies the issues plaguing incident response processes and provides potential solutions to these problems. It also provides an overview of the outside security services that organizations can procure to support their threat response operation. SITUATION OVERVIEW Prioritizing and addressing the growing number of security alerts is at least one of the issues challenging incident responders. It has resulted in an expanding gap between an initial compromise and the time a breach is detected. This is a growing issue as attacks take longer to discover, notification is delayed, forensics investigations are hampered, public opinion declines, and regulators/auditors take harsh actions. Targeted attacks are often multistaged, carefully planned, and are increasingly using sophisticated tools, tactics, and procedures designed to evade common defenses. Most attacks begin with a simple phishing campaign or Web-based attack to gain an initial foothold in an organization. Once a staging ground is established, attackers carefully seek to elevate privileges, often stealing account credentials to appear as legitimate users on the corporate network. These kinds of targeted strikes enable criminal groups and nation-state sponsored attackers to spider out across the whole environment. Their aim is to steal information that is valuable to them which may be credit card numbers, merger and acquisition plans, or technical design specifications. A growing number of established and emerging start-ups are coming to market with so-called advanced threat protection platforms that promise to identify, alert on, and, in some cases, even block suspicious files and behaviors that signal a potential attack in progress. FireEye, which has gained attention with its NX Network Security appliances, has helped fuel much of the attention on previously unidentified malware associated with targeted attack activity. But despite demonstrating success in identifying advanced malware and reducing false positives, details from the long list of recent data breaches, beginning with the security lapse at retail giant Target Corp. during the 2013 holiday season, suggest that incident responders continue to struggle to investigate and contain intrusions before attackers steal information. A recent IDC survey identified many of the challenges that stymie incident response. Organizations indicated that security teams manage multiple consoles for network-based threat management, with some juggling seven or more. The sheer volume of alerts is becoming a significant challenge, with some IT teams getting 10,000 alerts a month or more. With that high number of alerts, false positives may be a significant issue with some organizations, indicating that they have taken steps to minimize false positives and eliminate duplicate alerts. Separating the wheat from the chaff when it comes to identifying alerts that deserve further investigation requires dedicated focus, experienced security analysts, and is typically time consuming IDC #

3 In targeted attacks, there are three issues that cause a customer's IT security analysts to miss critical incidents: Poor visibility and context: Organizations often suffer from the lack of automated tools to measure and assign a risk score to an alert. Often, processes are also not assessed and sharpened to rapidly identify which events indicate the need for more depth. It takes a trained person to identify what needs a deeper look and to contain the issue. Overall, the analyst is blamed when a threat isn't contained, but the real fault lies in the lack of maturity in endpoint forensics, investigation tools, poor integration, and the lack of flight recorder data. Moreover, analysts sometimes lack the technical ability to correlate context across multiple attack environments versus a single failed attempt. An investigation of the most serious infections requires the completion of forensic investigations and being able to clearly communicate the compromise to senior executives and board of directors. IDC believes that by 2018, fully 75% of CSOs/CISOs will report directly to the CEO as interest in information security rises at the board of directors and senior executive level (see IDC FutureScape: Worldwide IT Security Products and Security Services 2015 Predictions Moving Toward Security Integration, IDC #253026, December 2014). Executive leadership may ask what data was potentially being sought; who the adversary is; whether it is a targeted, state-sponsored attack; or a previously identified criminal organization. Those data points are coveted information, but the details are not always absolute. Solutions: Organizations should establish incident response procedures and identify an individual who will lead the IR team. The policy should be regularly tested and updated as needed. Train analysts in identifying alerts that need additional attention. Consider reinforcing internal processes and responders by outsourcing remediation and better equipping them with SaaS analytics and iterative intelligence services that can add the context required to determine the connotation of an alert. Many security service providers now offer end-to-end breach management services that work with enterprise security staff to identify processes, people, and technology critical to an inevitable breach. These services can be purchased either as consulting engagements to develop an incident plan or as both a consulting and a retainer for incident response when (not if) the services will be needed. Limited human resources: The lack of skilled security analysts to support information security activities has been well documented and is a growing problem that has fueled significant growth in security services. IDC estimates the total worldwide professional security services (PSS) market accounted for $18.4 billion in revenue in 2014, and it is expected to reach $23.7 billion in 2019, growing at a 5.2% compound annual growth rate (CAGR) over the period (see Worldwide and U.S. Professional Security Services Forecast: The Perfect Storm, IDC #254562, March 2015). The growing complexity associated with the rapid pace of ongoing initiatives such as cloud, mobile, Big Data and analytics, and social, which collectively make up what IDC calls the 3rd Platform, has driven the need for additional IT security talent, not eliminated it. Staff augmentation can perform end-to-end breach management and provide vulnerability assessments and penetration testing, forensics, and remediation services. Solutions: Specialized vendors with managed services maintain skilled people and have visibility into attacks impacting their entire client base. Managed security service providers (MSSPs) are increasingly offering incident response retainer services, triage assistance, and phone support to address critical alerts. Outsourcing could involve simply adding monitoring services on weekends or holidays or 24 x 7 monitoring to reinforce onsite 2015 IDC #

4 personnel. Some service providers also have added dedicated response teams that can be retained when responders need assistance with a serious lapse. Inadequate follow-up to address root causes: The goal of maintaining an incident response team is not only to effectively respond and investigate security incidents. The incident response team increases the awareness about the effectiveness of the information security program and over time can cultivate a culture of security awareness within the entire organization. Remediation plans need short- and long-term strategies based on defense in depth. The security team's investigation and analysis of an attack should be followed up with recommended changes to prevent attacks from leveraging similar weaknesses throughout the organization. A high number of organizations are reviewing configurations monthly and more proactively addressing software vulnerabilities. Another issue that demands attention is the common finding from penetration testing firms that many of the environments they have probed are overly permissive. In overly permissive environments, everything talks to everything, enabling attackers to easily move laterally through networks. Overly permissive networks are easier to set up and less difficult to troubleshoot, but they create attack opportunities. Solutions: A detailed report should follow an incident investigation and contain findings about the root cause of the incident and recommend policy, process, and/or configuration changes to reduce the potential for similar incidents from occurring in the future. To solve this problem, policy is needed to constrain access and segment off critical parts of the network. In addition, turning off rarely used server and application features and components to reduce the attack surface may be beneficial. Consider modern IT management platforms designed to identify weaknesses and privileged account security and management tools to track employee privileges. FUTURE OUTLOOK Advanced threat detection products use a variety of approaches to identify zero-day threats and other advanced malware designed to evade traditional security capabilities. But their success has generated increased alerts, overburdening some organizations with limited IT personnel and budget. Some security vendors are responding by building out their internal professional services capabilities, and organizations are encouraged to contact their security vendor or channel provider for assistance. Wellestablished organizations with incident response services include AT&T, Dell SecureWorks, FireEye- Mandiant, Verizon, and NTT. Some specialized threat analysis and protection (STAP) vendors are having success identifying advanced malware and can also provide the context behind detected threats. A growing number of STAP vendors are adding automated response capabilities designed to quarantine or remove threats. In addition, emerging threat intelligence management platforms can help incident response teams organize and gain more value out of security vendor and other third-party threat intelligence feeds. It could take a period of five years or more before organizations begin to become comfortable with automating response and threat removal activities. Managed security service providers have also added incident response services, with some MSSPs adding dedicated incident response personnel in their security operation centers to provide complete incident response or triage services. IDC expects service offerings to expand over time and is seeing services extending into risk assessments, penetration testing, and other support capabilities IDC #

5 ESSENTIAL GUIDANCE Addressing security basics are a must, but organizations should also address internal processes, identify personnel that need additional training, and support and consider modernizing threat detection and response technology. Further: Consider security vendor products that play an active role in supporting incident response. In addition to forensics tools, network packet recorders, and traditional security products, a growing group of specialized threat analysis and protection vendors combine threat intelligence, data analytics, and increased visibility to identify advanced threats. Evaluate incident response management platforms that track the security incident response process and aid in remediation efforts. Modern platforms claim to integrate with incident response team workflows. Risk-averse organizations that are keeping security in-house require a comprehensive incident response plan and thorough process testing. Consider if automation can decrease the number of generated alerts and potentially reduce the workload of the IR team. Solutions like FireEye as a service can help classify and analyze risks and give subscribers access to historical information and recommendations for securing impacted systems and remediating threats. Make sure incident response plans include measures to handle a malware flood as well as a trickle. If you do produce threat intelligence, focus on quality as a priority over quantity. Where an opportunity for detection presents itself, seize it in the way that offers the greatest longevity for your efforts. Consider emerging threat intelligence management platforms that can aid SOC managers and threat analysts by organizing multiple threat feeds and making the flow of information actionable. Open source threat intelligence frameworks are a good starting point to eliminate the generally manual processes but require custom development. Emerging proprietary solutions can blend feeds, eliminate redundancies, correlate threat indicators, and visualize attack patterns to get a broader picture of adversary objectives. A hybrid approach could take advantage of SaaS platforms that add context to generated alerts. Managed security service providers add visibility and are increasingly offering professional services. MSSPs with professional services capabilities can help assist with risk assessments and provide much-needed support by helping manage determining the scope of an incident. Consider the following types of outside support: Threat intelligence services: Outside threat intelligence services that are tailored to an organization's industry vertical can help bolster the detection of advanced persistent threats (APTs), attacks are unknown, targeted, low and slow, and adaptive. They can also serve to provide additional context behind specific alerts and aid the remediation process to bolster prevention. Look for threat intelligence services that can be customized and provide timely and actionable data. Professional security services (includes consulting and integration): Outside professional services organizations can help configure and manage advanced security detection technologies to ensure that the full value of the technology is being achieved. These services can also include triage assistance with alerts, detailed forensics investigations, and postbreach assessment capabilities. Security consulting firms that specialize in breach, incident response, and forensic analysis can be placed on retainer ahead of time rather than obtaining services at a time of crisis IDC #

6 Consulting security services: Some consultative services specialize in risk assessments, penetration testing, and identifying data governance weaknesses. They may assist with developing and testing an incident response plan or help manage breach notification or disaster recovery procedures. They may also provide security awareness training to help build up a culture of security within the organization over time. LEARN MORE Related Research FireEye Continues Aggressive Expansion Strategy (IDC #lcus , September 2014) Mind the (Security Talent) Gap (IDC #251618, September 2014) Worldwide Threat Intelligence Security Services Forecast: "Iterative Intelligence" Threat Intelligence Comes of Age (IDC #246977, March 2014) Synopsis Bit9 Acquires Black Carbon as the Threat Intelligence Space Continues to Evolve (IDC #lcus , February 2014) This IDC study identifies the issues challenging security incident response activities and explores potential next-generation solutions and strategies to solve them. "High-profile data breaches in recent years have highlighted the need for organizations to find ways to better support overburdened incident responders," says Chris Christiansen, program vice president, Security Products and Services. "Many organizations are increasingly seeking outside assistance. Alerts require increased context and incident response processes need to be better planned, managed, and practiced." 2015 IDC #

7 About IDC International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications and consumer technology markets. IDC helps IT professionals, business executives, and the investment community make factbased decisions on technology purchases and business strategy. More than 1,100 IDC analysts provide global, regional, and local expertise on technology and industry opportunities and trends in over 110 countries worldwide. For 50 years, IDC has provided strategic insights to help our clients achieve their key business objectives. IDC is a subsidiary of IDG, the world's leading technology media, research, and events company. Global Headquarters 5 Speen Street Framingham, MA USA idc-insights-community.com Copyright Notice This IDC research document was published as part of an IDC continuous intelligence service, providing written research, analyst interactions, telebriefings, and conferences. Visit to learn more about IDC subscription and consulting services. To view a list of IDC offices worldwide, visit Please contact the IDC Hotline at , ext (or ) or sales@idc.com for information on applying the price of this document toward the purchase of an IDC service or for information on additional copies or Web rights. Copyright 2015 IDC. Reproduction is forbidden unless authorized. All rights reserved.