Reducing the Critical Time from Incident Detection to Containment

Transcription

1 White Paper Reducing the Critical Time from Incident Detection to Containment By Jon Oltsik, Senior Principal Analyst May 2014 This ESG White Paper was commissioned by Bradford Networks and is distributed under license from ESG.

2 White Paper: Reducing the Critical Time from Incident Detection to Containment 2 Contents Executive Summary... 3 Enterprises Are Responding to New Threats... 3 Systemic Problems Remain... 4 Incident Detection/Response Demands an Architectural Approach... 6 Bradford Networks: Network Sentry/RTR... 8 The Bigger Truth... 9 All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at

3 White Paper: Reducing the Critical Time from Incident Detection to Containment 3 Executive Summary After years of settling for good enough IT security, enterprise organizations now realize that this is no longer an adequate approach. This change of heart can be directly linked with the recent wave of sophisticated malware, targeted attacks, advanced persistent threats (APTs), and visible security breaches occurring over the last few years. Rather than settling for the required coverage that demonstrates internal and external compliance, business executives are now asking tough questions about cybersecurity risk and are even willing to throw money at the problem. CISOs are quite willing to increase budgets to address the new types of threats, but are they taking the most appropriate actions? If not, what types of solutions should they look for to improve risk management, and incident prevention, detection, and response? This white paper concludes that: Enterprises are changing their behavior based on urgent new requirements. Aside from bolstering information security budgets, many enterprises are consolidating the management of their security tools into a Security Operations Center and are turning security analysts into dedicated malware, cybercrime, and forensic experts. This highly specialized staff is embracing new types of advanced malware detection/prevention (AMD/P) appliances that detect incidents in motion by monitoring for suspicious or rogue network traffic. A tactical approach to incident detection/response will not be enough. While doing something is better than nothing, tactical changes can only result in marginal improvement. Why? Many large organizations face systemic problems associated with a shortage of advanced cybersecurity skills, silos of responsibility, and incident response processes that glue together information from an army of disparate point tools. These fundamental issues are creating a severe bottleneck that prolongs the adverse impact associated with emerging cybersecurity threats. Technology solutions must be based upon integration, shared intelligence, and workflow automation. Large organizations can t address these systemic issues with more point tools, so what types of solutions should CISOs look for? ESG believes that incident detection and response technologies require a new level of integration to create an end-to-end architecture for data exchange, shared analytics, and granular policy enforcement. This integrated architecture can help organizations improve security across a closed-loop cycle of risk management, incident prevention, detection, and response. An integrated and correlated architecture that encompasses incident response, security alerts, and endpoint visualization, access, and security (EVAS) can help organizations overcome their current challenges with skills shortages, silos of SOC and NOC information, and manual triage processes. Furthermore, this architecture can result in a series of benefits helping organizations lower risk, improve security, and streamline IT security operations. Enterprises Are Responding to New Threats Over the past several years, enterprises have faced an increasingly dangerous threat landscape. The volume and sophistication of attacks has increased and security breach details fill newspaper headlines, while new IT initiatives such as cloud computing, infrastructure virtualization, and mobile computing continue to alter traditional security methodology. If there is a silver lining sewn into these concerning trends, it is that executives are increasingly aware of the importance of security for the business process and they are budgeting accordingly. According to ESG research, 62% of organizations plan to increase their security budgeting in Additionally, 32% of all organizations surveyed consider information security initiatives to be one of their top spending priorities in the coming year. Just how are organizations using these increasing security budget dollars? According to ESG research, enterprise organizations are: 1 Source: ESG Research Report, 2014 IT Spending Intentions Survey, February 2014.

4 White Paper: Reducing the Critical Time from Incident Detection to Containment 4 Creating focused teams and resources for addressing malware. CISOs realize that they now need a team of highly skilled security analysts working together to understand malware threats, detect attacks, and respond as quickly as possible. Given this pressing need, ESG research indicates that 31% of enterprises have built a Security Operations Center to consolidate security tools and personnel in one place, while an additional 25% of large organizations have a SOC project underway (see Figure 1). 2 Additionally, 39% of enterprises say they have created a specific group of security analysts dedicated to malware intelligence and analytics. 3 Figure 1. Has Your Organization Built and Staffed a Security Operations Center (SOC)? Has your organization built and staffed a Security Operations Center (SOC)? (Percent of respondents, N=257) No, 13% No, my organization chose to outsource rather than build/staff a SOC, 4% Yes, we have SOC, 31% No but we are interested in building and staffing a SOC, 13% No, but plan on building and staffing a SOC within the next 24 months, 15% No but we have a project underway to build and staff a SOC, 25% Source: Enterprise Strategy Group, Getting help from service providers. Smart CISOs understand that they may not have the right staff or skills to take on cyber threats alone. To bridge this gap, 31% of large organizations are investing in incident response services to support their internal IT security teams in the event of a security breach, while 27% are hiring external experts to train the security staff on how to identify and respond to specific types of threats. 4 Implementing new layers of security controls. More than half (55%) of large organizations allocated specific security budget dollars for new types of anti-malware services and technologies in 2013 such as network sandboxes and advanced threat intelligence feeds. 5 This reflects an increased effort to defend against advanced attacks. Systemic Problems Remain While the increasingly insidious threat landscape is driving cybersecurity changes, these actions are reminiscent of the Little Dutch Boy plugging the dyke with his finger. In spite of the addition of new security products, 2 Source: ESG Research Report, The Emerging Intersection Between Big Data and Security Analytics, November Source: ESG Research Report, Advanced Malware Detection and Prevention Trends, September Ibid. 5 Ibid.

5 White Paper: Reducing the Critical Time from Incident Detection to Containment 5 organizational shifts, and help from managed/professional services, information security remains fraught with systemic problems. Tactical changes won t make much difference as long as enterprises are faced with serious incident detection/response issues such as (see Figure 2) 6 : An acute shortage of cybersecurity skills. Alarmingly, recent ESG research indicates that 25% of mid-sized and enterprise organizations claim that they have a problematic shortage of IT security skills. 7 The situation is even bleaker across certain industries. For example, 36% of government agencies, 29% of transportation and logistics firms, and 28% of financial services organizations report a problematic shortage of IT security skills. Given the severe shortage of cybersecurity talent, CISOs must concentrate their efforts on enabling the security team to work smarter, not harder. A dependence on manual processes. One of the security industry s best kept secrets is that security alerts and incident detection must be followed on by an intricate array of manual processes for further analysis of each event. Furthermore, incident response is often mired by a complex series of workflows, change management, help desk tickets, and IT operations. This hampers organizations because even efficient incident detection/response cycles can take days, weeks, or months to complete. A potpourri of security point tools and analytics. Aside from manual labor, security professionals also depend upon an army of security alerts, analytics, intelligence feeds, and reports to piece together the details about security attacks and the state of the network at any time. For example, a security alert may hint at the presence of malware, prompting the security team to dig into network packet analysis, vulnerability scanning reports, antivirus signature updates, and the endpoint patch management database. Each of these issues is certainly concerning, but CISOs should be extremely troubled by their cumulative ramifications. Under-staffed and under-skilled security teams are forced to prioritize security incidents, analyze them through an array of disconnected security systems, and then respond to the most pressing events through a series of manual investigations and operations. As if this wasn t bad enough, the ESG data also indicates that security teams will likely be distracted by abundant false positive responses. 8 In aggregate, it s pretty clear that the overall incident detection/response system is broken. 6 Source: ESG Research Report, The Emerging Intersection Between Big Data and Security Analytics, November Source: ESG Research Report, 2014 IT Spending Intentions Survey, February Source: ESG Research Report, The Emerging Intersection Between Big Data and Security Analytics, November 2012.

6 White Paper: Reducing the Critical Time from Incident Detection to Containment 6 Figure 2. Challenges with Incident Detection and Response Which of the following challenges does your organization face when it comes to incident detection and response? (Percent of respondents, N=257, multiple responses accepted) Lack of adequate staffing in security operations/incident response team(s) 39% Too many false positive responses Incident detection depends upon too many manual processes Incident detection depends upon too many independent tools that aren t integrated together Sophisticated security events have become too hard to detect for us My organization lacks the right level of security analysis skills needed Lack of adequate data collection/monitoring in one or more critical area Lack of proper level of tuning of our SIEM and other security tools 35% 29% 29% 28% 28% 28% 23% 0% 10% 20% 30% 40% 50% Source: Enterprise Strategy Group, Incident Detection/Response Demands an Architectural Approach As Albert Einstein once said, If I had an hour to solve a problem, I d spend 55 minutes thinking about the problem and five minutes thinking about the solution. Unfortunately, many organizations neglected this sage advice and opted for quick-fix tactical incident detection/response solutions. These tactical moves may have provided nominal improvements, but they failed to address the more systemic people, process, and technology issues. So what s needed? Incident detection/response technologies must become more aware of the state of network infrastructure and connected endpoints at all times. This will require a new level of interoperability between advanced malware detection technology and EVAS for continuous monitoring. Bridging this gap into a cooperative technology and seamless workflows requires: Tight integration. When incident detection devices trigger some type of alert, security analysts will need to know the location and which specific endpoints were active at the time to add context to the alerts. This requires tight integration between incident detection and network and endpoint visibility, access, and security (NEVAS) systems that can align this data from a historical and up-to-the-minute perspective. To cover all bases, continuous monitoring systems must be able to recognize the network infrastructure and the endpoints such as printers, IP phones, and mobile devices that could be used as a beachhead for malware propagation. Visibility into non-pc devices will grow increasingly important as organizations embrace IP-based sensors for Internet of Things (IoT) visibility. In any case, incident detection alerts can become more actionable if they can be correlated with detailed information about the location, endpoint, and user connected to wired switches, wireless networks, and VPNs. Deep visibility. Knowing the endpoints accessing the networks is a start, but security analysts need a lot more data about device types, configurations, applications, and security status. Furthermore, it s critical to map each device and IP/MAC address to actual users in order to investigate suspicious behavior or actual insider attacks. When incident detection and EVAS systems share and analyze this detailed data, security alerts can become more actionable because they are correlated with profiles of every device connected to wired switches, wireless networks, and VPNs.

7 White Paper: Reducing the Critical Time from Incident Detection to Containment 7 Correlation and analytics. In Figure 2, 35% of security professionals identified too many false positives as one of their organization s biggest challenges with incident detection/response. 9 Indeed, false positives are especially frustrating because security analysts are struggling to keep up with the volume of security alerts and simply can t waste valuable time and resources chasing incident detection red herrings. Incident detection and EVAS technology integration can be used to apply in-depth context to security alerts in order to vastly improve event filtering and correlation. How? Alerts can be cross-correlated with EVAS data to identify an actual compromised endpoint, greatly reduce false positives, and accelerate remediation activities. Automation for incident response. The marriage of incident detection and EVAS technologies can help security analysts pinpoint problems, but what then? Given the current reliance on manual processes, security analysts are often forced to open a trouble ticket or bring in the IT operations team to craft a remediation plan. This plan can take hours to create and even longer to execute, increasing the risks and potential damages associated with a security breach. Additionally, security and IT operations teams may be overwhelmed with remediation tasks if multiple systems are compromised at once. To overcome this manual and time-consuming slog, EVAS can be used to enforce security policies through its network access control features. For example, an endpoint transmitting encrypted packets to an IP address in the Ukraine can be instantly removed from the network, while a zombie PC can be redirected to a remediation VLAN for immediate cleanup. ESG believes there is a before and after scenario here. In the before case, incident detection technology is added tactically to the network. Yes, it can be effective at detecting advanced malware attacks, but there is still a lot of manual and tactical work necessary to investigate the alert, put it in context, determine whether it is real, triage and prioritize it against other activities, and execute a remediation plan (see Figure 3). Figure 3. Tactical Incident Detection versus Incident Detection/EVAS Integration Source: Enterprise Strategy Group, Source: ESG Research Report, The Emerging Intersection Between Big Data and Security Analytics, November 2012.

8 White Paper: Reducing the Critical Time from Incident Detection to Containment 8 Bradford Networks: Network Sentry/RTR A number vendors in the market offer integrated partnership portfolios aimed at improving context, communication, and response between different technologies. Security professionals want integration and automation, but a crowded market has made it difficult to separate technology claims from proven technology capabilities. What should they look for? ESG believes that the strategies and priorities outlined in this paper could be an effective reference point in evaluating integrated security response portfolios. One vendor that meets much of the criteria listed here is Bradford Networks, a privately held security company based in Boston, Massachusetts (USA). Bradford recently introduced its Rapid Threat Response (RTR) technology designed to integrate its offering with incident detection technologies from industry leaders such as FireEye, Fortinet, and Palo Alto Networks. In this way, Bradford actually extends EVAS to the network to create network and endpoint visibility, access, and security (NEVAS). Network Sentry/RTR leverages its Live Inventory of Network Connections (LINC) and customized integrations to automatically correlate high fidelity security alerts with compromised endpoints. By automating the complex incident response triage process, Network Sentry/RTR minimizes the risk to assets and intellectual property, protects the brand, and reduces the impact, time, and costs of dealing with cyber threats. In this way, Bradford s RTR solutions provide incident detection and NEVAS technology integration that can actually take organizations beyond basic support and enable CISOs to build and automate an efficient methodology that extends across a closed-loop lifecycle including risk management, incident prevention, incident detection, and incident response (see Figure 4). In this way, large organizations can address their current incident detection response challenges (i.e., skills shortages, false positives, point tools, etc.) and achieve benefits by automating policy enforcement, streamlining IT operations, and minimizing the potential damage of security breaches. Figure 4. Bradford Networks: Incident Detection/NEVAS Integration Covers the Security Cycle Source: Enterprise Strategy Group, 2014.

9 The Bigger Truth White Paper: Reducing the Critical Time from Incident Detection to Containment 9 Increasingly effective malware, the blurring line between network and endpoint security, BYOD, and the IT security skills shortage are combining to make cybersecurity a more pressing need than ever. While prevention has historically been the focus of most organizations, there is a continued shift toward focusing on detection and remediation that is impacting the market. Regrettably however, many CISOs continue to take a tactical approach to address the insidious threat landscape. They buy products, consolidate tools into SOCs, and shift around personnel, but fail to deal with systemic problems associated with incident detection and response. So what s needed? Solutions that can really address common issues around security skills, manual processes, false positive alerts, and disconnected security point tools. This requires new levels of integration, intelligence, analytics, and automation. Bradford Networks solutions provide an essential piece of this puzzle, offering a Live Inventory of Network Connections and real-time policy enforcement for risk management and rapid response. Combined with leading incident detection tools such as FireEye, RTR can actually increase Bradford s potential value to enterprise customers by helping them pinpoint vulnerable systems, identify compromised systems, and accelerate containment. In this way, Network Sentry/RTR can help lower risk, improve incident detection/response efficiency, and streamline IT security operations.

10 20 Asylum Street Milford, MA Tel: Fax: