Redefining Incident Response

Transcription

1 Redefining Incident Response How to Close the Gap Between Cyber-Attack Identification and Remediation WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 1

2 Table of Contents Time is of the Essence when Mitigating Cyber-Attacks 3 The Pivotal Role Incident Response is Supposed to Play 3 Incident Response is Different from Detection and Forensics 4 Why Traditional Incident Response is Broken 4 Limited Resources 5 Manual Tools 5 Silo d Information and Broken Processes 6 Requirements for Effective Incident Response 6 The Hexadite Approach Redefining Incident Response 7 Hexadite s Benefits 7 Hexadite SWAT TM Technology Automatically Serving Your Incident Response Needs 8 About Hexadite 9 Disclaimer: The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice. Contact Hexadite for current information regarding its products or services. Hexadite s products and services are subject to Hexadite s standard terms and conditions. WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 2

3 Time is of the Essence when Mitigating Cyber-Attacks Cyber-Attacks may be inevitable, but their impact doesn t have to be. Recent high profile breaches, such as those experienced by Target Corp., Evernote, and ebay, remind us of the potentially devastating effects a breach can have on the bottom line and brand s reputation. A closer look at these breaches, however, reveals failings not in the organization s ability to detect the attack, but in their ability to quickly respond and efficiently shut it down. Target s security team received alerts on the attack to their payment systems days before the attackers were able to transmit the stolen credit card data, but those alerts went by unheeded. The attackers were able to collect information for 19 days before they were stopped days that impacted more than 40 million customers and cost the company approximately $148 million. i And Target is by no means an isolated incident. The Ponemon Institute reported, on average, it takes organizations 32 days to resolve a Cyber- Attack; for insider attacks, the average time for containment goes up to 65 days. ii Not surprising, Ponemon found a direct correlation between the time it takes to contain an attack and the cost to the organization. So, why is there such a lag? A large portion of the blame is due to broken incident response capabilities. The Pivotal Role Incident Response is Supposed to Play Organizations know they are going to be attacked; they also know a month is an unacceptable length of time for an attack to go unresolved. So what is being done to close the gap? For starters, organizations are spending more on cyber security to bolster their protection capabilities. iii A survey in the beginning of 2014 found that 60% of U.S. businesses planned to increase their cyber security budget over the next 12 months. iv This explains the proliferation of security solutions being deployed throughout an organization s environment to strengthen their security stance. These solutions, including firewalls, intrusion prevention systems, anti-virus, dynamic honeypots, data loss prevention solutions, sandboxes, as well as security information and event management (SIEM) systems, and other next-generation security tools, are looking at the network traffic and end-point devices for attack patterns and anomalous activity that indicates a threat. They then send an alarm and work to contain the attack until it can be removed. WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 3

4 This is where cyber incident response is supposed to come in the role of incident response and the cyber incident response team (CIRT) is to investigate all these alarms and initiate an appropriate response that contains and remediates the full extent of a breach. The problem is current teams and tools are overwhelmed by all these alarms from all these different detection systems and hampered by fragmented information and broken, manual processes that force a lag in resolution. This paper, examines how incident response is broken, the requirements to fix it and a glimpse at the Hexadite approach that re-imagines how incident response can be done to protect an organization s assets and image. Why Traditional Incident Response is Broken The promise of incident response is that it will enable organizations to quickly close out incidents to effectively protect their resources. Unfortunately, the incident response capabilities organizations need and the incident response capabilities that have traditionally been available fall short of that promise resulting in the headlines we have all come to expect. KPMG blames the breakdown in incident response on a combination of politics, data, tools, processes, and team; v a study by the Government Accountability Office (GAO) points to a lack of a consistent, documented approach (or response plan). vi All of which are right, but when they are boiled down, the crux of the problem is that incident response today relies heavily on expertise and manual intervention. Incident Response is Different from Detection and Forensics Incident Response picks up where detection systems leave off and supports the forensic activities post-attack remediation. What Incident Response Isn t: Incident response isn t sounding alarms incident response leaves that to the hundreds of different detection systems enterprises deploy to identify different types of attack patterns and anomalous behaviors in the network or on endpoint devices. Incident response isn t looking at damage that is for the forensics team and tools to do, as they investigate past events to understand the extent of an attack s damage. What Incident Response Is: Incident response investigates the alerts raised by detection systems to understand the extent of an attack, address and remediate it. Incident response is focused on preventing attack damage. It manages security events in realtime, making quick decisions and taking immediate actions to stop an attack from propagating and doing any (further) damage. This is because today s incident response consists of manual tools, limited resources and silo d information and broken processes that consume precious time and force organizations to make compromises that lead to elevated risk levels. WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 4

5 Limited Resources An organization s incident response is only as capable as the people involved and responsible for it. In the face of finite resources, with limited advanced security expertise, an organization s ability to effectively respond to a breach can be significantly hampered. Consider that one alert can take days to investigate and resolve; a team looking at alerts a day simply cannot scale to address everything they see. It is not uncommon for larger organizations to be facing thousands, even tens of thousands, of alarms a day from all the different detection systems deployed throughout their environment. The alert volume means the team must decide which to investigate. Any time spent on low level threats or worse, false alarms, is time taken away from other, more impactful events. Yet, low level threats, such as failed user logins or a high rate of firewall blocks, may be early indicators to larger, more devastating attacks. The limited resources that organizations can dedicate to incident response force them to make tough choices around the prioritization of their investigations and ultimate attack remediation efforts choices that may end up costing them dearly. Manual Tools For incident response to work, someone (preferably someone that has experience dealing with breaches), somewhere needs to take action at some point in the remediation process to ensure the attack is resolved. They may need to initiate an investigation, hunt down a piece of information or approve a course of action all of which takes precious time that most organizations don t have. Analyzing log files and databases, which form the basis for the information involved in most investigations is often incomplete and hard to understand, forcing someone to track down other pieces of the puzzle to try to get a clearer picture. Once an attack is identified and understood, the next steps are often manual even solutions that claim to automate incident response still require someone to intervene and approve remediation steps. Incident response also relies on someone to manually document the entire process. As we all know, paperwork is often the last thing that is done, if at all, in the face of one threat after another. This means organizations tend to have to duplicate work as they try to piece together what was done in an effort to support forensic investigations and codify best practices for a response plan. WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 5

6 Silo d Information and Broken Processes Information critical to an attack investigation is often silo d, based on which system it originated from in the organization. The personnel who have access to this information and the expertise to understand what it may mean are often spread across departments. Who is authorized to make any necessary changes (e.g. to the firewall rule set or network access control lists (ACLs) to support remediation can also be unclear and fragmented. It is not uncommon for incidents to be forwarded to the Forensics team to investigate. They have the expertise needed to identify the source and activity of an attack, however, their goals are different from incident response team they are focused on assessing the extent of the damage of a breach, not stopping it in real time. If the investigation is done during the forensics process, it is too late to effectively remediate the attack and prevent damage. It can be extremely difficult to ensure everyone that needs to be a part of the process is appropriately involved. Plus, because very few organizations have codified best practices, each incident is researched and a course of action decided as a one-off event, which results in duplicative activities and an inability to benefit from ongoing efficiencies. Requirements for Effective Incident Response To ensure attacks don t go by unhandled, until it s too late, organizations need automated incident response capabilities to replace manual processes and the need for human intervention. To close the gap between detection and remediation, organizations need intelligent incident response automation that can: Improve Decision Making enabling decisions to be made in advance for the best possible outcome. Without needing specific security or incident response expertise on hand, the solution should be able to leverage documentation of the best, most efficient way to appropriately respond and then remediate the breach. Coordinate Response ensuring each and every alarm is investigated. The organization should be able to rule out false alarms and eliminate large scale events that combine multiple incidents or that target multiple infected hosts, so activity can return to its normal state. Limit Attack Impacts - accelerating the close out of a breach. Solutions should be able to quickly validate, isolate and remediate an attack before it can do any damage. WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 6

7 The Hexadite Approach Redefining Incident Response The Hexadite Automated Incident Response Solution automatically investigates each and every alarm to quickly identify and remediate any breaches. With the ability to pull in intelligence gathered throughout the organization, Hexadite is able to quickly identify affected devices and systems and close out breaches to protect an organization s resources. The Hexadite Automated Incident Response Solution is like having the power and intelligence of thousands of incident response specialists available to automatically neutralize any threat that comes up. The solution: Leverages Compute Power and Best Practices to Accelerate and Improve Decision Making The ability to quickly collect and analyze information that would otherwise be too time consuming or resource intensive to consider, such as data across 200 hosts, and incorporate it into intelligent decision-making algorithms to ensure the best possible outcome. Incident response best practices are codified in the logic of the system and automatically applied to help organizations optimize the effectiveness of their incident response efforts and reduce the need to invest in specialized incident response training. The easy to use solution integrates with an organization s infrastructure to ensure breaches can be handled with existing resources. On-demand reports allow an organization s team to simply demonstrate the effectiveness of their incident response activities. Hexadite s Benefits Strengthens Your Security quickly shutting down attacks and ensuring each and every alert is investigated to uncover hidden threats and protect against breaches that may otherwise go unhandled. Increases Your Productivity maximizing the effectiveness of your team with automated incident response processes and best practices - never again will you waste time investigating false alarms or spend hours trying to understand and mitigate the extent of a breach. Reduces Your Costs simplifying operations and minimizing damages and recovery times from attacks through rapid incident resolution. Maximizes Investigations to Ensure an Effective Coordinate Response The ability to investigate hundreds, even thousands, of alerts at once ensures nothing gets by and each and every alert is handled. Everything is checked, from low level threats to large scale events to enable the rapid identification and mitigation of threats facing the organization. Reduce the Time to Close Incidents by Up to 95% to Mitigate Attack Impacts The ability to close the window of opportunity for attackers with dynamic mitigation of all types of attacks, including advanced persistent threats (APTs) saves organizations the time and resources associated with recovering from a successful breach. WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 7

8 Hexadite SWAT TM Technology Automatically Serving Your Incident Response Needs The foundation of the Hexadite Automated Incident Response Solution is Hexadite s SWAT TM Technology, which is a powerful combination of proprietary intelligent algorithms and tools designed to quickly and effectively uncover and remediate hidden threats. SWAT TM Technology From Alarm to Mitigation Alerts Generated Parallel Investigations of All Alerts Threat Containment and Remediation The SWAT TM Technology receives alerts from all the different detection and security management systems throughout an organization s environment and begins to analyze them to determine whether they are threats or false alarms. SWAT TM s unique ability to conduct parallel incident investigations, ensures that nothing goes unhandled. To understand exactly what is going on, the SWAT TM Technology actively gathers and analyzes additional information from other endpoints and network devices, as well as Hexadite's threat intelligence cloud, which includes a repository of threat feeds, analysis logic and partner APIs, to develop a holistic, contextual view of the threats facing the organization. SWAT TM can then determine what targeted mitigation action to take, such as close a connection, kill a process, quarantine a file, change a firewall rule, and more, based on incident response best practices to stop the full extent of the breach. Depending on the level of control an organization requires over the remediation actions, the Hexadite solution can be deployed in a fully automatic or semiautomatic mode. There are default best practices that come with the solution, as well as options for the organization to apply custom logic. Once remediated, SWAT TM will validate the effectiveness of the actions taken and ensure the window of opportunity for attackers has been closed. SWAT TM can confirm remediation activity was fully performed and successful. For example, it can determine whether a user negated the action on their device or associate a new alarm on the same threat from a detection system. As a result, organizations can confidently close out incidents and reduce the damage and disruptions from successful breaches. WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 8

9 About Hexadite Hexadite is changing the way cyber incident response is done, with the first fully automated incident response solution that enables customers to rapidly investigate and close out all cyberalerts, in minutes, instead of weeks or months. The Hexadite Automated Incident Response Solution maximizes a customer s ability to investigate alarms to understand and remediate the full extent of a breach. Through proprietary, intelligent automation organizations can increases their team s productivity, reduce ongoing costs associated with investigating and recovering from attacks, and strengthen their overall security. For more information, please visit i Target Puts Data Breach Costs at $148 Million, Forecasts Profit Drop, New York Times, by Rachel Abrams, Aug. 5, 2014 ii Ponemon Institute Research Report, 2013 Cost of Cyber Crime Study: United States), Oct iii Cybersecurity Spending Reflects Limited Shift in Priority, by Steven Norton, Wall Street Journal, July 1, 2014, iv 60% of US businesses have increased cyber security spend following recent wave of Cyber-Attacks, B BAE Systems, Feb. 25, 2014 v Top 5 Reasons Incident Response is Failing, 2012, KPMG. vi Information Week 2014 Hexadite Ltd. All rights reserved. Hexadite, the Hexadite logo, Hexadite Automated Incident Response Solution, AIRS, SWAT are trademarks or registered trademarks of Hexadite, Ltd. in the United States and in other countries. All other trademarks are property of their respective owners. Hexadite assumes no responsibility for any inaccuracies in this document. Hexadite reserves the right to change, modify, transfer, or otherwise revise this publication without notice. WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 9