Redefining Incident Response

Redefining Incident Response: How to Close the Gap Between Cyber-Attack Identification and Remediation

WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation

Table of Contents

Time is of the Essence when Mitigating Cyber-Attacks
The Pivotal Role Incident Response is Supposed to Play
Incident Response is Different from Detection and Forensics
Why Traditional Incident Response is Broken
    Limited Resources
    Manual Tools
    Siloed Information and Broken Processes
Requirements for Effective Incident Response
The Hexadite Approach: Redefining Incident Response
    Hexadite's Benefits
Hexadite SWAT™ Technology: Automatically Serving Your Incident Response Needs
About Hexadite

Disclaimer: The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice. Contact Hexadite for current information regarding its products or services. Hexadite's products and services are subject to Hexadite's standard terms and conditions.

Time is of the Essence when Mitigating Cyber-Attacks

Cyber-attacks may be inevitable, but their impact doesn't have to be. Recent high-profile breaches, such as those experienced by Target Corp., Evernote, and eBay, remind us of the potentially devastating effects a breach can have on the bottom line and on a brand's reputation. A closer look at these breaches, however, reveals failings not in the organization's ability to detect the attack, but in its ability to respond quickly and shut the attack down efficiently. Target's security team received alerts on the attack against its payment systems days before the attackers were able to transmit the stolen credit card data, but those alerts went unheeded. The attackers were able to collect information for 19 days before they were stopped, days that impacted more than 40 million customers and cost the company approximately $148 million. [i] And Target is by no means an isolated incident. The Ponemon Institute reported that, on average, it takes organizations 32 days to resolve a cyber-attack; for insider attacks, the average time to containment rises to 65 days. [ii] Not surprisingly, Ponemon found a direct correlation between the time it takes to contain an attack and the cost to the organization. So why is there such a lag? A large portion of the blame is due to broken incident response capabilities.

The Pivotal Role Incident Response is Supposed to Play

Organizations know they are going to be attacked; they also know a month is an unacceptable length of time for an attack to go unresolved. So what is being done to close the gap? For starters, organizations are spending more on cyber security to bolster their protection capabilities. [iii] A survey at the beginning of 2014 found that 60% of U.S. businesses planned to increase their cyber security budget over the next 12 months. [iv] This explains the proliferation of security solutions being deployed throughout an organization's environment to strengthen its security stance. These solutions, including firewalls, intrusion prevention systems, anti-virus, dynamic honeypots, data loss prevention solutions, sandboxes, security information and event management (SIEM) systems, and other next-generation security tools, look at network traffic and endpoint devices for attack patterns and anomalous activity that indicate a threat. They then raise an alarm and work to contain the attack until it can be removed.

This is where cyber incident response is supposed to come in: the role of incident response and the cyber incident response team (CIRT) is to investigate all these alarms and initiate an appropriate response that contains and remediates the full extent of a breach. The problem is that current teams and tools are overwhelmed by all these alarms from all these different detection systems, and hampered by fragmented information and broken, manual processes that force a lag in resolution. This paper examines how incident response is broken, the requirements to fix it, and the Hexadite approach that re-imagines how incident response can be done to protect an organization's assets and image.

Incident Response is Different from Detection and Forensics

Incident response picks up where detection systems leave off and supports the forensic activities that follow attack remediation.

What incident response isn't: Incident response isn't sounding alarms; it leaves that to the hundreds of different detection systems enterprises deploy to identify different types of attack patterns and anomalous behaviors in the network or on endpoint devices. Incident response isn't looking at damage; that is for the forensics team and tools to do, as they investigate past events to understand the extent of an attack's damage.

What incident response is: Incident response investigates the alerts raised by detection systems to understand the extent of an attack, and then addresses and remediates it. Incident response is focused on preventing attack damage. It manages security events in real time, making quick decisions and taking immediate actions to stop an attack from propagating and doing any (further) damage.

Why Traditional Incident Response is Broken

The promise of incident response is that it will enable organizations to quickly close out incidents and effectively protect their resources. Unfortunately, the incident response capabilities organizations need and the incident response capabilities that have traditionally been available fall short of that promise, resulting in the headlines we have all come to expect. KPMG blames the breakdown in incident response on a combination of politics, data, tools, processes, and team; [v] a study by the Government Accountability Office (GAO) points to the lack of a consistent, documented approach (or response plan). [vi] All of these are right, but when they are boiled down, the crux of the problem is that incident response today relies heavily on expertise and manual intervention. Today's incident response consists of manual tools, limited resources, and siloed information and broken processes that consume precious time and force organizations to make compromises that lead to elevated risk levels.

Limited Resources

An organization's incident response is only as capable as the people involved in and responsible for it. In the face of finite resources, with limited advanced security expertise, an organization's ability to effectively respond to a breach can be significantly hampered. Consider that one alert can take days to investigate and resolve; a team looking at 10-50 alerts a day simply cannot scale to address everything it sees. It is not uncommon for larger organizations to face thousands, even tens of thousands, of alarms a day from all the different detection systems deployed throughout their environment. The alert volume means the team must decide which to investigate. Any time spent on low-level threats or, worse, false alarms is time taken away from other, more impactful events. Yet low-level threats, such as failed user logins or a high rate of firewall blocks, may be early indicators of larger, more devastating attacks. The limited resources that organizations can dedicate to incident response force them to make tough choices around the prioritization of their investigations and ultimate attack remediation efforts, choices that may end up costing them dearly.

Manual Tools

For incident response to work, someone (preferably someone with experience dealing with breaches), somewhere, needs to take action at some point in the remediation process to ensure the attack is resolved. They may need to initiate an investigation, hunt down a piece of information, or approve a course of action, all of which takes precious time that most organizations don't have. The log files and databases that form the basis of most investigations are often incomplete and hard to understand, forcing someone to track down other pieces of the puzzle to try to get a clearer picture. Once an attack is identified and understood, the next steps are often manual; even solutions that claim to automate incident response still require someone to intervene and approve remediation steps. Incident response also relies on someone to manually document the entire process. As we all know, paperwork is often the last thing that gets done, if at all, in the face of one threat after another. This means organizations tend to duplicate work as they try to piece together what was done in an effort to support forensic investigations and codify best practices for a response plan.

Siloed Information and Broken Processes

Information critical to an attack investigation is often siloed according to the system it originated from. The personnel who have access to this information and the expertise to understand what it may mean are often spread across departments. Who is authorized to make any necessary changes (e.g. to the firewall rule set or network access control lists (ACLs)) to support remediation can also be unclear and fragmented. It is not uncommon for incidents to be forwarded to the forensics team to investigate. They have the expertise needed to identify the source and activity of an attack; however, their goals are different from those of the incident response team: they are focused on assessing the extent of the damage of a breach, not on stopping it in real time. If the investigation is done during the forensics process, it is too late to effectively remediate the attack and prevent damage. It can be extremely difficult to ensure everyone who needs to be a part of the process is appropriately involved. Plus, because very few organizations have codified best practices, each incident is researched and a course of action decided as a one-off event, which results in duplicative activities and an inability to benefit from ongoing efficiencies.

Requirements for Effective Incident Response

To ensure attacks don't go unhandled until it's too late, organizations need automated incident response capabilities that replace manual processes and the need for human intervention. To close the gap between detection and remediation, organizations need intelligent incident response automation that can:

Improve decision making, enabling decisions to be made in advance for the best possible outcome. Without needing specific security or incident response expertise on hand, the solution should be able to leverage documentation of the best, most efficient way to respond appropriately and then remediate the breach.

Coordinate response, ensuring each and every alarm is investigated. The organization should be able to rule out false alarms and identify and eliminate large-scale events that combine multiple incidents or target multiple infected hosts, so activity can return to its normal state.

Limit attack impacts, accelerating the close-out of a breach. Solutions should be able to quickly validate, isolate, and remediate an attack before it can do any damage.

The Hexadite Approach: Redefining Incident Response

The Hexadite Automated Incident Response Solution automatically investigates each and every alarm to quickly identify and remediate any breaches. With the ability to pull in intelligence gathered throughout the organization, Hexadite is able to quickly identify affected devices and systems and close out breaches to protect an organization's resources. The Hexadite Automated Incident Response Solution is like having the power and intelligence of thousands of incident response specialists available to automatically neutralize any threat that comes up. The solution:

Leverages compute power and best practices to accelerate and improve decision making. It can quickly collect and analyze information that would otherwise be too time consuming or resource intensive to consider, such as data across 200 hosts, and incorporate it into intelligent decision-making algorithms to ensure the best possible outcome. Incident response best practices are codified in the logic of the system and automatically applied to help organizations optimize the effectiveness of their incident response efforts and reduce the need to invest in specialized incident response training. The easy-to-use solution integrates with an organization's infrastructure to ensure breaches can be handled with existing resources. On-demand reports allow an organization's team to simply demonstrate the effectiveness of their incident response activities.

Maximizes investigations to ensure an effective, coordinated response. The ability to investigate hundreds, even thousands, of alerts at once ensures nothing gets by and each and every alert is handled. Everything is checked, from low-level threats to large-scale events, to enable the rapid identification and mitigation of threats facing the organization.

Reduces the time to close incidents by up to 95% to mitigate attack impacts. The ability to close the window of opportunity for attackers with dynamic mitigation of all types of attacks, including advanced persistent threats (APTs), saves organizations the time and resources associated with recovering from a successful breach.

Hexadite's Benefits

Strengthens your security: quickly shutting down attacks and ensuring each and every alert is investigated to uncover hidden threats and protect against breaches that may otherwise go unhandled.

Increases your productivity: maximizing the effectiveness of your team with automated incident response processes and best practices; never again will you waste time investigating false alarms or spend hours trying to understand and mitigate the extent of a breach.

Reduces your costs: simplifying operations and minimizing damages and recovery times from attacks through rapid incident resolution.

Hexadite SWAT™ Technology: Automatically Serving Your Incident Response Needs

The foundation of the Hexadite Automated Incident Response Solution is Hexadite's SWAT™ Technology, a powerful combination of proprietary intelligent algorithms and tools designed to quickly and effectively uncover and remediate hidden threats.

[Figure: SWAT™ Technology, from alarm to mitigation. Stages: alerts generated; parallel investigations of all alerts; threat containment and remediation.]

The SWAT™ Technology receives alerts from all the different detection and security management systems throughout an organization's environment and analyzes them to determine whether they are threats or false alarms. SWAT™'s ability to conduct parallel incident investigations ensures that nothing goes unhandled. To understand exactly what is going on, the SWAT™ Technology actively gathers and analyzes additional information from other endpoints and network devices, as well as from Hexadite's threat intelligence cloud, which includes a repository of threat feeds, analysis logic, and partner APIs, to develop a holistic, contextual view of the threats facing the organization. SWAT™ can then determine what targeted mitigation action to take, such as closing a connection, killing a process, quarantining a file, or changing a firewall rule, based on incident response best practices, to stop the full extent of the breach. Depending on the level of control an organization requires over remediation actions, the Hexadite solution can be deployed in a fully automatic or semi-automatic mode. Default best practices come with the solution, and the organization can also apply custom logic. Once remediation has been performed, SWAT™ validates the effectiveness of the actions taken and ensures the window of opportunity for attackers has been closed. SWAT™ can confirm that remediation activity was fully performed and successful: for example, it can determine whether a user negated the action on their device, or associate a new alarm from a detection system with the same threat. As a result, organizations can confidently close out incidents and reduce the damage and disruptions from successful breaches.
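The requirements listed earlier (investigate every alarm, rule out false alarms, recognize large-scale events spanning several hosts, decide a targeted mitigation in advance, and then validate that it took effect) and the alarm-to-mitigation flow described in this section can be illustrated with a small Python playbook runner. This is an added example written for this page; it is not Hexadite's code and does not use Hexadite's APIs. The alert records, the threat-intel lookup table, the Environment class standing in for endpoints and a firewall, the failed-login escalation threshold, and the union-find correlation over shared indicators (a generalization beyond what the text spells out) are all constructed assumptions.

```python
"""Minimal automated incident-response loop: correlate alerts, enrich with
threat intel, choose a mitigation, execute it (auto or semi-auto), then
validate that the mitigation actually took effect.  Added example; all data
below is constructed and Environment stands in for real endpoints/firewall."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts, shaped like records a SIEM might forward
# (hypothetical field names).
ALERTS = [
    {"id": 1, "host": "ws-017", "type": "malware", "sha256": "aa11", "pid": 4242, "src_ip": "203.0.113.7"},
    {"id": 2, "host": "ws-017", "type": "c2_beacon", "src_ip": "203.0.113.7", "pid": 4242},
    {"id": 3, "host": "ws-023", "type": "c2_beacon", "src_ip": "203.0.113.7", "pid": 9001},
    {"id": 4, "host": "ws-031", "type": "failed_login", "user": "svc_backup", "count": 3},
]
# Constructed threat-intel lookup standing in for a threat-feed repository.
INTEL = {"ip": {"203.0.113.7": "known-c2"}, "hash": {"aa11": "trojan"}}
FAILED_LOGIN_ESCALATE = 10  # assumed threshold above which a login burst needs an analyst


@dataclass
class Environment:
    """Stand-in for the endpoints and firewall the playbook acts on."""
    processes: dict = field(default_factory=dict)  # host -> set of running pids
    quarantined: set = field(default_factory=set)  # (host, sha256) pairs
    blocked_ips: set = field(default_factory=set)

    def apply(self, action):
        kind = action[0]
        if kind == "kill":
            self.processes.setdefault(action[1], set()).discard(action[2])
        elif kind == "quarantine":
            self.quarantined.add((action[1], action[2]))
        elif kind == "block":
            self.blocked_ips.add(action[1])

    def still_effective(self, action):
        """Re-check live state: has the mitigation been undone (e.g. by the user)?"""
        kind = action[0]
        if kind == "kill":
            return action[2] not in self.processes.get(action[1], set())
        if kind == "quarantine":
            return (action[1], action[2]) in self.quarantined
        return action[1] in self.blocked_ips


def correlate(alerts):
    """Union-find over shared indicators (src_ip, sha256): alerts that share any
    indicator, transitively, become one incident instead of N separate tickets."""
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            x = parent[x]
        return x

    for a in alerts:
        for key in ("src_ip", "sha256"):
            if key in a:
                parent[find(f"alert:{a['id']}")] = find(f"{key}:{a[key]}")
    groups = defaultdict(list)
    for a in alerts:
        groups[find(f"alert:{a['id']}")].append(a)
    return list(groups.values())


def decide(incident, intel):
    """Codified playbook: enrich each alert with intel and map hits to targeted
    actions.  Returns (verdict, large_scale, actions)."""
    actions, verdict = [], "false_alarm"
    for a in incident:
        if intel["hash"].get(a.get("sha256")):
            verdict = "confirmed"
            actions += [("kill", a["host"], a["pid"]), ("quarantine", a["host"], a["sha256"])]
        if intel["ip"].get(a.get("src_ip")):
            verdict = "confirmed"
            actions += [("block", a["src_ip"]), ("kill", a["host"], a["pid"])]
        if verdict == "false_alarm" and a["type"] == "failed_login" \
                and a.get("count", 0) >= FAILED_LOGIN_ESCALATE:
            verdict = "needs_analyst"
    actions = list(dict.fromkeys(actions))  # de-duplicate, keep order
    large_scale = len({a["host"] for a in incident}) > 1  # multiple infected hosts
    return verdict, large_scale, actions


def validate(executed, env):
    """Post-remediation check: return the actions that did not stick."""
    return [a for a in executed if not env.still_effective(a)]


def run_playbook(alerts, intel, env, mode="auto"):
    """One report per correlated incident.  In semi-auto mode the actions are
    proposed for approval but nothing is executed."""
    reports = []
    for incident in correlate(alerts):
        verdict, large_scale, actions = decide(incident, intel)
        executed = []
        if verdict == "confirmed" and mode == "auto":
            for action in actions:
                env.apply(action)
                executed.append(action)
        reports.append({"alerts": sorted(a["id"] for a in incident), "verdict": verdict,
                        "large_scale": large_scale, "actions": actions,
                        "executed": executed, "not_effective": validate(executed, env)})
    return reports


if __name__ == "__main__":
    env = Environment(processes={"ws-017": {4242, 100}, "ws-023": {9001}})
    for report in run_playbook(ALERTS, INTEL, env):
        print(report)
    env.processes["ws-023"].add(9001)  # simulate the user relaunching the implant
    print("undone:", validate([("kill", "ws-023", 9001)], env))
```

The three C2 alerts collapse into one large-scale incident because they share an indicator, the failed-login alert is closed as a false alarm without consuming analyst time, and the final validate call is the step that catches a mitigation a user has negated. Switching mode to "semi" leaves the proposed actions in the report for approval without touching the environment.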

About Hexadite

Hexadite is changing the way cyber incident response is done, with the first fully automated incident response solution that enables customers to rapidly investigate and close out all cyber alerts in minutes instead of weeks or months. The Hexadite Automated Incident Response Solution maximizes a customer's ability to investigate alarms to understand and remediate the full extent of a breach. Through proprietary, intelligent automation, organizations can increase their team's productivity, reduce the ongoing costs associated with investigating and recovering from attacks, and strengthen their overall security. For more information, please visit www.hexadite.com.

References

[i] Rachel Abrams, "Target Puts Data Breach Costs at $148 Million, Forecasts Profit Drop", New York Times, Aug. 5, 2014.
[ii] Ponemon Institute Research Report, "2013 Cost of Cyber Crime Study: United States", Oct. 2013.
[iii] Steven Norton, "Cybersecurity Spending Reflects Limited Shift in Priority", Wall Street Journal, July 1, 2014.
[iv] "60% of US businesses have increased cyber security spend following recent wave of Cyber-Attacks", BAE Systems, Feb. 25, 2014.
[v] "Top 5 Reasons Incident Response is Failing", KPMG, 2012.
[vi] Information Week, 2014.

2014 Hexadite Ltd. All rights reserved. Hexadite, the Hexadite logo, Hexadite Automated Incident Response Solution, AIRS, and SWAT are trademarks or registered trademarks of Hexadite, Ltd. in the United States and in other countries. All other trademarks are property of their respective owners. Hexadite assumes no responsibility for any inaccuracies in this document. Hexadite reserves the right to change, modify, transfer, or otherwise revise this publication without notice.