Incident response is a critical business process that involves many moving parts beyond IT. Yet new technologies in the areas of threat detection and response claim to remediate security incidents and monitor alerts, so overworked staff doesn't have to spend hours on manual data collection and threat analysis before reimaging a system.
Security analysts could use the help. The Verizon 2015 Data Breach Investigations Report compiled 79,790 security incidents (small, large and unknown) and 2,122 confirmed data breaches across organizations in 61 countries. The "defender-detection deficit" in the incident response process between the time of compromise and discovery is one of the primary challenges facing the industry, according to the authors. In 60% of the reported cases, the compromise by attackers occurred within minutes, while defenders failed to detect compromises within the same time frame. However, 2014 showed the smallest deficit (See: The Defender-Detection Deficit). The total number of malware events across organizations for the reported period was 170 million, or five malware events per second. And that's only malware.
Multiple security technologies aim to shorten the time between threat detection and response but can vary widely in terms of scope, data analysis and threat intelligence capabilities. Like security information and event management (SIEM), implementing and operating endpoint detection and response (EDR) systems correctly is challenging and may require dedicated staff to reap the benefits. Security intelligence platforms that rely on machine learning and data analytics for threat detection, incident response and "recovery" raise similar concerns.
What are best practices for the security community as these "SOC analyst in a box" technologies flood the market?
Mind the gaps
"Focus tools and process efforts on three incident response gaps: time to detect, time to confirm and time to respond or fix," says Anton Chuvakin, research vice president in Gartner's GTP security and risk management group. Many companies become aware of a security event but take hours or days to perform triage and finally remediate it. The incident response process can vary based on the security incident, which may involve malware breach and containment, DDoS attacks, or information disclosure.
Three years ago, Chuvakin coined the term endpoint threat detection and response (ETDR) on his blog to describe a new category of endpoint visibility tools that enabled security analysts to perform suspicious data investigation, historical search and system data exploration on endpoints and servers from a centralized management console. CrowdStrike, Carbon Black (which has since merged with advanced threat prevention vendor Bit9), Guidance Software and computer forensics specialist Mandiant (acquired by FireEye in 2014) were among the early vendors offering these types of capabilities. Since then, the category has ballooned to upwards of 30 products.
"Many, many security tools are useful for incident response," says Chuvakin. "But certainly SIEM, EDR/ETDR, network forensics and traffic analysis as well as threat intelligence often feature as most useful."
Together, these technologies are designed to automate portions of the incident response process by gathering a series of suspicious activities or events from a centralized data repository, such as log management systems or SIEM, and performing data analysis of threats. Once an anomaly or indicator of compromise (IOC) is detected, these tools often integrate with sandboxing technologies to quickly "investigate" potential malware, for example, and help companies document and report security incidents in accordance with compliance guidelines. Endpoint threat detection tools from vendors such as Mandiant are paired with professional IR services.
Still no incident response process
As recent breaches have shown, centralized security management and basic controls are still lacking at many organizations. Medium to enterprise-scale organizations that follow a security framework should have incident response teams, as recommended by NIST SP 800-61 Rev. 1. Despite a flurry of activity to shore up incident response capabilities after high-profile breaches in 2014, many companies get a failing grade here, too.
While no industry standards "actively include EDR capabilities," according to Lawrence Pingree, Gartner research director and author of the 2014 study Competitive Landscape: Endpoint Detection and Response Tools, they could eventually be adopted into PCI and other regulatory mandates.
Having a CISO on board may benefit security analysts, however. A December survey of 200 U.S. security professionals, sponsored by ThreatTrack Security, found that 94% of enterprises with CISOs had dedicated incident response teams or security operations centers (SOCs), compared to 48% of organizations without a chief of security.
With or without internal resources, every incident response process should have a trigger point to call in an IR or forensics firm, managed security services provider (MSSP) or system integrator's IR team, according to Gartner. "Some incidents will exceed your capabilities and you should plan for external help," says Chuvakin.
"It's better to know some of the questions than all of the answers," agrees Lenny Zeltser, product management director at NCR Corp. A cyberforensics expert who teaches courses on digital forensics and antimalware for the SANS Technology Institute, Zeltser takes control of an incident by being prepared and knowing what to ask after the initial survey:
- How was the incident qualified?
- What tools or commands were launched?
- Any containment steps taken?
- Any suspicious activity in the logs?
- What security alerts were generated?
"Even experts need checklists and references when handling a stressful situation, and most incident response scenarios can be classified as stressful," says Zeltser, who offers a series of free "cheat sheets" on his blog for qualified incident response in areas such as Windows and Linux intrusions, DDoS and initial security incident response handling.
Many companies have moved away from "formal" forensics that requires extensive documentation, training and specialized tools, according to Zeltser, in favor of live analysis in order to return to normal business operations as soon as possible.
Recommendations for better response
The incident response process requires the human touch and cannot be fully automated, says Gartner's Anton Chuvakin. A mix of tools and process can help if you follow a few guidelines:
- Remember that prevention will fail, so don't blow your entire budget on preventative tools and practices.
- Deploy tools focused on rapidly getting answers about what is going on in your network, systems and cloud. You need to know the environment better than the attacker.
- Focus tools and process efforts on the three IR gaps: time to detect, time to confirm (triage) and time to remediate.
- Be ready for something unthinkable in the recent past: Your incident response process will fail to get the attacker off your network. If you engage in combat, the attacker will win.
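To make Chuvakin's three gaps measurable rather than aspirational, here is an added example (not from the article, Gartner or any vendor) that computes time to detect, time to confirm and time to remediate from constructed incident timestamps and reports which gap consumes the most median time. The Incident fields, the sample data and the 60-minute detection threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

GAPS = ("detect", "confirm", "respond")


@dataclass
class Incident:
    """Timestamps a ticketing system or SIEM would record for one incident (assumed fields)."""
    ident: str
    compromised: datetime   # earliest evidence of attacker activity
    detected: datetime      # first alert raised
    confirmed: datetime     # triage finished, declared a true positive
    remediated: datetime    # containment or fix complete


def gaps(inc: Incident) -> dict:
    """Return the three IR gaps in minutes; reject records whose timestamps are out of order."""
    if not (inc.compromised <= inc.detected <= inc.confirmed <= inc.remediated):
        raise ValueError(f"{inc.ident}: timestamps out of order")
    minutes = lambda a, b: (b - a).total_seconds() / 60
    return {
        "detect": minutes(inc.compromised, inc.detected),
        "confirm": minutes(inc.detected, inc.confirmed),
        "respond": minutes(inc.confirmed, inc.remediated),
    }


def summarize(incidents, detect_sla_min: float = 60) -> dict:
    """Median of each gap, share of incidents detected later than the SLA, and the dominant gap."""
    rows = [gaps(i) for i in incidents]
    summary = {k: median(r[k] for r in rows) for k in GAPS}
    late = sum(1 for r in rows if r["detect"] > detect_sla_min)
    summary["pct_detect_over_sla"] = round(100 * late / len(rows), 1)
    summary["bottleneck"] = max(GAPS, key=lambda k: summary[k])  # where to focus tools and process
    return summary


# Constructed sample: one fast catch, one multi-day detection miss, one slow triage.
T = datetime(2015, 6, 1, 9, 0)
SAMPLE = [
    Incident("INC-1", T, T + timedelta(minutes=5), T + timedelta(minutes=45), T + timedelta(hours=4)),
    Incident("INC-2", T, T + timedelta(days=2), T + timedelta(days=2, hours=3), T + timedelta(days=3)),
    Incident("INC-3", T, T + timedelta(minutes=30), T + timedelta(hours=6), T + timedelta(hours=30)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```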
Unlike preventative technology, these tools need humans to interpret vague signals and make sense of historical data such as days-old malware. The challenge for vendors is not to make these platforms fully automated, which is impossible, says Chuvakin. It's to enable a regular security analyst to "be an IR ninja." Threat detection and response tools should be a "force-multiplier" for staff with basic IR and security skills, not a replacement. "Sure, an elite analyst can hunt for threats given a Hadoop-full of security data, but this requires so many esoteric skills it is not even funny. So tools should seek to enable similar processes and -- hopefully -- similar results for regular security personnel," he says. "They can help as long as you actually have people using them."
Mobile threat detection and response was not an early strength in many of these tools but that may be changing. Resolution1 Security, which offers detection and response capabilities for iOS and Android, was acquired by Fidelis Cybersecurity in May 2015. For companies that want to explore open source, Netflix has released its Fully Integrated Defense Operation technology on GitHub.
Organizations also need to be ready for a reality that was once unthinkable: "Your IR effort will fail to get the attacker off your network," asserts Chuvakin. "You can get into a 'hand-to-hand combat' with the attacker and they will win. In the past, we always assumed 'we detect, we clean and we win.' Now, [that's] not always the case."