You have just detected an attack and alerted the incident-response team, one of 38 investigations you will likely conduct this year. Half of these are probably generic malware attacks, but the rest are higher-risk targeted attacks or data breaches. Now you are working against the clock and against the potentially exponential rate of further infections, trying to get your systems back to a known state.
What happens if you cannot stop the attack soon enough? We have all seen the immediate and public effects of a security breach, but what happens afterwards? You have isolated the machines that you think are infected and begun the laborious process of cleaning them. Or you buy new machines and operate completely separate networks while you carefully scrub and transfer data from the old to the new. Or maybe you find yourself so deep in a hole so quickly that you cannot dig your way out, so you just work around the infected machines.
These and other security scenarios are playing out at organizations around the world. Attackers are shifting to focused, designer attacks targeting specific companies and individuals. They have been testing the behaviors of preventative technologies and are learning how to get through security defenses and minimize detection. A fast and active incidence-response capability is now an important part of your overall security plan.
Our research underlines the importance of responding effectively within the first hour. You are probably already struggling with the volume of security data. There is so much data flowing in from your existing tools that it takes a long time to analyze it, delaying your response. Or you have made compromises on the data being collected, and you are missing important indicators of attack.
Speeding up incident detection and gaining an understanding of the potential impact and scope are the most important tasks in reducing risk. What you need is the ability to perform live investigations. Using historical data as the foundation, automated endpoint collectors can learn the system’s state and context, watching for any changes to network flow, registries, or processes that may indicate an attack. This also includes deleted files or dormant components, tricks that are commonly used to evade detection.
Quickly alerted to an attack and its potential scope, the next important tasks are taking action to minimize the impact, identifying which assets remain vulnerable, and updating security controls. When the endpoint collectors detect an attack event, they send alerts to security central. But you can also configure them to trigger other actions, depending on the nature of the alert. Do you want additional data collection, temporary changes to user privileges, or some other custom action that will assist the response team?
You can also trigger an investigation across all systems in the organization, greatly expanding the scale of your response. You no longer need to make assumptions about the attack’s progress, which can result in an artificially limited view of the affected systems. If you cannot scale the response fast and far enough, you could allow the criminals to work freely in one area while you try to contain just a portion of the infection.
Time and scale are the prime limiters of incidence response. Greater automation of data collectors, security triggers, and predefined reactions helps you detect sooner, respond faster, and hunt farther than you could before.