Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
11/12/2015
10:44 AM
Torry Campbell
Torry Campbell
Partner Perspectives
50%
50%

Incidence-Response Imperative: Take Immediate Action

Something malicious this way comes. A fast reaction can reduce your risk.

You have just detected an attack and alerted the incident-response team, one of 38 investigations you will likely conduct this year. Half of these are probably generic malware attacks, but the rest are higher-risk targeted attacks or data breaches. Now you are working against the clock and against the potentially exponential rate of further infections, trying to get your systems back to a known state.

What happens if you cannot stop the attack soon enough? We have all seen the immediate and public effects of a security breach, but what happens afterwards? You have isolated the machines that you think are infected and begun the laborious process of cleaning them. Or you buy new machines and operate completely separate networks while you carefully scrub and transfer data from the old to the new. Or maybe you find yourself so deep in a hole so quickly that you cannot dig your way out, so you just work around the infected machines.

These and other security scenarios are playing out at organizations around the world. Attackers are shifting to focused, designer attacks targeting specific companies and individuals. They have been testing the behaviors of preventative technologies and are learning how to get through security defenses and minimize detection. A fast and active incidence-response capability is now an important part of your overall security plan.

Our research underlines the importance of responding effectively within the first hour. You are probably already struggling with the volume of security data. There is so much data flowing in from your existing tools that it takes a long time to analyze it, delaying your response. Or you have made compromises on the data being collected, and you are missing important indicators of attack.

Risk Reduction

Speeding up incident detection and gaining an understanding of the potential impact and scope are the most important tasks in reducing risk. What you need is the ability to perform live investigations. Using historical data as the foundation, automated endpoint collectors can learn the system’s state and context, watching for any changes to network flow, registries, or processes that may indicate an attack. This also includes deleted files or dormant components, tricks that are commonly used to evade detection.

Quickly alerted to an attack and its potential scope, the next important tasks are taking action to minimize the impact, identifying which assets remain vulnerable, and updating security controls. When the endpoint collectors detect an attack event, they send alerts to security central. But you can also configure them to trigger other actions, depending on the nature of the alert. Do you want additional data collection, temporary changes to user privileges, or some other custom action that will assist the response team?

You can also trigger an investigation across all systems in the organization, greatly expanding the scale of your response. You no longer need to make assumptions about the attack’s progress, which can result in an artificially limited view of the affected systems. If you cannot scale the response fast and far enough, you could allow the criminals to work freely in one area while you try to contain just a portion of the infection.

Time and scale are the prime limiters of incidence response. Greater automation of data collectors, security triggers, and predefined reactions helps you detect sooner, respond faster, and hunt farther than you could before.

Torry Campbell is the Chief Technology Officer for Endpoint and Management technologies for Intel Security, formerly McAfee. From a decade at McAfee, he couples his security operations background with product management, development, and customer implementation experience to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...
CVE-2020-8247
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...