
Partner Perspectives
3/25/2015 12:10 PM
Ryan Allphin

Preparing for a Breach: The Charge of the Security Brigade

Automation is key to shorter response times and better containment.

Breaches to the right of you,
Breaches to the left of you,
Breaches in front of you,
Broken and plunder’d.
(With apologies to Alfred, Lord Tennyson)

Hopefully your security outlook is not as bleak as the ill-fated “Charge of the Light Brigade.” Sometimes it may seem that it is only a matter of time before there is a security breach where you work. All around you, organizations are being attacked and compromised, billions of pieces of personal or confidential data have been stolen, and it appears that no one is immune from attack. Security resources are under pressure, being asked to do more with less, while the rate of attacks increases and the amount of security data to sift through is mind-numbing.

Policy-based automation is a key security resource at hand that was not available to the Light Brigade.

“Automation Is The Answer. Given the consequences of data breaches, businesses can no longer rely on passive, manual procedures to defend against them. The only way to protect the exfiltration of our data by hackers and cybercriminals is to provide our security teams with a set of rules that will incentivize automated response.” —John Kindervag and Stephanie Balaouras, Forrester, “Rules Of Engagement: A Call to Action to Automate Breach Response.”

Normalization of security data, correlation of events, and automated remediation using security analytics can reduce the transactional workload of your security staff, freeing them to focus on the most credible and most important issues. It’s part of clearing away the clutter and noise so your experts can see the relevant signals.

Before you can automate incident response, you need to establish a baseline of what is normal. For this, you must know your day-to-day infrastructure patterns and facts:

  • which devices should be present on which network segments
  • which software applications are approved
  • which configurations are valid
  • which network protocols are permitted on each segment
  • where the authorized wireless access points are
  • which user accounts are valid on each segment

Armed with this baseline and corporate policies, security analytics can detect unapproved or undesired activity and tell the endpoints to stop a malicious process, capture a forensic image for later investigation, and then delete unwanted files (image first, so that remediation does not destroy the evidence). If the host is too heavily compromised to clean, it can be reimaged from a known-good state. When a malicious file is confirmed, the analytics engine can mine historical data to locate past events or related artifacts (indicators of attack or compromise), or add the file to a watch list for future appearances. Humans can do all of these things, but it takes them longer to assess and act, giving the attack more time to spread in an endless game of catch-up.

At the network layer, policies defined in the security management platform can automatically block unwanted traffic based on parameters you define, such as IP address, system name, port, protocol, or physical switch port, and add the relevant information to a watch list. Suspicious traffic can be redirected for packet capture and later forensic analysis.
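As an added example (not code from this article or from any McAfee product), the following Python sketch ties the baseline list above to the host- and network-layer responses just described: normalized events are checked against a per-segment baseline, and each deviation is turned into a response action plus a watch-list entry. The segments, host names, accounts, hashes, event records and action names are all constructed for illustration; a real deployment would map the action names onto whatever the endpoint agent and network controls actually expose.

```python
"""Baseline-driven detection with policy-based automated response.

Added example, not code from the article or from any McAfee product.
The baseline, the event records and the action names are constructed.
"""
import ipaddress
from collections import Counter

# What "normal" looks like, per network segment (constructed values).
BASELINE = {
    "segments": {
        "10.1.0.0/16": {"devices": {"ws-101", "ws-102", "ws-103"},
                        "accounts": {"alice", "bob", "carol"},
                        "protocols": {"tcp/443", "tcp/80", "udp/53"}},
        "10.2.0.0/16": {"devices": {"web-01", "web-02"},
                        "accounts": {"svc-web"},
                        "protocols": {"tcp/443", "tcp/22"}},
    },
    "approved_software": {"outlook.exe", "excel.exe", "chrome.exe", "nginx", "sshd"},
    "authorized_aps": {"00:11:22:33:44:55"},
}


def segment_for(ip):
    """Return the baseline segment (CIDR string) containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in BASELINE["segments"]:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


class Responder:
    """Evaluate normalized events against the baseline and emit actions.

    State: the watch list of indicators seen so far, and a per-host count of
    malicious processes that decides when a host is reimaged rather than
    cleaned (REIMAGE_AFTER is a policy knob; 2 here).
    """
    REIMAGE_AFTER = 2

    def __init__(self):
        self.watch_list = set()
        self.kills = Counter()

    def evaluate(self, ev):
        actions = []
        seg = segment_for(ev["ip"]) if "ip" in ev else None
        policy = BASELINE["segments"].get(seg, {})
        kind = ev["type"]

        if kind == "inventory" and ev["host"] not in policy.get("devices", set()):
            # Device not expected on this segment: block its address, watch it.
            actions.append({"action": "block_traffic", "by": "ip", "value": ev["ip"]})
            self.watch_list.add(("ip", ev["ip"]))

        elif kind == "process" and ev["image"].lower() not in BASELINE["approved_software"]:
            # Unapproved executable: stop it, preserve evidence, then remove it.
            self.kills[ev["host"]] += 1
            actions += [{"action": "stop_process", "host": ev["host"], "image": ev["image"]},
                        {"action": "forensic_image", "host": ev["host"]},
                        {"action": "delete_file", "host": ev["host"], "image": ev["image"]}]
            self.watch_list.add(("sha256", ev["sha256"]))
            if self.kills[ev["host"]] >= self.REIMAGE_AFTER:
                actions.append({"action": "reimage", "host": ev["host"]})

        elif kind == "flow":
            src_policy = BASELINE["segments"].get(segment_for(ev["src"]), {})
            if ev["proto"] not in src_policy.get("protocols", set()):
                # Block at the physical switch port when known, else by IP,
                # and divert the conversation for packet capture.
                by, value = (("switch_port", ev["switch_port"]) if "switch_port" in ev
                             else ("ip", ev["src"]))
                actions += [{"action": "block_traffic", "by": by, "value": value},
                            {"action": "redirect_for_capture", "src": ev["src"], "dst": ev["dst"]}]
                self.watch_list.add(("ip", ev["dst"]))

        elif kind == "auth" and ev["user"] not in policy.get("accounts", set()):
            # Account not valid on this segment: block the system, watch the account.
            actions.append({"action": "block_traffic", "by": "system_name", "value": ev["host"]})
            self.watch_list.add(("account", ev["user"]))

        elif kind == "wifi" and ev["bssid"] not in BASELINE["authorized_aps"]:
            # Rogue access point: nothing of ours to block, so watch and escalate.
            self.watch_list.add(("bssid", ev["bssid"]))
            actions.append({"action": "escalate", "reason": "unauthorized AP", "bssid": ev["bssid"]})

        return actions


# Constructed, normalized events in the order a SIEM might deliver them.
EVENTS = [
    {"type": "inventory", "host": "ws-101", "ip": "10.1.5.20"},
    {"type": "inventory", "host": "rogue-pi", "ip": "10.2.0.44"},
    {"type": "process", "host": "ws-102", "ip": "10.1.5.21", "image": "outlook.exe", "sha256": "1111"},
    {"type": "process", "host": "ws-102", "ip": "10.1.5.21", "image": "mimikatz.exe", "sha256": "beef"},
    {"type": "flow", "src": "10.1.5.21", "dst": "203.0.113.7", "proto": "tcp/4444", "switch_port": "Gi1/0/12"},
    {"type": "flow", "src": "10.2.0.10", "dst": "198.51.100.9", "proto": "tcp/443"},
    {"type": "auth", "host": "web-01", "ip": "10.2.0.10", "user": "alice"},
    {"type": "process", "host": "ws-102", "ip": "10.1.5.21", "image": "dropper.exe", "sha256": "cafe"},
    {"type": "wifi", "bssid": "66:77:88:99:aa:bb", "ssid": "CorpWifi"},
]

if __name__ == "__main__":
    r = Responder()
    for ev in EVENTS:
        print(ev["type"], "->", [a["action"] for a in r.evaluate(ev)])
    print("watch list:", sorted(r.watch_list))
```

The point of the per-host counter is that "reimage" is a destructive action and should be a policy decision, not a reflex: the first unapproved process on ws-102 is stopped and imaged, the second one triggers the rebuild.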

Aggregating and correlating security incidents in a centralized defensive system lessens the noise in your security alerts. Automating responses to known threats, whitelist violations, unauthorized user accounts, and other clear indicators of attack or compromise reduces response time, containing the threat before it can achieve its objective. Visibility into these events and the counteractions taken gives the security team evidence that an attack may be under way.

The Next Frontier: Incident Response

These host- and network-based responses are all possible today, and they free up resources to tackle the next frontier: enriching and guiding incident response based on the event sequence and the contents of a suspicious file. Data extracted from a malicious file, such as the related files it drops and the IP addresses it contacts, can drive targeted reactions. The file and its history also tell a meaningful story for investigative tools and processes that can hunt throughout your infrastructure. Tools are becoming available that automate searches for file name, hash (MD5 or SHA-1; SHA-256 should be carried alongside them, since attacker-chosen MD5 collisions are practical and two files with the same MD5 need not be the same file), severity of the convicted file, the gateway or device that first detected it, the message that carried it, the source and destination systems, and the source URL. Leveraging a centralized platform, systems and traffic that share these attributes can be assessed for compromise while the attributes are monitored via a watch list for future events.

When events surface from historic or dynamic watch lists, the host and network-based automation options can be used again, with surgical precision.
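The pivot described in the two paragraphs above, as an added example in Python (not code from this article or from any McAfee product): starting from one convicted hash, the script mines a constructed event history for everything that shares a pivotable attribute (hash, URL, sender, message ID) and for what each infected host did in the minutes after executing the file, then uses the resulting indicator set as a dynamic watch list against new events. The history, the hosts, the hashes and the ten-minute follow window are all assumptions made for illustration.

```python
"""Pivot from a convicted file through historical events and keep a watch list.

Added example, not code from the article or from any McAfee product. The
event history, the convicted file and the new events are constructed.
"""
from datetime import datetime

# Constructed, normalized history from a mail gateway, a web proxy and endpoints.
HISTORY = [
    {"ts": "2015-03-20T09:02:11", "src": "mailgw-1", "kind": "mail", "msg_id": "<a1@evil.example>",
     "from": "billing@evil.example", "to": "bob", "file": "invoice.pdf.exe", "sha256": "beef"},
    {"ts": "2015-03-20T09:03:30", "src": "mailgw-1", "kind": "mail", "msg_id": "<a2@evil.example>",
     "from": "billing@evil.example", "to": "carol", "file": "invoice.pdf.exe", "sha256": "beef"},
    {"ts": "2015-03-20T09:05:40", "src": "ws-102", "kind": "exec", "file": "invoice.pdf.exe",
     "sha256": "beef", "user": "bob"},
    {"ts": "2015-03-20T09:06:02", "src": "proxy-1", "kind": "http", "client": "ws-102",
     "url": "http://203.0.113.7/stage2.bin", "sha256": "cafe"},
    {"ts": "2015-03-20T09:06:03", "src": "ws-102", "kind": "exec", "file": "stage2.bin",
     "sha256": "cafe", "user": "bob"},
    {"ts": "2015-03-21T08:00:00", "src": "ws-103", "kind": "exec", "file": "excel.exe",
     "sha256": "1111", "user": "carol"},
    {"ts": "2015-03-21T14:11:09", "src": "proxy-1", "kind": "http", "client": "ws-105",
     "url": "http://203.0.113.7/stage2.bin", "sha256": "cafe"},
]

PIVOT_KEYS = ("sha256", "url", "from", "msg_id")  # attributes worth chasing across events
FOLLOW_WINDOW_S = 600  # a host's events within 10 min after running a convicted file are related


def indicators_of(ev):
    return {(k, ev[k]) for k in PIVOT_KEYS if k in ev}


def host_of(ev):
    """The endpoint an event is about; proxy events name it as 'client'."""
    if "client" in ev:
        return ev["client"]
    return ev["src"] if ev["kind"] == "exec" else None


def pivot(history, seed):
    """Expand from one convicted indicator until nothing new is found.

    Attribute pivot: any event sharing a watched sha256/url/sender/message id.
    Sequence pivot: what a host did in the window right after it executed a
    convicted file, which is how the second-stage download gets pulled in.
    """
    indicators, seen, related = {seed}, set(), []

    def take(i):
        seen.add(i)
        related.append(history[i])
        indicators.update(indicators_of(history[i]))

    changed = True
    while changed:
        changed = False
        for i, ev in enumerate(history):
            if i in seen or not (indicators_of(ev) & indicators):
                continue
            take(i)
            changed = True
            if ev["kind"] == "exec":
                t0 = datetime.fromisoformat(ev["ts"])
                for j, follow in enumerate(history):
                    if j in seen or host_of(follow) != ev["src"]:
                        continue
                    dt = (datetime.fromisoformat(follow["ts"]) - t0).total_seconds()
                    if 0 <= dt <= FOLLOW_WINDOW_S:
                        take(j)
    related.sort(key=lambda e: e["ts"])
    return {
        "indicators": indicators,
        "hosts": {host_of(e) for e in related if host_of(e)},
        "recipients": {e["to"] for e in related if e["kind"] == "mail"},
        "events": related,
    }


def match_watch_list(indicators, new_events):
    """Return (event, matching indicators) for new events that hit the watch list."""
    hits = []
    for ev in new_events:
        m = indicators_of(ev) & indicators
        if m:
            hits.append((ev, m))
    return hits


# Constructed events arriving later: one reuses the sender, one is benign.
NEW_EVENTS = [
    {"ts": "2015-03-22T10:00:00", "src": "mailgw-1", "kind": "mail", "msg_id": "<b7@evil.example>",
     "from": "billing@evil.example", "to": "dave", "file": "receipt.scr", "sha256": "f00d"},
    {"ts": "2015-03-22T10:01:00", "src": "proxy-1", "kind": "http", "client": "ws-101",
     "url": "https://www.example.com/", "sha256": "2222"},
]

if __name__ == "__main__":
    result = pivot(HISTORY, ("sha256", "beef"))
    for e in result["events"]:
        print(e["ts"], e["kind"], host_of(e) or e["src"], e.get("file") or e.get("url"))
    print("hosts:", result["hosts"], "recipients:", result["recipients"])
    print("watch list hits:", [m for _, m in match_watch_list(result["indicators"], NEW_EVENTS)])
```

Note which attributes are deliberately not pivot keys: host names and user names are recorded as affected systems and recipients, but pivoting on them would drag every unrelated event from a busy workstation into the incident. The sequence pivot is what finds ws-105 here: it never ran the original attachment, but it fetched the same second stage that ws-102 pulled down seconds after executing it.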

These are some ways that automated cyberthreat response reduces the workload of your security team, freeing them to focus on improving defenses and responding to unknown incidents. These are all options today for active incident response. As we shift to adaptive security management, look to machine learning to automatically add newly identified threats to the watch list, training the system to respond to threats as they become known. The increased sharing of threat intelligence and indicators of compromise and the ability of security analytics and management systems to consume and respond to these via standardized interfaces build an additional layer of validation, credibility, and confidence. These advances will help analysts continue to focus on the unknown and suspicious -- the place where the people factor remains critical.

Things may not be as bleak as the “Charge of the Light Brigade,” but you do need to be prepared for a security incident. Challenge your security analytics and management infrastructure to be your ally in the battle by understanding your business baseline and helping you detect, deflect, and facilitate correction. Otherwise, you are just charging off:

Yours not to reason why,
Yours but to do and die.

Ryan Allphin is responsible for defining and executing the strategic direction for the McAfee Security Management business, which includes McAfee's flagship product ePolicy Orchestrator (ePO), Enterprise Security Manager (SIEM), Data & Threat Intelligence Exchange, ...