Here we go, again. The recent Petya ransomware attack caught the EU off guard and created chaos that rippled through organizations wide and far. Luckily, it was not as severe as Wannacry, but it reinforces the fact that companies are still not prepared with the right incident response processes or tools to quickly identify and take the necessary steps to get a suspected cyber-attack under control.
Why is that? Well, there are many factors, but one of the big ones comes down to the fact that there are just too many intrusion alerts being received from next-generation firewalls, IDS/IPS solutions, modern SIEMs, and other security technologies – up to 5,000 a day! Even organizations with large, highly trained security teams are struggling to keep up with the volume. Manually combing through the alerts to determine which incidents are worth further investigation is not a viable solution in the face of broad wide-scale attacks.
Petya impacted many organizations across many industries, but some of the most disturbing examples were the financial institutions in Russia and the Ukraine. Given the nature of critical financial and client data held by these such organizations, it would make sense that any breach will necessitate the execution of an incident response process, beginning with breach identification and progressing to breach investigation to containment and remediation.
All of this must occur very quickly to meet compliance requirements with any data privacy regulations. If GDPR was in effect (coming in May 2018), organizations with impacted databases that include EU citizen data would be required, within 72 hours, to report not only the breach to authorities, but exactly what records were exposed, and why current processes in place did not protect these records. More, all of this would have to be followed up by a go-forward plan to show how the organization would mitigate such exposure in the future. That's a pretty tall order given the current state of incident response processes and tools as well as the manual effort involved (remember 5,000 alerts a day.)
Given that data breaches aren't slowing down, and that network-borne breaches are getting harder to catch, a new approach is needed to give SoC teams and other security resources an edge. Clearly, there needs to be a better way to perform more effective breach identification and a timely conclusion of any forensic investigation.
What steps can an organization take to accelerate incident response?
Imagine if the security teams had a way to cut through the alert noise by making their existing tools perform better, get real-time notification of a potential intrusion, and access the evidence needed to prove compliance. After all, wouldn’t that be the perfect way to accelerate incident response?
ARIA Cybersecurity Solutions' were designed for exactly this purpose.
Our ARIA SDS Packet Intelligence application monitors traffic paths across your entire enterprise – public cloud, on-premises, and data centers. It then feed your existing security tools, such as a SIEM, with NetFlow data, enabling better performance in regards to threat detection, identification, and containment. Another benefit is that the amount of data needed for ingest decreases, therefore saving money and resources.
In addition, our nVoy 10Gbit Packet Recorder (in conjunction with ARIA SDS) will ingest network traffic directed to it and in real-time capture, filter, record, and index all the data for quick retrieval into extract files. The recording process is continuous, 365×7, thus providing the detailed data needed to perform forensic analysis.
Having these recordings available for on-demand access allows companies to create extract files around particular data conversations that "go back in time." This helps them truly understand the full scope of the incident in order to determine what data was accessed, when the breach began, when it ended, and what other assets may have been impacted. This alone provides security teams with a powerful solution to make their incident investigation and response much more focused, and thus, much more effective.
Our ARIA Automated Investigative Response (AIR) application has taken it one step further by automating two critical elements of the incident investigation process:
- Match an intrusion alert to an actual data breach and
- extract the conversations related with that breach.
It assesses all alerts issued by a firewall or IDS/IPS to determine if any are against a user-specified list of critical assets (devices, applications, or combination of the two). If so, then the application triggers the nVoy Packet Recorder to automatically generate an extract file of all the data associated with that alert.
By automating these two pieces – the alert identification and extraction of conversations – it eliminates manual intervention and thus drastically reduces the risk of missing an alert, puts resources to better use, and most importantly, saves crucial time during the incident investigation.
About ARIA Cybersecurity Solutions
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.