Not All Security Incidents Are Created Equal
With all the intrusion alerts received in a day (in some cases up to 5,000 a day), it is important for companies to quickly determine the answer to one important question: what exactly is an intrusion that should be investigated? And more importantly, what can organizations do to improve their incident response processes? This article takes a closer look at these issues and offers a framework to help define, streamline, and accelerate cyber-attack incident response processes.
Not All Incidents Are Created Equal
We recently participated in a valuable panel session at the SecureWorld Boston event. The participants represented a wide range of backgrounds and roles and contributed to a lively conversation about the current and future trends in cyber-security.
One of the most interesting topics was initially posed as a question: "What exactly is an information security incident?"
Broadly speaking, a security incident can be thought of as something unknown running inside your environment (whether cloud, on-premises or data center). It can also be the presence of something unexpected in your environment, or conversely, something missing from it. In most cases, an incident will result in an intrusion alert that comes from one or more of your existing installed security tools, like a next-generation firewall or modern SIEM, which the InfoSec or SOC teams must then investigate.
Initially, people tend to think of an IT incident in the context of a cyber-attack. That is often true, but at a higher level you can break incidents down into two types: operational and security. An operational incident, such as a server going down, is often assigned to an IT help desk and is generally not considered a malicious event.
Should you react to all intrusion alerts or potential security incidents in the same way? The short answer is no, in part because of the sheer volume of alerts InfoSec teams would have to investigate. As stated above, research shows that organizations can receive an average of 5,000 intrusion alerts per day, generated from existing security tools such as firewalls, IDS and IPS systems, SIEMs, and more. There just aren't enough resources, or hours in the day, to follow up on them all. But the question remains: how do you quickly identify the real intrusions that may turn into breaches?
Considerations when forming an incident response process
So, what's an organization to do? The following are just a few items any organization should think about as they look to improve their cyber-attack incident response processes:
- Define what a malicious security incident looks like to your organization. Perhaps you're willing to accept the loss of an individual PC to a malware attack, especially if you're able to quickly contain and isolate that PC from the network. However, having a server go offline or an application disappear, especially one that uses or stores sensitive data, is much more serious – and warrants a higher level of scrutiny.
- Decide how and when to involve the end user. If the organization decides that user logins at odd times of the day or a series of failed logins are worth investigating, one of the fastest ways to resolve the question is to check in with the user directly and "trust but verify" the unusual behavior.
- Establish an infrastructure that makes it as difficult as possible to penetrate. For example, an infrastructure that remains stagnant is easier to penetrate than one that mandates password updates and/or two-factor authentication. Raising the bar in this way increases the chances that a security event can be caught earlier in the process.
- Determine who from the organization should be involved during all stages of the investigation process. Perhaps the effort starts with a small team of internal staff, and then expands to include more resources from management or the larger IT team. Preplanning is critical, and with the plan published ahead of time, an organization can pull together a well-coordinated, timely response to the attack.
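The criteria above (asset type, whether the asset holds sensitive data, odd-hour logins, runs of failed logins, and the operational-versus-security split) can be written down as a triage rule so analysts apply them consistently. The following is an added illustration, not code from the original article or from ARIA; the alert fields, severity names, business-hours window and failed-login threshold are all assumptions.

```python
from dataclasses import dataclass
from collections import Counter

# Severity order used to sort the queue; thresholds are assumed values.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
BUSINESS_HOURS = range(8, 19)        # assumed 08:00-18:59 local time
FAILED_LOGIN_THRESHOLD = 5           # assumed meaning of "a series of failed logins"

@dataclass
class Alert:
    source: str           # tool that raised it: "siem", "ids", "firewall"
    asset_type: str       # "workstation", "server" or "application"
    sensitive_data: bool  # does the asset use or store sensitive data?
    event: str            # "malware", "offline", "login", "failed_logins"
    hour: int             # local hour (0-23) the event occurred
    count: int = 1        # e.g. failed logins seen in the window

def triage(a: Alert) -> tuple[str, str]:
    """Map one alert to (severity, next action) using the article's criteria."""
    if a.event == "offline" and a.asset_type == "workstation":
        return "info", "operational incident: route to IT help desk"
    if a.event in ("malware", "offline") and a.asset_type in ("server", "application"):
        sev = "critical" if a.sensitive_data else "high"
        return sev, "security incident: open investigation, notify IR team"
    if a.event == "malware" and a.asset_type == "workstation":
        return "low", "contain and isolate host from the network"
    if a.event == "login" and a.hour not in BUSINESS_HOURS:
        return "medium", "check in with the user (trust but verify)"
    if a.event == "failed_logins" and a.count >= FAILED_LOGIN_THRESHOLD:
        return "medium", "check in with the user (trust but verify)"
    return "info", "log only, no analyst action"

def build_queue(alerts):
    """Return alerts sorted most severe first, plus a count per severity."""
    ranked = sorted(((triage(a), a) for a in alerts), key=lambda x: SEVERITY_RANK[x[0][0]])
    counts = Counter(sev for (sev, _), _ in ranked)
    return ranked, counts

if __name__ == "__main__":
    # Constructed sample alerts, not real data.
    sample = [
        Alert("siem", "workstation", False, "malware", 10),
        Alert("ids", "server", True, "offline", 3),
        Alert("siem", "workstation", False, "login", 2),
        Alert("siem", "workstation", False, "failed_logins", 11, count=8),
        Alert("firewall", "workstation", False, "offline", 9),
        Alert("siem", "application", False, "malware", 14),
    ]
    queue, counts = build_queue(sample)
    for (sev, action), a in queue:
        print(f"{sev:8} {a.asset_type:12} {a.event:14} -> {action}")
    print(dict(counts))
```

Of the six constructed alerts only two land in the investigation tier; the rest become a user check, a containment task or a help-desk ticket, which is the whittling-down the article is after.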
ARIA Cybersecurity offers a two-pronged approach: Accelerate Your Incident Response Processes and Protect Your Most Critical Assets
Having an agreement on what an intrusion incident looks like for your organization is critical and an important part of your incident response process. However, having the right security infrastructure and tools, and improving their performance to help you identify and isolate threats, is equally if not more important. Given all the moving parts during the assessment and investigation of potential security incidents, your tools must work better for you.
Our ARIA Software-Defined Security (SDS) solution is designed to make widely used threat detection and prevention tools, such as the Splunk SIEM, work better. They will:
- detect more threats, especially network-borne ones that often go undetected,
- make them more cost-effective to operate, and
- enable accelerated incident response and threat containment.
Going one step further, organizations should also protect their critical assets no matter whether they are in use, at rest or in motion. The ARIA KMS or microHSM applications generate thousands of encryption keys per minute and offload those keys into a TrustZone. Pair ARIA SDS with the nVoy Packet Recorder to record all traffic between your critical devices, go back and pull packet-level details, and complete breach investigations faster; you'll benefit from accelerated incident response and stay compliant with data privacy regulations.
Interested in learning more? Watch our short video on how integrating a SIEM with ARIA SDS will accelerate your incident response processes.
About ARIA Cybersecurity Solutions
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our cybersecurity solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.