November 18, 2019

A New Approach to Cyber Security Incident Response

How to better leverage the security tools you have to achieve faster incident response and surgical threat containment

Companies of all sizes are under intense pressure to do all they can to secure their networks – spanning from on-premise, to cloud, to data center. Yet, given the rapid pace and severity of breaches, the approach to network threat detection, prevention, and containment has been faulty.

This is not necessarily the company’s fault – the industry has been lacking proper security solutions, which leads to inadequate practices. Additionally, the situation has been made worse by the availability of so many point solutions, adding complexity, confusion, and cost to a company’s security stack as they attempt to achieve full network security.

Why is this? Until now, the standard approach has been to install a best-of-breed security infrastructure including next-generation firewalls, SIEMs, IDS/IPS tools, UEBAs, SOARs, and other solutions—all with the goal of complete cyber threat detection and prevention. However, companies quickly discovered that this approach caused problems that they weren’t prepared for:

  1. They can’t give a full view of the internal network traffic—most solutions monitor north-south traffic, not east-west.
  2. They generate a lot of intrusion alerts, for some organizations up to 5,000 a day, which is much more than any SOC team can handle.
  3. They require constant support and maintenance – as sophisticated tools, they require a lot of work to configure and maintain them to get ideal results.
  4. They can’t contain network threats easily or effectively in all environments.


What do all these challenges really mean?

Let’s take modern SIEMs as an example. These solutions generally suffer from a number of constraints when used for security due to the typically large number of sources that must be ingested to thoroughly cover network traffic and hopefully, identify and investigate threats.

These large amounts of data can be counterproductive and lead to ineffective threat hunting and slow search performance. They can also be extremely expensive and increase ingestion costs. Any system that is dependent on data ingestion is only as good as the information it is provided. Too much of the wrong type of data will lead to increased costs and the number of false positives. Yet not enough of the right data and threats will inevitably be missed.

In addition, in the case of Splunk, resources must create query strings that define the question the SIEM must answer, which means it also defines whether the returned details includes the desired data. This is not a trivial task and requires a very special skillset to accomplish.

Typically, a SIEM’s works stops at investigating threats, and threat containment is handled by other tools. However, those tools have limitations in today’s environments. First, being firewalls, which can only block external sources from communicating inward. The second being endpoint detection and response (EDR) solutions, which make sense for devices under the customer’s control, but tend to be CPU-intensive and are very difficult to deploy in each VM and container. So, these surfaces tend not to be protected. For example, BYOD, IoT, and legacy OS devices in medical and industrial environments join this list of devices where EDRs don’t typically work.

So what’s the answer? We believe it lies in solutions that can not only accelerate security incident response and protect critical assets, but also improve performance of the security tools already in place.


How can ARIA Cybersecurity Solutions help?

We designed the ARIA SDS solution from the ground up to solve these challenges. The ARIA SDS Packet Intelligence application monitors all internal network traffic paths across an the entire enterprise. For every packet, NetFlow data is generated and directed to a security tool SIEM, or IDS/IPS, which not only gives a full view of the network traffic but also provides an effective way to find and stop threats earlier in the kill chain while also significantly reducing high volumes of ingest data. For companies with less CapEx or high monthly CPU charges, this lowers costs but also accelerates SIEM threat searches from minutes or hours.

Since it is situated inline with the network, ARIA SDS can be directed to intercept and stop specific threat conversations while keeping devices and/or applications online.  This can be done manually through SOC resources or automatically via SOARs leveraging ARIA APIs. Threats can be permanently blocked by implementing network-based microsegmentation enabled by ARIA SDS.

At the same time, and without performance impact, network traffic can be directed to a packet recorder, like our nVoy appliance. This works seamlessly with ARIA SDS, and it also gives SOC teams the ability to “go back in time” to further investigate a breach or potential intrusion.

Going one step further, our ARIA KMS or microHSM solutions provide key encryption to automatically manage the generation and distribution of encryption keys to handle all of the lifecycle requirements for key management. This supports Bring Your Own Key (BYOK) security models while providing the flexibility to meet specialized needs, such as software applications, hardened high availability appliances, or zero footprint PCIe adapters.

All of this may sound hard, and to a certain degree, it is. But in the words of John F. Kennedy, “We don’t do these things because they are easy – but because they are hard” (and necessary). If done right, they are very effective, very quick, and easy for security teams to use.

If you have responsibility for incident response, and need a better solution that costs less and is more effective than what you have now, you should start your research here.


About ARIA Cybersecurity Solutions

ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.

Tags: cyber attack, data breach, cybersecurity