When the Boundary Isn’t Enough: Accelerating Discovery, Investigation and Response

Depending on which study you are citing, anywhere between 50% and 95% of companies have already been breached. If you consider the money that has been invested in preventive security, that’s a major fail. Once the cybercriminals are inside, finding and stopping them must be a priority – and the faster that happens, the fewer the losses, both economically and in terms of reputation.

By taking very specific steps, you can significantly accelerate your discovery and response.

1. Create a unified threat picture

Point solutions work well on their own, but they cannot determine connections between events. Worse, more sophisticated cyber-attacks exploit the gaps between systems to build a phased attack. Instead of depending on multiple products that each address a specific attack vector independently, you need a system that lets point solutions communicate with each other. Ensure the systems work together holistically and share information. This leads us to:

2. Mind the gap

This particular step does require an investment of either money or development resources. Examine your current security infrastructure: where are the holes? Prioritize your vulnerabilities so you can add systems that fill those holes, or invest in a single system that detects and investigates across your entire IT environment, combines and shares the information it gathers, and discovers the attacks that would otherwise fall between the cracks.

3. Gather your data wisely

Trying to respond to every alert from every single system is one sure way to guarantee that sophisticated breaches go undetected. The sheer volume quickly overwhelms your cyber analyst team, rendering it ineffectual. Most technologies allow you to implement alerting and reporting rules. Take the time to set tipping points (thresholds) for security notifications so your team does not receive every alert, and invest in a solution that intelligently cross-references alerts to confirm or refute anomalies.
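Steps 1 and 3 together describe one mechanism: per-source tipping points so that weak alerts are not escalated on their own, plus cross-referencing of alerts from different point solutions to confirm or refute an anomaly. The following is an added example written for this article, not code from the author or any product; the alert records, source names, thresholds and the ten-minute corroboration window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical point solutions (not real product output).
ALERTS = [
    {"source": "edr",   "host": "ws-17",  "ts": "2019-03-04T09:02:10", "severity": 2, "type": "suspicious_process"},
    {"source": "proxy", "host": "ws-17",  "ts": "2019-03-04T09:03:40", "severity": 2, "type": "rare_domain"},
    {"source": "av",    "host": "ws-17",  "ts": "2019-03-04T09:05:02", "severity": 1, "type": "heuristic_match"},
    {"source": "av",    "host": "ws-22",  "ts": "2019-03-04T11:15:00", "severity": 1, "type": "heuristic_match"},
    {"source": "proxy", "host": "ws-22",  "ts": "2019-03-04T14:30:00", "severity": 2, "type": "rare_domain"},
    {"source": "edr",   "host": "srv-db", "ts": "2019-03-04T02:00:00", "severity": 4, "type": "credential_dump"},
]

# Step 3: assumed per-source tipping points; an alert below its threshold is kept but not escalated alone.
THRESHOLDS = {"edr": 3, "proxy": 4, "av": 4}

def correlate(alerts, thresholds, window=timedelta(minutes=10), min_sources=2):
    """Return one case per host, marked escalate=True/False with the reason for the decision."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append({**a, "ts": datetime.fromisoformat(a["ts"])})
    cases = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        escalate, reason = False, "below threshold, single source"
        # Rule A: any single alert at or above its source's tipping point is escalated.
        if any(a["severity"] >= thresholds[a["source"]] for a in items):
            escalate, reason = True, "severity above source threshold"
        else:
            # Rule B (step 1 + step 3): weak alerts are cross-referenced; corroboration by
            # at least min_sources distinct products inside one time window confirms the anomaly.
            for i, first in enumerate(items):
                span = [a for a in items[i:] if a["ts"] - first["ts"] <= window]
                sources = {a["source"] for a in span}
                if len(sources) >= min_sources:
                    escalate, reason = True, f"corroborated by {sorted(sources)}"
                    break
        cases.append({"host": host, "escalate": escalate, "reason": reason,
                      "alerts": [f'{a["source"]}:{a["type"]}' for a in items]})
    return cases

if __name__ == "__main__":
    for case in correlate(ALERTS, THRESHOLDS):
        print(case["host"], "ESCALATE" if case["escalate"] else "suppress", "-", case["reason"])
```

With the sample data, ws-17 is escalated only because three products agree within the window, ws-22's two isolated low-severity alerts are suppressed, and srv-db is escalated on a single high-severity EDR alert.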

4. Think AI

Artificial intelligence, machine learning, security analytics: whatever you call it, it is critical to today's security environment. Even with a rules-based system, false positives are more common than not. By adding an analytical component that tries to mimic the behavior of an analyst, you can ensure that more and more false positives are eliminated and that your security analysts receive only the most relevant cases to investigate.

5. Streamline your forensics

Confusing forensics tools are another issue that will slow down your investigation process. Most likely your forensics tools sit unused until your incident response consultants can be brought in. If you have your own forensics team, it is probably overwhelmed by the volume of data in the system and cannot find the information it needs. Organizations need forensics solutions that deliver exactly the data necessary to understand a specific alert, an incident, and ultimately the full attack storyline.

6. Strengthen team communications

Your system is only as strong as its weakest link, which is why communication among your analysts is critical. Your security personnel work in shifts, and the person taking over the next shift must know exactly what the current threat status is and what has been achieved during the previous nine hours. Solutions that make it easier to document, report and share information are critical to accelerating investigations and concluding them successfully.

7. Learn from your discoveries

Once you discover a threat, be sure to block it across all of your security solutions to prevent similar attacks. Take advantage of automated response if it is feasible in your organization, or a ticketing system if it is not. Share intelligence with other organizations to help the industry fight cybercrime.

8. Get automated

When adding new tools, seek out products that have a significant level of automation. The more your security system can do automatically, the more your cyber analysts will be able to focus on the critical incidents. Don't settle for solutions that merely automate the most routine, simple tasks. Look for ways to automate the complex cyber investigations that take up the lion's share of your teams' time.
