In cyber-security, the greatest challenge is often visibility: having the capability to generate a history of activity across a wide spectrum of connected assets and users. In short, as a cyber-security pro, you can't fight what you can't see, and you can't find the root cause of problems when data is missing.
When battling and cleaning up after Advanced Persistent Threats (APTs), ranging from malware and ransomware to other destructive attacks, enterprises need a heightened ability to detect, view and investigate using forensics. They also must be able to react rapidly to advanced penetration of the most popular operating systems, be it on mobile, desktop, cloud, VMs, containers or microservices.
Visibility has to be pervasive. Today the cloud has become a major attack path. According to recent research from Microsoft (the Security Intelligence Report, SIR), cloud account attacks rose by 300 percent from 2016 to 2017.
Considering the enhanced breadth of security threats, security operations staff, whether they're part of a CISO organisation or embedded within IT, will benefit from using a comprehensive systems and security operations platform to detect attacks and zero-day exploits, to uncover the full scope of a breach, and to quickly respond to attacks.
Six-point checklist
Do your security teams have these enterprise-wide forensics capabilities?
1. Continuous, rich data collection and storage from every managed endpoint including systems, user behaviour, network connectivity, application, binary, and process data?
2. Single-source-of-truth visibility into every asset – laptops, desktops, servers, VMs, containers?
3. Continuous device state and behaviour monitoring; real-time issue-, threshold- and threat-based alerting and ticketing?
4. Actionable data from threat feeds, whether open-source or commercial?
5. Advanced threat detection and hunting capabilities across Windows, Mac, and Linux systems, including client devices, data center, and cloud?
6. Capabilities for deep binary/file analysis and sandboxing of suspicious packages?
Spotlight on forensics
In the cyber-security arena, forensic analysis is mostly performed as part of a scheduled compliance, legal discovery, or law enforcement investigation.
Forensics provides a comprehensive understanding of a breach and of its remediation. Specific and deep forensic data accelerates the identification and mapping of an attacker's lateral movements, and provides retroactive reporting and alerting on all systems that have exhibited identical or similar behaviour. Most importantly, forensics can identify the root cause of an issue to help close the gaps and stop future attacks across the entire environment.
The capability to conduct a six-month review of activities that have occurred on an endpoint, such as a desktop, smartphone, server, or virtual machine, is crucial to knowing what has occurred and how an attack has taken shape, and to evaluating the potential for harm to other places or users throughout the IT infrastructure. This is why security systems should retain a minimum of half a year's worth of robust forensic data, if not more. Forensic analysis is a central discipline that can leverage the same tools and related data sets as incident response management, and then go beyond it.
A thorough forensic investigation allows the remediation of all threats through careful analysis of the entire chain of attack events. For this purpose, forensics research requires strong log analysis and malware analysis capabilities. While interactions for threat containment are performed with other security and operations team members, forensic analysis typically requires interactions with a much broader set of departments, including operations, legal, HR, and compliance. This is when the attack turns from a technology problem into a business problem, with repercussions ranging from lawsuits to a loss of reputation among stakeholders, such as investors and customers.
Following the storm of serious global cyber-attacks over the past year, it is widely understood just how damaging not having a well-designed approach to security can be for enterprises. Only when IT departments, SecOps teams and the enterprise as a whole take a “systematic” approach to security that incorporates complete visibility and deep forensics for prevention, to go along with the other critical functions of cyber-security defence, can the challenge be overcome.
Contributed by David Shefter, chief technology officer, Ziften Technologies.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.