Threat detection and response: while it sounds simple enough, it actually involves an enormous variety of technologies and systems - endpoint, network, automation, orchestration, visibility, remediation and more. All play key roles during the process between initially detecting a threat and responding to it in the fastest, most efficient and educated way possible.
Deploying threat detection and response can be overwhelming and confusing. So many different approaches claim to deliver the same results. So how do you choose the right one? What key capabilities should you be looking for?
Some organisations have already deployed detection and response solutions but have seen little positive impact. Their analysts are overworked and overwhelmed by countless alerts, many of them false positives, and by only partial visibility. If that sounds familiar, how can you improve the situation?
A successful detection and response deployment covers its bases. To eliminate or reduce your exposure to cyber-threats, try to cover all, or as many as possible, of the following six 'success factors'; each one makes the deployment more efficient and its output more useful to the analysts who rely on it.
1. Coverage - See the big picture: Make sure your solution detects threats across attack vectors, across the whole attack chain, and across the IT environment. Looking only at endpoints, or only at network traffic, may eventually be enough to detect a threat, but it yields only a partial account of the events that ran from the initial entry point to the malicious activity still going on inside. A partial view can also send the investigation down the wrong path, which at best slows the response and at worst misdirects it entirely.
2. Continuity - Investigate leads not just once, but over time: Advanced attacks are a series of ongoing events and must be analysed continuously. To confirm or refute a lead you need more meaningful information, and often it only accumulates over a period of time. For example, data about an infected endpoint, combined with the files it tried to exfiltrate and the server it communicated with a week later, goes much further towards understanding and stopping an advanced attack than the initial detection on its own.
3. Context - Don't analyse information in isolation: Forensic information means very little when it's isolated. You need to collect forensic evidence and present it within the context of the incident storyline for better understanding. Along with Coverage and Continuity, Context delivers a more in-depth and accurate picture of the incident so you can remediate it thoroughly.
4. Clarity - Ensure that your solution delivers actionable intelligence rather than thousands of alerts: your ultimate goal, after all, is to stop the threat. Employ methods that provide detailed recommendations for what can be done (what should be isolated, deleted, or investigated more deeply), present clear evidence backing up the recommendations, and include built-in tools to contain threats quickly and easily.
5. Collaboration - Share the info: This is fundamental to any team's ability to respond. Look for ways to turn alerts and data into clear, visual storylines that are self-explanatory and documented, so they can easily be handed between job roles and shifts. Letting multiple analysts (or even just two) work on the same incident requires a record of who did what and which investigative steps have already been taken, so that nobody repeats work or overlooks a step the previous shift believed was done. The author's estimate is that this alone can save up to 50 percent of investigation time.
6. Coherence - Turn all these capabilities into a seamless process: Last, but not least, you need a system that works holistically, compiling a single picture across attack vectors and parts of the organisation, everything from reviewing detected threats to carrying out a full-blown investigation.
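The correlation that Coverage, Continuity and Context describe (endpoint and network telemetry from one host, stitched across a two-week window into a single storyline), the actionable recommendations Clarity asks for, and the shared who-did-what record under Collaboration, as an added Python example. This is not code from the article or from Verint: the event schema, hostnames, addresses, the 14-day lookback window and the 10 MB exfiltration threshold are all constructed assumptions for illustration.

```python
"""Correlate multi-source events into per-host incident storylines.

Added example, not from the original article. Field names, the sample
log lines, the lookback window and the exfiltration threshold below are
constructed assumptions; a real deployment would map its EDR, proxy and
DLP schemas onto something like this.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (Coverage). ws-17 is
# flagged by the EDR, beacons out, and a week later pushes a large upload
# to the same server right after reading a sensitive file (Continuity).
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:12:00", "source": "edr", "host": "ws-17",
     "kind": "malware_detected", "detail": "dropper.exe quarantined"},
    {"ts": "2023-03-01T09:15:30", "source": "proxy", "host": "ws-17",
     "kind": "http_connect", "dst": "203.0.113.10", "bytes_out": 512},
    {"ts": "2023-03-02T11:00:00", "source": "proxy", "host": "ws-42",
     "kind": "http_connect", "dst": "203.0.113.10", "bytes_out": 300},
    {"ts": "2023-03-08T02:40:10", "source": "proxy", "host": "ws-17",
     "kind": "http_connect", "dst": "203.0.113.10", "bytes_out": 48_000_000},
    {"ts": "2023-03-08T02:41:00", "source": "dlp", "host": "ws-17",
     "kind": "sensitive_file_read", "detail": "customers.csv"},
]

SEED_KINDS = {"malware_detected"}          # detections that open a storyline
LOOKBACK = timedelta(days=14)              # assumed continuity window
EXFIL_BYTES = 10_000_000                   # assumed "large upload" threshold


def parse_ts(value):
    return datetime.fromisoformat(value)


def build_storylines(events, seed_kinds=SEED_KINDS, window=LOOKBACK):
    """Group every source's events by host around the first seed detection.

    Returns {host: {"seed": event, "timeline": [events in window]}} and
    ignores hosts that never produced a seed detection.
    """
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_host[event["host"]].append(event)
    storylines = {}
    for host, host_events in by_host.items():
        seeds = [e for e in host_events if e["kind"] in seed_kinds]
        if not seeds:
            continue
        start = parse_ts(seeds[0]["ts"])
        timeline = [e for e in host_events
                    if start <= parse_ts(e["ts"]) <= start + window]
        storylines[host] = {"seed": seeds[0], "timeline": timeline}
    return storylines


def recommend(host, storyline, all_events):
    """Turn a storyline into (action, target, evidence) triples (Clarity).

    Destinations the host contacted after the seed are candidates for
    blocking; other hosts that reached the same destination become pivots
    to investigate (Context across the rest of the estate).
    """
    actions = [("isolate_host", host,
                f"seed detection: {storyline['seed']['detail']}")]
    timeline = storyline["timeline"]
    for dst in sorted({e["dst"] for e in timeline if e.get("dst")}):
        sent = sum(e.get("bytes_out", 0) for e in timeline if e.get("dst") == dst)
        evidence = f"{host} sent {sent} bytes to {dst} after the detection"
        if sent >= EXFIL_BYTES:
            evidence += " (possible exfiltration)"
        actions.append(("block_destination", dst, evidence))
        pivots = sorted({e["host"] for e in all_events
                         if e.get("dst") == dst and e["host"] != host})
        for other in pivots:
            actions.append(("investigate_host", other, f"also contacted {dst}"))
    return actions


class Investigation:
    """Shared record of who did what, so a second analyst or the next
    shift can see which recommended steps remain (Collaboration)."""

    def __init__(self, host, actions):
        self.host = host
        self.actions = actions
        self.log = []                      # (analyst, action, target)

    def record(self, analyst, action, target):
        self.log.append((analyst, action, target))

    def pending(self):
        done = {(action, target) for _, action, target in self.log}
        return [a for a in self.actions if (a[0], a[1]) not in done]


if __name__ == "__main__":
    lines = build_storylines(SAMPLE_EVENTS)
    for host, story in lines.items():
        for action in recommend(host, story, SAMPLE_EVENTS):
            print(host, *action)
```

Running the block prints one isolate, one block and one investigate action for ws-17, each with the evidence that justifies it; ws-42 appears only as a pivot, because on its own it never triggered a seed detection. The `pending()` view is what a hand-over between shifts would show.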
By adopting these six Cs, you achieve far greater ROI and improve security. When your threat detection and response solution can identify threats efficiently across the entire threat life cycle without adding to the burden on your already strained security teams, you will have achieved a significant return on your investment.
Contributed by Noam Rosenfeld, SVP, cyber intelligence solutions, Verint Systems Ltd.