Many organizations have some level of threat detection and incident response capabilities. But building out these capabilities to take a proactive stance against an evolving threat landscape is often expensive and difficult. It requires additional and significant investment in people, intelligence, technology, and analytics. And, you want to make sure that investment delivers full value.
As I outlined in my previous column, new Managed Detection and Response (MDR) services have emerged to help you achieve the outcome you desire – proactively finding bad guys that have infiltrated your infrastructure and stopping them as quickly as possible to mitigate damage.
Whether you are considering building these capabilities yourself, outsourcing, or pursuing a hybrid approach, talking to an MDR service provider can help you understand what’s involved. Here are five questions to ask:
1. What types of data do you use to detect and investigate incidents?
Log data, packet capture data, and associated metadata are important, but aren’t enough. In many cases we still aren’t able to answer even the most basic questions executives ask during a breach: what happened, who did it, what was the effect, and is it going to happen again? While more data is always better than less, you need at least three additional types of data to get a more complete picture. Attribution data (or contextual data) from sources such as Active Directory, DHCP or DNS will tell you who was doing what at that particular moment during the incident. You also need forensic data from inside of the potentially breached system to see if it exhibits signs of being breached. Physical security data can offer additional contextual information, for example indicating if the person was in the office at the time that an incident supposedly occurred. As more IoT devices come online, a fourth type of data source is emerging: sensor data. Sensors abound in IoT devices, detecting and responding to input from the physical environment, like sudden spikes in temperature or speed readings, providing additional clues to help detect and investigate incidents in new ways.
2. How do you store, manage, and analyze this data to hone in on actual threats?
Many organizations rely on traditional SIEMs to store data and run simple, real-time, rules-based analytics. This works for providing insights into activities at a point in time, but most attacks are more subtle and may unfold over weeks or even months. The ability to consider more and varied data types over a longer period of time offers richer insight as to who the attacker was, what malicious activities were performed, and how to remediate the threat. Newer big data platforms overcome the limitations of traditional SIEMs and provide the ability to keep up with the volume, velocity, and variety of data while conducting more sophisticated statistical and machine learning analytics. Statistical analytics can help identify outliers while machine learning establishes what “bad” looks like and searches for similarities and patterns instead of engaging in the time-consuming and often fruitless chase for the exact match. At a minimum, these types of advanced analytics help guide and even automate threat hunting for faster detection, which can otherwise be prohibitively labor-intensive, time consuming, and expensive.
3. How do you deliver actionable insights?
It’s not enough to escalate alerts. At the end of the day, you want cogent and solid recommendations for acting on confirmed threats. That is predicated on having a deep understanding of the business. For example, if the recommendation is to block some sort of activity, you need to have a high degree of certainty that the block will not have adverse business effects. Otherwise it isn’t truly actionable. You also need a depth of information surrounding the attack. For instance, is a simple AV scan enough to stave of malicious activity or do you need to completely reimage the entire machine? Intelligent action flows from actionable insights.
4. How do you measure success?
Traditionally, the metric for success has been the time to respond to tickets or alerts, but this leads to the bad behavior of escalating spurious alerts as the time specified in the SLA runs out. This results in a high number of false positives – wasting valuable time and resources. When the goal is to proactively detect and respond to incidents, then the focus shifts to fidelity, or accuracy. You need to have confidence that you are focused on serious threats and taking the best course of action to remediate the threat. Fidelity requires more time, data, and context around a threat; better collaboration among a team of analysts with the right skill sets; and an emphasis on post-incident analysis to identify areas for improvement.
5. What are the skills sets required for threat detection and response?
To deliver high-fidelity intelligence and response, you need a team that consists of individuals with four primary skills: technical skills to use and understand key security technologies; problem-solving skills to determine what is happening with limited information; communication skills since we often find out about potential events through word-of-mouth from normal users; and collaboration skills that incorporate different perspectives and lead to richer insights. Finally, the ability to deliver trustworthy advice requires that each team member also have experience gaining a deep understanding of the business so that they can prioritize incidents and make recommendations that take into account existing workflows and critical business operations.
Whether you decide to outsource some, none, or all detection and response responsibilities, you need to move forward with your eyes wide open. The outcome that you care about – proactively detecting bad guys before they do something nefarious – isn’t easy to achieve. But by asking these key questions you can understand
what’s required to proactively detect and respond to today’s malicious and complex attacks.