Most Organizations Have More Intelligence Than They Know What to Do With.
We’re finishing up the holiday season and at this point most of us have spent more time than usual at family gatherings. Let’s be honest, while often enjoyable, they can also be trying. Depending on who is in attendance, the location and duration of the event and the occasion, we resort to avoidance techniques like going for frequent walks around the block, dodging certain topics of discussion, taking deep breaths, staying in a hotel or some combination. By understanding as much as we can about those who will be at a specific family event, we can make better decisions about how to approach it. We turn to methods that have worked in the past to decrease the stress and maintain family harmony.
If you think about it from the perspective of a security professional, the same basic process applies to containing security incidents. It’s all about situational understanding and experience. In security, we enrich data with context for a deeper understanding of an event and apply learnings to limit or stop damage. But how fast and effective are our containment efforts, and how could we do better?
According to the 2018 SANS Incident Response Survey published in October 2018, 40 percent of organizations take more than a day to respond to incidents. We all know that by then much of the damage is likely done, as exfiltration is typically measured in minutes and hours. Perhaps more troubling, 44 percent report that they have been breached by the same threat actor at least twice, with 34 percent saying either the same or similar tactics, techniques and procedures (TTPs) were used. The remainder state that different TTPs were used, but they may have had limited visibility and missed certain indicators the first time.
These gaps aren’t due to a lack of intelligence. Most organizations have more intelligence than they know what to do with. They have multiple external threat data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors – each in a different format. On top of that, each individual product within their layers of defense has its own intelligence in the form of log and event data.
What’s lacking is a way to aggregate all this data in one manageable location where it can be translated into a uniform format for analysis and action. You also need the ability to augment and enrich this data automatically with internal intelligence – alerts, events and associated indicators from inside your environment – for context. This provides an understanding of the who, what, where, when, why and how of an attack, so you can prioritize and take the right actions faster.
Internal intelligence also comes in the form of human intelligence, not just data and alerts. Human intelligence provides an opportunity for intuition and learning. And if we collaborate, the learning is better and faster than reinventing the wheel. In the security world, if security operations center (SOC) analysts and the incident response (IR) team work together, we all get better. Add collaboration with other teams to that and there is a multiplier effect. The challenge is that most security operations and response efforts are rife with chaos, as teams act independently and inefficiently using siloed technologies.
What’s needed is a single shared environment that fuses together threat data, evidence, actions and users in real time so that teams can collaborate. Everything is documented and remains a resource for future reference. The IR team can see what has been done in the past when faced with a similar threat, and can use that knowledge and experience to contain and remediate faster.
Such an environment also allows the IR team to respond more comprehensively. When new vulnerabilities or indicators associated with a specific threat actor or campaign are discovered, they are added to the environment. As the IR team investigates an incident and works on a response, they can incorporate new knowledge of related indicators. With visibility into more TTPs, the IR team can identify threat actor data with greater confidence and scope, and can contain and remediate more thoroughly to prevent repeat attacks.
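As an added illustration of the aggregate-and-enrich workflow described above (feeds in different formats translated into one uniform record, then enriched with internal alerts) and of the actor-scoped response in the previous paragraph, here is example code written for this article, not any product's own implementation. The two feed layouts, the alert field names and every indicator value are constructed placeholders, not real data.

```python
import csv, io, json

# Constructed sample feeds (placeholder indicators, not real IoCs) in two formats.
FEED_CSV = """indicator,type,actor
203.0.113.10,ip,ActorA
bad.example,domain,ActorA
"""
FEED_JSON = json.dumps([{"value": "203.0.113.10", "kind": "ipv4", "campaign": "ActorA"},
                        {"value": "00112233445566778899aabbccddeeff", "kind": "md5", "campaign": "ActorB"}])
# Constructed internal alerts, one JSON object per line, as a SIEM export might look.
INTERNAL_ALERTS = """{"src_ip": "203.0.113.10", "host": "ws-17", "ts": "2018-12-28T09:10:00Z"}
{"domain": "bad.example", "host": "ws-17", "ts": "2018-12-28T09:12:00Z"}
{"src_ip": "198.51.100.7", "host": "ws-03", "ts": "2018-12-28T10:00:00Z"}
"""
# Each feed names indicator types differently; map them onto one vocabulary.
TYPE_MAP = {"ip": "ipv4-addr", "ipv4": "ipv4-addr", "domain": "domain-name", "md5": "md5"}

def _record(records, value, itype):
    return records.setdefault(value, {"type": TYPE_MAP[itype], "actors": set(), "sources": set()})

def normalize(feed_csv, feed_json):
    """Merge both feed formats into one uniform record per indicator value."""
    records = {}
    for row in csv.DictReader(io.StringIO(feed_csv)):
        rec = _record(records, row["indicator"], row["type"])
        rec["actors"].add(row["actor"])
        rec["sources"].add("feed_csv")
    for item in json.loads(feed_json):
        rec = _record(records, item["value"], item["kind"])
        rec["actors"].add(item["campaign"])
        rec["sources"].add("feed_json")
    return records

def enrich(records, alerts_ndjson):
    """Attach internal sightings (affected hosts, first seen) to matching indicators."""
    for line in alerts_ndjson.splitlines():
        event = json.loads(line)
        for field in ("src_ip", "domain"):
            value = event.get(field)
            if value in records:
                rec = records[value]
                rec.setdefault("hosts", set()).add(event["host"])
                rec["first_seen"] = min(rec.get("first_seen", event["ts"]), event["ts"])
    return records

def prioritize(records):
    """Indicators seen internally come first, then those corroborated by more feeds."""
    return sorted(records, key=lambda v: (-len(records[v].get("hosts", ())), -len(records[v]["sources"]), v))

def actor_scope(records, actor):
    """Every indicator tied to an actor, flagged by whether it has been seen internally."""
    return {v: bool(r.get("hosts")) for v, r in records.items() if actor in r["actors"]}
```

Running `prioritize(enrich(normalize(FEED_CSV, FEED_JSON), INTERNAL_ALERTS))` puts the indicator seen on an internal host and reported by both feeds at the top; `actor_scope(..., "ActorA")` then lists everything attributed to that actor so containment covers the whole set, not just the indicator that fired.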
We dig deep to keep harmony in the family. Chances are we have the same depth of resources available to dig deep in security, reducing time to containment and repeat breaches. We just need to tap into those resources – our universe of external and internal intelligence – and make them accessible across teams, so we can bridge gaps and share learnings for faster, more comprehensive containment.