Your security team's primary goal is to stop threats before they breach the network. Obvious? Yes. And it is an oversimplification of the problem.
In a recent webinar, Improving Incident Response Time by 84%, guest speaker David Holmes, Sr. Analyst with Forrester Research, reported that in 2019, 52% of firms admitted they were breached in the prior 12 months. In 2020 that number increased to 59%, meaning that close to 6 out of 10 organizations were breached.
In that same Forrester survey, according to Holmes, the top two challenges cited for both 2019 and 2020 were the complexity of the IT environment and the changing/evolving nature of IT threats (internal and external).
All of this data points to the need for network and security operations teams to reduce the complexity of their environments and to find ways to speed up the detection and investigation of incidents in order to respond to threats faster.
As network complexity increases with the digitalization of the network, containerization, connected devices, and multicloud deployments—visibility decreases. Additionally, with budget constraints and a lack of skilled analysts, there are just not enough hours in the day to meet the current pressures faced by security teams.
So what are the barriers to improving visibility, analyst efficiency, and resolving threats faster? How will you know if your in-house solutions will provide you with a return on investment—both in dollars and in time savings?
Top 3 Ways to Improve Incident Response Time
1. Improve Visibility: Assets, Cloud, Encrypted Traffic
Between a lack of network and cloud visibility and encrypted traffic, 70% of your environment is dark, giving an attacker free rein post-compromise. Despite the investment into multiple security tools, the customers interviewed for the Forrester TEI study of Reveal(x) revealed that their network security environments were still replete with gaps.
Holmes stated that the clients he works with cite the need for greater visibility in cloud projects as a top concern. You can't protect what you don't understand, and greater visibility is needed to gain credible insights and stop threats.
Maintaining Security Visibility in the TLS 1.3 Era
The Forrester report published in July 2020, Maintaining Security Visibility in the TLS 1.3 Era, outlines changes in the works for the TLS and DNS protocols that, according to Holmes, will make monitoring more difficult for almost all existing security controls. In this report, Holmes writes that if you "Fail to take any action, and within two years, you'll lose the ability to analyze network traffic and detect the cyberthreats that will endanger your organization."
According to the report, the reason you have only two years to make changes is that the adoption of TLS 1.3 is coming faster than you think. Holmes explained the context behind that advice.
- TLS 1.3 is taking off faster than TLS 1.2 (TLS 1.2 grew at 10% per year for 6-7 years, whereas almost 40% of sites today already support TLS 1.3.)
- When the report was published TLS 1.3 had no known vulnerabilities. Since then one has emerged, dubbed the Raccoon attack, which will accelerate adoption of TLS 1.3, despite the attack being of an academic nature and unlikely to be seen in the wild.
While the intent of TLS and DNS was to protect the confidentiality of the payload, they did not protect the privacy of where the user was going. The changes will require an understanding of the destination of the traffic, and the only way to get that is from the metadata, which traditionally has never been hidden. Most security tools today use metadata to decide whether a connection is safe or not. With TLS 1.3 now encrypting metadata, the monitoring of encrypted traffic has been made more difficult.
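TLS 1.3 leaves only the ClientHello readable to a passive monitor (the server certificate moves inside the encrypted handshake), and a 1.3 client announces itself only through the supported_versions extension, since the legacy version field stays pinned to 1.2. As an added example, not from the webinar or from ExtraHop, the following Python constructs a sample ClientHello and extracts the metadata a monitor can still key on (the SNI and the real maximum version); the names build_client_hello and parse_client_hello are assumptions of this example.

```python
import struct

SNI_EXT = 0x0000
SUPPORTED_VERSIONS_EXT = 0x002B
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(server_name, versions):
    """Constructed sample ClientHello (not a real capture) carrying SNI and supported_versions."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
    sni_data = struct.pack("!H", len(entry)) + entry
    ver_data = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
            + struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ver_data)) + ver_data)
    body = (b"\x03\x03" + bytes(32)        # legacy_version is pinned to 1.2 even for a 1.3 client
            + b"\x00"                      # empty session_id
            + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec):
    """Return the metadata a passive monitor can still read from a ClientHello record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                              # record header (5) + handshake header (4)
    legacy = struct.unpack("!H", rec[pos:pos + 2])[0]
    pos += 2 + 32                                        # legacy_version + random
    pos += 1 + rec[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", rec[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + rec[pos]                                  # compression_methods
    end = pos + 2 + struct.unpack("!H", rec[pos:pos + 2])[0]
    pos += 2
    info = {"sni": None, "legacy_version": VERSION_NAMES.get(legacy), "max_version": VERSION_NAMES.get(legacy)}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[pos:pos + 4])
        data = rec[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXT:                             # host_name entry: type(1) + len(2) + name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == SUPPORTED_VERSIONS_EXT:            # the only place a 1.3 client says so
            offered = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
            known = [v for v in offered if v in VERSION_NAMES]   # skips GREASE values
            if known:
                info["max_version"] = VERSION_NAMES[max(known)]
    return info
```

A monitor that classifies by the record or legacy version field alone will report every TLS 1.3 session as TLS 1.2 and never notice that the certificate it used to inspect is gone.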
The Forrester TLS report goes on to talk about unique techniques that attackers are using that, without the ability to decrypt traffic, you will not see. Matt Cauthorn, VP of Security Engineering from ExtraHop added, "If you don't do decryption you can't detect behaviors like an HTTP desync attack (aka HTTP request smuggling)." Holmes' advice was that anyone who has a visibility tool or is trying to provide threat intelligence needs to improve their ability to inspect encrypted traffic.
Increased encryption and the use of DNS over HTTPS represent an existential threat to a lot of the traditional approaches to monitoring. Matt went on to explain that the way to get ahead of the challenge is to combat it with network data, machine learning (ML), and visibility. Visibility is the core of the solution, and the network is the mandatory building block.
2. Improve Your Incident Response
The network, including on-premises, virtual and cloud environments, has some properties that make it a powerful, covert source for observational behavior analysis:
- You can't evade the network
- You can't turn the network off
- And, it's extremely difficult to manipulate the network
According to Cauthorn, "The network is a powerful adjunct to your analysis strategy for your practice in the SOC; visibility and situational awareness that is observational by definition is one of the most strategic points of leverage for the SOC practice."
In the 2019 Forrester survey of security technology decision-makers mentioned by Holmes, respondents were asked what skills were most needed today. The results showed that security operations staff was number one, with malware analysis and reverse engineering coming in a close second.
Holmes expressed that having an alert is not enough—we need an action. With fewer security professionals, the systems we are building today have to be more efficient, include more automated responses, detect incidents faster and allow analysts to be more effective and able to pivot and provide an action when an alert is raised.
The bottom line is that when an incident happens, you need your team to respond quickly. In the modern era of network analysis you can get insights and extract features in real time, accelerate workflows, and increase the accuracy and velocity of insights to surface incidents and respond at an investigator's pace.
"We were spending a lot of time in our packet capture tool troubleshooting problems and threat hunting. It was very time-consuming. We needed something that would provide better analytics and be able to help us find problems more quickly."
SVP, global infrastructure, financial services
3. Greater Efficiency and Reduced Toolsets
The customers interviewed for the TEI study expressed that their previous workflows were too time-consuming because of a lack of visibility and an overabundance of security alerts coming from legacy solutions. Too much time was being spent troubleshooting and threat hunting. They were seeking better analytics and faster problem resolution, which can be accomplished through tooling and improved team efficiencies.
The average enterprise security team has a glut of solutions within their hybrid environment, leading to another primary issue in SecOps: tool fatigue. This raises the question: are there overlapping features in your toolsets that could be retired in order to simplify? One customer interviewed for the report expressed that they were able to decommission preexisting security solutions and save up to $700,000/year.
Alternatively, what are the holes in your existing security tools where greater efficiency can be achieved? Cauthorn explained what he feels is a crucial concept: tooling your cybersecurity practice around three main solutions in the SOC that will provide 80% of the value you need, namely network data (NDR), endpoint data (EDR), and logs (SIEM). This has been referred to as the Cybersecurity SOC Visibility Triad, and greater interoperability of the data across these three sources is the way to improve your security posture.
"We had SIEM, but there were always holes in that information. We added EDR, and there were still certain bits of information missing. We didn't get the full picture until investing in ExtraHop Reveal(x)."
SVP, global infrastructure, financial services
For more on improving the efficiency of your team, please see this recent blog post, The Network, Security, and Cloud Blame Game, which is centered around how teams need to remove data and team silos to improve the speed and efficiency of the entire IT organization.
A Brief Note About the Cloud
Holmes shared that a common request he receives is around digital transformation projects and the need for visibility into what is happening in the cloud.
Visibility in the cloud is critical and is best gained through passive behavioral network-level analysis from the main providers, like AWS, GCP and Azure, as well as cloud-native services. From a network detection and response (NDR) perspective, you can deploy in the cloud and see cloud-level access from on-premises, or federate views across multiple estates from multicloud into a terrestrial data center and rationalize those views for comparison.
The Results: The Total Economic Impact of Reveal(x)
ExtraHop recently commissioned Forrester Consulting to survey our customers and determine the Total Economic Impact of ExtraHop Reveal(x), examining the return that an investment in network detection and response (NDR) will yield.
The TEI of Reveal(x) found an 84% faster time to respond to threats and an ROI of 165%, as well as:
- Decreased time to respond from 9 hours to 1.75 hours
- Decreased time to investigate unplanned outages by 92%
- Decreased time to troubleshoot applications from 40 hours to a matter of minutes
- Improved application uptime resulting in increases to both revenue and employee productivity