In our last blog, we defined response. Here we will address the best way to respond to an event on your network.
I won't use the word "incident" yet because the first step is asking "what is it?" Your analyst needs to make that determination as quickly as possible. The longer it takes for an analyst to decide if an event is a security incident that needs escalation for threat investigation or if it is an application error that the network team should handle, the more time you give for an attacker to breach the network.
- Investigating what matters: scope the incident.
- You have an original insight that comes into your inbox in the form of an alert or detection. You will need to scope the event and understand its impact. What is the likely origin of this event, and has there been a lateral spread to other areas in the network? A requirement for success here is 100% visibility across your network—what devices are connected and what data is traversing the network both north-south and east-west.
- You need the context of the event in question to understand what came before and what comes after. You need correlation to understand how the event is affecting the rest of the network. What other systems might have been involved? How is the attacker moving around your system? How long have they been there? Where else have they been? Are they escalating privileges?
- You decide to elevate the event to an incident, now go investigate.
- The subsequent steps after determining that an event is an incident need to be informed by data and need to be supported by humans. Part of the subsequent actions might be some automated response, like an automated quarantine or shutdown to mitigate and minimize the impact.
- Your analyst has all of the data they need in one workflow, you have just reduced your investigation time and can get to the root cause to determine the right actions to respond.
- You really want multiple sources of data to inform your decisions and your assessment to help adjudicate an incident or an event, as well as to respond to it. You want to correlate all the information as much as possible and put together a timeline of what happened, what the impact is, and the extent of the impact.
- Automated response will only take you so far.
- Should your response be automated? There is no question that automation can save time and money. So responses can be automated, but with the caveat that the analyst has control over the threshold of what should or should not be automated. The level of automation in response all depends on how much risk an organization is willing to take by deciding to automate actions.
- Even if a tool like your EDR took an automated action or, if you are in AWS, automatically quarantined an event, that is not the end of the response. Organizations still have to do some interpretation of the events to determine what to do next. Experience has shown that organizations will automate some actions but want more control over the full response to a network event.
- Best-of-breed solutions integrated through APIs provide you with different levels of automation. For example: network detection and response (NDR) solutions can give you 100% visibility into your devices and, when integrated with an endpoint detection and response (EDR), you can automatically discover endpoints that are not protected and choose an automated response to install agents or manually investigate to ensure that it is a valid device.
- Manually respond first and then automate once you have certainty: the human element.
- More often than not, organizations want to have the control to identify the root cause, understand remediation options, and then manually remediate or fire off a script or orchestrate the remediation through EDR, NGFW, SIEM, or SOAR tools. For example, as in the case above, let's say your NDR solution has uncovered an incident and you have determined the level of threat warrants a response. Your NDR solution can make an API call to your NFGW or SOAR workflow to remediate the incident.
- Manual response includes investigation and forensics capabilities. If you can go from detection to forensics in a few clicks with a guided workflow you will reduce your response time. Manual response also includes threat hunting capabilities to look for emerging threats like ransomware attacks. ExtraHop's event-driven packet capture for forensics is a unique capability that doesn't require customers to turn-on "Always-On" packet capture forensics.
Actions to Improve Your Response:
- Define what 'response' means to your organization and select the right set of solutions that use APIs to integrate together to help you detect threats faster, give your analysts the intelligence they need to investigate quickly, and remediate threats before you suffer a breach.
- Improve coordination with other teams in the organization to accelerate your response. There is a real cost associated with broken communications. Bring together Security, Cloud and IT Ops teams to work together on major incidents to improve uptime, availability, and security posture. When teams are working more closely together, you will not only streamline operations and experience a higher level of productivity, but you can significantly lower your overall risk.
- Investigate network detection response (NDR) as the missing link to coordinate your responses with intelligence. ExtraHop Reveal(x) 360 enables threat hunting across a customer's entire footprint from data centers, corporate or remote sites, and multicloud.
Coordinating the Response to Threats
The average time it takes to contain a threat after identifying it is 73 days according to IBM's The 2020 Cost of a Data Breach Report. Organizations are leaving attackers too much time to breach the network. You need the investigative support to correlate events and determine your response as quickly as possible.
The network provides a source of data that can't be tampered with or evaded. NDR is a passive solution, meaning attackers don't know they are being watched. By looking at the strengths and weaknesses of each solution, let's face it, there is not one vendor who can solve all your problems, and by choosing best-in-breed coordinated responses, you can improve your security posture.
When integrated with existing security solutions, NDR provides organizations with the best possible means to stop an attack. Consider the cyber triad, coined by Gartner, that explains using your network (NDR), endpoint (EDR) and log (SIEM) solutions together will strengthen your overall security posture. An example of this is the integration between CrowdStrike EDR and Reveal(x) NDR that offers a path to a stronger security posture, complete monitoring, and faster remediation of threats at the endpoint and on the network.
To see NDR in action, check out Reveal(x) for yourself in our online, no-forms-required demo.