Detecting And Responding At The Speed Of Business
A Siemplify Session From Our May 2020 Cyber Security Digital Summit
Tim Condello, the global technology leader for Siemplify, details how to detect and respond to threats at the speed of business in this fun, informative 2020 Cyber Security Summit session.
It Only Takes Once
Enterprises work hard—some more than others—to remain safe from threat actors, but the reality is, breaches happen. A hacker only has to succeed once. Once inside, adversaries can compromise and exfiltrate data within minutes to hours, while detecting and fixing the breach takes days, months, or even years.
Moving the goalposts for security professionals to better align with their adversaries should be the north star of the cyber security industry. With this in mind, the industry came up with the “1, 10, 60” timeline. That is, detect in one minute, investigate in 10 minutes, and remediate in 60 minutes.
Enterprise network environments are only getting broader and more complex. Tim, then, isn’t surprised that 95% of respondents to the 2020 SANS Cyber Threat Intelligence (CTI) Survey say they don’t even come close to the 1, 10, 60 goal. Still, he doesn’t think the goal is unrealistic. “As we continue to iterate on our processes, as we continue to look at how we do things inside of the security operations center, I think we can get there.”
Identifying the problem is the first step to defining a solution. Tim lays out a few of the roadblocks on the way to a viable cyber security strategy.
- The steep learning curve to working in cyber security leads to a shortage of manpower. Not enough people are graduating with degrees that are pertinent to the field.
- There’s a lack of automation and orchestration, which is leading to too many alerts. No one vendor has a one-size-fits-all solution, and multiple vendors sending multiple alerts creates an information overload.
- Siloed vendor solutions and siloed enterprise departments also create a latency in the ability to understand and respond to cyber threats.
Tim lays out a five-step solution for increasing the velocity of detecting and responding at the speed of business. The steps are:
- Adopting a threat-centric approach
- Clearly defining your response process
- Leveraging automation and orchestration
- Collaborating and communicating
- Tracking and measuring
Multiple alerts from varied sources like EDR, IPS, etc. create a myopic view of what’s going on. One specific alert only offers one part of the adversary’s process. Instead, Tim says, “What you need to be able to do is ensure that your tools are readily accessible by your security team so that they can look and understand across all of your products what's going on and take that threat-centric approach to ensure that they're adding context to what's going on inside your environment. Additionally, we need to ensure that we're building repeatable and scalable processes.” Improving on an imperfect process is far better than having no process at all. Building and defining a threat-centric process paves the way for leveraging automation and orchestration.
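One way to take the threat-centric view described above is to group alerts from different products into a single case whenever they share an entity. This is an added example, not code from the session or from Siemplify; the alert fields, entity labels and 30-minute window are assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample alerts: three products reporting on overlapping
# entities, one unrelated alert, and one late alert on a known host.
ALERTS = [
    {"id": "a1", "source": "EDR", "time": "2020-05-12T09:00:10",
     "entities": {"host:ws-17", "user:jdoe"}},
    {"id": "a2", "source": "IPS", "time": "2020-05-12T09:04:30",
     "entities": {"host:ws-17", "ip:203.0.113.9"}},
    {"id": "a3", "source": "Proxy", "time": "2020-05-12T09:20:00",
     "entities": {"ip:203.0.113.9"}},
    {"id": "a4", "source": "EDR", "time": "2020-05-12T09:05:00",
     "entities": {"host:srv-02"}},
    {"id": "a5", "source": "IPS", "time": "2020-05-12T15:00:00",
     "entities": {"host:ws-17"}},
]

def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts into cases. An alert joins a case when it shares an
    entity with it and arrives within `window` of the case's last alert."""
    cases = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        ts = datetime.fromisoformat(alert["time"])
        matches = [c for c in cases
                   if c["entities"] & alert["entities"]
                   and ts - c["last_seen"] <= window]
        if matches:
            case = matches[0]
            for other in matches[1:]:  # alert bridges two cases: merge them
                case["alerts"] += other["alerts"]
                case["entities"] |= other["entities"]
                case["sources"] |= other["sources"]
                cases.remove(other)
        else:
            case = {"alerts": [], "entities": set(), "sources": set()}
            cases.append(case)
        case["alerts"].append(alert["id"])
        case["entities"] |= alert["entities"]
        case["sources"].add(alert["source"])
        case["last_seen"] = ts
    return cases

if __name__ == "__main__":
    for case in correlate(ALERTS):
        print(case["alerts"], sorted(case["sources"]), sorted(case["entities"]))
```

The proxy alert `a3` never names the workstation, yet it lands in the same case as the EDR and IPS alerts because `a2` links the host to the external IP.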
Big data and data silos are best perused by automation. Then, the human element makes decisions off of those findings. Threat actors bank on slow detection and response times, because there are too many places to hide. By understanding what resides in our environment and connecting it together through automation, we can efficiently and intelligently respond to an automation tool’s findings.
Communication plans for incident response are found in most cyber security strategies, and that is well and good, but what is lacking is communication within the security operations center. Communicating internally involves closing the disruptive loop of continual information or status inquiries. Instead, a communication plan ensures that information resides in a specific, accessible area where senior management and other key players can go and proactively retrieve it.
Additionally, a communication plan applies a specific meaning to a word. A “crisis” means something specific. Alerts and threats are labeled and categorized. Defining words means that everyone understands what is happening when it’s happening and can respond appropriately. It allows the team to act quicker, move smoother, and get ahead of whatever’s next.
Finally, Tim concludes, all of the actions that happen inside of the security operations center need to be measured and tracked. As Tim says, “By continuing to rehearse, by continuing to review the data that is captured within your security operations center, you can iterate on this. You can identify when you're being targeted. Furthermore, you can identify the most effective way to do that.”
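To make the tracking step and the “1, 10, 60” timeline concrete, the following added example scores incident records against those three targets. It is not code from the session or from Siemplify; the record field names are hypothetical, the incidents are constructed, and it assumes each phase is timed from the end of the previous one.

```python
from datetime import datetime
from statistics import median

# Targets from the "1, 10, 60" timeline, in minutes.
TARGETS = {"detect": 1, "investigate": 10, "remediate": 60}
# Assumption: each phase is timed from the end of the previous one.
PHASES = {"detect": ("occurred", "detected"),
          "investigate": ("detected", "investigated"),
          "remediate": ("investigated", "remediated")}

# Constructed incident records (hypothetical field names). None = phase still open.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2020-05-12T09:00:00", "detected": "2020-05-12T09:00:45",
     "investigated": "2020-05-12T09:08:45", "remediated": "2020-05-12T09:50:00"},
    {"id": "INC-2", "occurred": "2020-05-12T11:00:00", "detected": "2020-05-12T11:30:00",
     "investigated": "2020-05-12T12:15:00", "remediated": "2020-05-12T15:15:00"},
    {"id": "INC-3", "occurred": "2020-05-12T14:00:00", "detected": "2020-05-12T14:00:30",
     "investigated": "2020-05-12T14:20:30", "remediated": "2020-05-12T15:00:30"},
    {"id": "INC-4", "occurred": "2020-05-12T16:00:00", "detected": "2020-05-12T16:00:50",
     "investigated": None, "remediated": None},
]

def phase_minutes(incident):
    """Minutes spent in each phase, or None when a timestamp is missing."""
    out = {}
    for phase, (start, end) in PHASES.items():
        if incident.get(start) and incident.get(end):
            delta = (datetime.fromisoformat(incident[end])
                     - datetime.fromisoformat(incident[start]))
            out[phase] = delta.total_seconds() / 60
        else:
            out[phase] = None
    return out

def scorecard(incidents):
    """Per phase: median minutes, percent within target, and the misses.
    An open phase is left out of the median but counted as a miss."""
    timed = {i["id"]: phase_minutes(i) for i in incidents}
    report = {}
    for phase, target in TARGETS.items() if timed else []:
        done = [m[phase] for m in timed.values() if m[phase] is not None]
        missed = [iid for iid, m in timed.items()
                  if m[phase] is None or m[phase] > target]
        report[phase] = {
            "median_min": round(median(done), 2) if done else None,
            "met_pct": round(100 * (len(timed) - len(missed)) / len(timed), 1),
            "missed": missed,
        }
    return report
```

The list of missed incident IDs per phase is what makes the measurement actionable: it points at the cases to review when iterating on the response process.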
Tim wraps up the discussion with a lengthy Q&A session, answering questions like, “How often should you conduct cyber tabletop exercises to make sure response times and processes are acceptable for your business?” and, “What security platform can we use to detect cyber threats?” amongst others. Tim also encourages anyone who is interested to check out Siemplify’s free community edition to help their organization work through the five steps.