Did you know that incident response teams are detecting, containing and remediating incidents much faster than in 20171 ? The SANS Incident Response Survey indicates that 10% of respondents were detecting breaches within an hour2 . Yet, this is an hour that an adversary spent on your corporate network, exfiltrating data and wreaking havoc.
Our adversaries work at machine speed while defenders continue to work at human speed. That’s multiple orders of magnitude ahead of human speed. Yet, many companies are not ready to discuss implementing automation tools. In an ideal world, we talk about orchestration as the highest level. The soup to nuts approach; where we identify, resolve and document everything. Most companies though, feel there is always a need for the human touch. Truly letting tools operate at machine speed…well, many companies are not ready to do so.
Remediation through automation
Nobody feels they can just trust a system. What’s so prescriptive about automation?
- We set the criteria. If the criteria are met, take this action. These are very purposeful steps towards automating things that you know are not correct in your environment.
- Then, document actions from a change management perspective. Keep track of actions from an auditing and accountability perspective. Great tools even allow you to email Help Desk tickets and other items to change tracking tools, so you’re always auditing and capturing evidence.
How does this impact the incident response process? It gives the response team a very high certainty that the potential negative impact of business is approaching zero percent. This doesn’t replace human decision-making, rather it supplements the user’s ability to define and adapt to risks and handle threats in an automated, fully orchestrated way. As a business you’re no longer super crippled with your hands tied behind your back against this attacker because you’re operating at human speed everywhere, and they’re operating at machine speed everywhere. You’re starting to use machine speed where you can and without introducing potential negative impact to the business.
Response without hurting the business
If your company is among the 18% who could easily identify the threat actors in an incident or breach, congratulations! That means that over 82% of companies in the survey could not confidently identify threat actors and could possibly suffer a breach from the same actor 3. This is where visibility comes into play. Basic visibility in a passive mode, uses a discovery technique that inspires confidence in knowing all the devices that exist on your network and where the sensitive data is stored. In this passive discovery, it’s all about the policy. You decide how advanced you want to make it. How far do you want to push into that automation phase? No need to rip and replace. It’s all about preserving the business and its ability to continue to function in the ‘business as usual mode’. Remediation and recovery can also be automated without hurting the business. We can take those baby steps in the automation of the policies and fix things that are broken. For example, your audio/video gets updated, you install the Microsoft patches that you need. It doesn’t hurt the business, it actually greatly improves the business risk perspective.
When the incident becomes a breach
The SANS Incident Response Survey showed that the largest number of respondents had a “time to detect” between 6-24 hours, “time to contain” of 2-7 days and took roughly 2-7 days to remediate4 . How do we accelerate the incident response to get to machine speed? The obvious answer is if I can identify faster, I can contain, remediate and recover so much faster.
What’s the definition of a breach? It is a really bad incident. An incident can be a minor thing, but a breach is essentially the compromise of reportable data – patient health information, credit card information and other forms of confidential data. Increased awareness definitely shortens the investigation cycle on the breach component.
If there is a regulatory requirement to report a breach within 72 hours, you must be in a position to know the breach existed! You must be able to start off the investigation to say, “The last known configuration state of the device is X. The last known user logged in is Y.” Evidence like that is critical. It’s important to have real-time data that feeds and enhances the system of record like a CMDB, or a SIEM type of long-term aggregate device or system. The contextual evidence and information that Forescout captures and maintains about an environment becomes critical in the investigate phase. When you’re looking for evidence you can have higher confidence in the data.
The good news is that many companies are starting to plan and budget for automation. Over 50% of organizations surveyed by SANS, said they plan to spend on automating the remediation process 5. Who knows? Next year’s survey might show that defenders will have closed the dreaded gap, responding more at machine speed and finally conquering the bad guys!
To learn more about the current challenges, trends, and environment affecting incident response teams read the 2018 SANS Incident Response Survey Report here..
1https://www.sans.org/reading-room/whitepapers/incident/paper/38660
2https://www.sans.org/reading-room/whitepapers/incident/paper/38660
3https://www.sans.org/reading-room/whitepapers/incident/paper/38660
4https://www.sans.org/reading-room/whitepapers/incident/paper/38660
5https://www.sans.org/reading-room/whitepapers/incident/paper/38660
