About a month ago, I reported on a study from Ponemon Institute and AccessData that revealed that most companies are doing a poor job when it comes to detecting and effectively responding to a cyberattack. As Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement when the report was released:
“When a cyber-attack happens, immediate reaction is needed in the minutes that follow, not hours or days. It’s readily clear from the survey that IR processes need to incorporate powerful, intuitive technology that helps teams act quickly, effectively and with key evidence so their companies’ and clients’ time, resources and money are not lost in the immediate aftermath of the event.”
AccessData’s Chief Cybersecurity Strategist, Craig Carpenter, has been looking at this problem in some depth. We aren’t totally clueless about why these attacks are able to cause tremendous amounts of damage, both financial and reputational, to companies. For example, as information about the Target breach continues to trickle out, we have a pretty good idea of how and why the incident occurred. Our concern now, Carpenter said in a blog post, is fixing these problems. The key, he said, is prioritization and improved integration. In an email to me, Carpenter provided a few steps every company should take to prevent a “Target-like” breach in the future:
- Utilize integrated threat intelligence to get full visibility into potential threats, in near real-time. Integration of endpoint and network visibility, he said, as well as data from past incidents, gives the user a holistic view of suspect code and threat actors, allowing the small number of relevant alerts to be separated from the large volume of “noise” coming out of the various feeds.
- Employ tools that automatically initiate a forensic investigation, including confirmation of a compromise, capture of key forensic data, and comparison to known indicators. This saves the user precious time manually hunting for relevant data, so he or she is able to assess the situation quickly, increasing effectiveness and efficiency.
- Automate the response to incidents based on the fact that many of the same steps need to be followed, regardless of the specific event. An IR system should be able to automatically isolate a system and communications with it, alert stakeholders and resolve the incident. These are common steps that should be taken at the first sign of any security event – even an unusual one that hasn’t been seen before.
- Hunt automatically along the network and endpoints to ensure other systems are not compromised, and automatically isolate anything that is compromised.
- Employ an automatic closed-loop threat intel ecosystem to integrate intelligence back into the system automatically – thus avoiding a compromise by the same malware or threat actor twice.
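The five steps above describe one automated, closed-loop IR workflow. The Python sketch below is an added illustration written for this page; it is not AccessData's product and not Carpenter's code. Every host name, alert, indicator and function name (`triage`, `confirm`, `respond`, `hunt`, `run_pipeline`) is a constructed assumption. It triages a noisy two-feed alert stream against known indicators, confirms a compromise from artifacts a forensic agent captured on the endpoint, isolates and notifies, pivots the alerts on the confirmed host into derived indicators, hunts the remaining endpoints with them, and feeds the result back into the intel set so the same actor is flagged at triage the next time.

```python
from copy import deepcopy

# Constructed threat intelligence: indicators from past incidents and feeds.
INTEL = {
    "hash": {"deadbeef01"},   # hypothetical malware sample hash
    "ip": {"203.0.113.7"},    # hypothetical C2 address (TEST-NET-3 range)
}

# Constructed endpoint inventory: what a forensic agent would capture on each
# host (file hashes seen, remote IPs contacted).
ENDPOINTS = {
    "pos-01": {"hash": {"deadbeef01", "00ff"}, "ip": {"203.0.113.7", "198.51.100.9"}},
    "pos-02": {"hash": {"c0ffee02"}, "ip": {"198.51.100.9"}},
    "hr-01": {"hash": {"00ff"}, "ip": {"192.0.2.1"}},
}

# Constructed alert stream from two feeds (network sensor and endpoint agent).
ALERTS = [
    {"feed": "network", "host": "pos-01", "type": "ip", "value": "203.0.113.7"},
    {"feed": "endpoint", "host": "pos-01", "type": "hash", "value": "deadbeef01"},
    {"feed": "network", "host": "pos-01", "type": "ip", "value": "198.51.100.9"},
    {"feed": "network", "host": "pos-02", "type": "ip", "value": "198.51.100.9"},
    {"feed": "network", "host": "hr-01", "type": "ip", "value": "192.0.2.1"},
    {"feed": "endpoint", "host": "hr-01", "type": "hash", "value": "00ff"},
]


def is_ioc(intel, kind, value):
    return value in intel.get(kind, set())


def triage(intel, alerts):
    """Step 1: separate relevant alerts from noise using integrated intel.
    A host is of interest if any feed raised an alert matching known intel;
    every alert on that host is then kept so the analyst sees the whole picture."""
    hosts = {a["host"] for a in alerts if is_ioc(intel, a["type"], a["value"])}
    relevant = [a for a in alerts if a["host"] in hosts]
    noise = [a for a in alerts if a["host"] not in hosts]
    return relevant, noise


def confirm(intel, endpoints, host):
    """Step 2: automatic forensic confirmation. Compare captured artifacts with
    known indicators and return the matches (empty dict means not confirmed)."""
    matches = {}
    for kind, values in endpoints[host].items():
        hit = values & intel.get(kind, set())
        if hit:
            matches[kind] = hit
    return matches


def respond(host, actions):
    """Step 3: the same containment steps for every confirmed host."""
    actions.append(f"isolate:{host}")
    actions.append(f"notify:soc:{host}")


def hunt(intel, endpoints, skip):
    """Step 4: sweep the remaining endpoints for the (now expanded) indicator set."""
    return {h for h in endpoints if h not in skip and confirm(intel, endpoints, h)}


def run_pipeline(intel, endpoints, alerts):
    intel = deepcopy(intel)  # the closed loop returns updated intel, never mutates input
    actions = []
    relevant, noise = triage(intel, alerts)
    confirmed = {}
    for host in sorted({a["host"] for a in relevant}):
        found = confirm(intel, endpoints, host)
        if found:
            confirmed[host] = found
            respond(host, actions)
    # Pivot: values raised in alerts on confirmed hosts that intel did not yet
    # know become derived indicators. Deliberately NOT every artifact on the
    # host: "00ff" is also present on hr-01 and is presumably a benign shared file.
    derived = {}
    for a in relevant:
        if a["host"] in confirmed and not is_ioc(intel, a["type"], a["value"]):
            derived.setdefault(a["type"], set()).add(a["value"])
    for kind, vals in derived.items():  # Step 5: feed intel back into the system
        intel.setdefault(kind, set()).update(vals)
    hunted = hunt(intel, endpoints, skip=set(confirmed))
    for host in sorted(hunted):
        respond(host, actions)
    return {"confirmed": confirmed, "hunted": hunted, "noise": noise,
            "derived": derived, "actions": actions, "intel": intel}


if __name__ == "__main__":
    result = run_pipeline(INTEL, ENDPOINTS, ALERTS)
    print("actions:", result["actions"])
    print("derived indicators:", result["derived"])
    # Same alert stream re-triaged with the updated intel: pos-02 is now caught
    # at step 1 instead of only during the hunt.
    print("re-triage hosts:", sorted({a["host"] for a in triage(result["intel"], ALERTS)[0]}))
```

Two design choices matter more than the plumbing. First, triage keeps every alert on a host once one of its alerts matches intel, which is what "integrated" visibility buys: the unknown IP that pos-01 contacted only becomes interesting because the endpoint feed independently matched a known hash on the same box. Second, the pivot promotes only values that actually raised alerts on a confirmed host, not the host's whole artifact set; promoting everything would turn the shared hash "00ff" into an indicator and the closed loop would start quarantining healthy machines on the next sweep.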
Staying ahead of cyber incidents isn’t easy. The bad guys are very good at staying one step ahead. But as Carpenter pointed out with these tips, IT and security staff need to be vigilant at all times.