Guest Blog by Richard Stiennon, Chief Research Analyst at IT-Harvest
Reaction times are everything. Anyone who has had a near miss while driving on the highway knows that quick reflexes can mean the difference between a good story and a very, very bad day. Reaction time is beginning to be a key metric in cyber incident response too. We know what poor reaction time looks like from recent surveys and extreme cases like Nortel Networks, which never reacted to a serious incursion that lasted over ten years.
The cutting edge of cyber defense today is all about recognizing that a determined attacker will get in. Steps must be taken to detect that incursion, analyze it, and shut down the attack before data is lost or damage done.
We are still in the early days of incident response technology. Vendors are approaching the problem from all angles. Network behavior monitoring, endpoint detection, beaconing detection, and machine learning are all being applied to the problem. Ingesting threat intelligence feeds and comparing them to network metadata, full packet capture, and firewall logs is usually part of the solution. Honeypots are even seeing a new life as deception products that can slow down an attacker and provide custom intelligence about their methods, means, and intent.
Most, if not all, incident management strategies involve mining huge databases of logs, alerts, and network traffic, to look for anomalous activity. The most advanced security operations centers employ experienced (expensive) data analysts to formulate the queries and perform the forensics to answer the questions: What happened? When? How should we respond? And how do we prevent future attacks like this?
Gone are the days when better correlation is the answer. SIEMs alone are not enough. Analysts must have the tools to quickly mine data, link interesting incidents, draw inferences from disparate events, and keep track of their investigations. With these tools they can shorten the “Mean Time to Know” (MTtK), the time required to figure out what just happened.
With powerful link analysis capabilities, like those used by law enforcement agencies to track terrorist activity, an analyst can speed incident response efforts by gaining rich contextual knowledge about how data elements relate to each other via Linked Data Models. An analyst can decrease MTtK by using these techniques to investigate incidents.
This level of analytic capability is often only present in organizations with mature cyber defense operations, but every organization has to ramp up to this level quickly. Time is short because attackers are beginning to recognize that they have to accelerate their own operations. As incident response gets better, they realize that the old days of methodical shift work are coming to an end. Scoping, reconnaissance, probing, and delivery of malicious payloads are all things that have been done in a leisurely fashion in the past. Month-long sequences have been shortened to days and to hours.
Attackers will very soon realize, perhaps by late 2015, that they have to up their game. They will start to use automated attacks and launch autonomous malware packages (remember Stuxnet?) against their targets. Defenders are going to have to accelerate their response times by incorporating tools that help them to link disparate events, infuse context into observed network behavior, and quickly analyze what is happening.
[Figure: The Stuxnet pathway, mapped visually.]
If your typical time to know is measured in days (or worse!), you have work to do. Incorporating link analysis and ingesting security intelligence is the first step to improving incident response times.
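The post describes, without showing, how ingesting threat intelligence and running link analysis over disparate events (proxy, DNS, auth, netflow, endpoint alerts) lets an analyst answer "what happened, and when" faster. The following script is an added illustration of that idea, written for this page; it is not code from the author or from IT-Harvest. Every event, indicator and context string in it is constructed for the example: a small linked data model is built from the events, entities are matched against an intel feed, and a bounded-hop walk from each hit returns the related users, hosts and artifacts together with the chain of log sources that connects them and the earliest timestamp in the cluster.

```python
from collections import defaultdict, deque

# Constructed sample events from disparate log sources (not real data).
# Each event links two entities; 'source' records which log it came from.
EVENTS = [
    # (timestamp, source, entity_a, entity_b)
    ("2015-03-02T08:01:12Z", "auth",    "user:alice", "host:ws-17"),
    ("2015-03-02T08:03:40Z", "proxy",   "host:ws-17", "domain:update-cdn.example"),
    ("2015-03-02T08:03:41Z", "dns",     "domain:update-cdn.example", "ip:203.0.113.9"),
    ("2015-03-02T08:05:02Z", "netflow", "host:ws-17", "ip:203.0.113.9"),
    ("2015-03-02T08:09:55Z", "edr",     "host:ws-17", "hash:0badf00d"),
    ("2015-03-02T09:15:00Z", "auth",    "user:alice", "host:fs-02"),
    ("2015-03-02T09:16:31Z", "netflow", "host:fs-02", "ip:203.0.113.9"),
    ("2015-03-02T10:00:00Z", "auth",    "user:bob",   "host:ws-22"),
    ("2015-03-02T10:02:11Z", "proxy",   "host:ws-22", "domain:news.example"),
]

# Constructed threat-intelligence feed: indicator -> context (not a real IoC).
THREAT_INTEL = {
    "ip:203.0.113.9": "known C2 infrastructure (constructed example)",
}


def build_graph(events):
    """Linked data model: every entity is a node; every event is an
    undirected edge annotated with its log source and timestamp."""
    graph = defaultdict(list)
    for ts, source, a, b in events:
        graph[a].append((b, source, ts))
        graph[b].append((a, source, ts))
    return graph


def intel_hits(events, intel):
    """Compare every observed entity against the intel feed.
    Returns {indicator: context} for indicators actually seen in our data."""
    seen = {entity for ev in events for entity in ev[2:]}
    return {ind: ctx for ind, ctx in intel.items() if ind in seen}


def link_analysis(graph, seed, max_hops=2):
    """Breadth-first walk from a seed indicator, bounded by hop count.
    Returns {entity: [(from, source, to), ...]} -- the chain of links
    that connects the seed to each related entity."""
    paths = {seed: []}
    queue = deque([(seed, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue
        for neighbour, source, _ts in graph[node]:
            if neighbour not in paths:
                paths[neighbour] = paths[node] + [(node, source, neighbour)]
                queue.append((neighbour, hops + 1))
    return paths


def first_seen(events, entities):
    """Earliest timestamp of any event touching the linked cluster,
    i.e. the 'when' an analyst needs for the incident timeline."""
    stamps = [ts for ts, _src, a, b in events if a in entities or b in entities]
    return min(stamps) if stamps else None


def investigate(events=EVENTS, intel=THREAT_INTEL, max_hops=2):
    """End-to-end: ingest intel, find hits, expand each hit by link analysis."""
    graph = build_graph(events)
    findings = {}
    for seed, ctx in intel_hits(events, intel).items():
        related = link_analysis(graph, seed, max_hops)
        findings[seed] = {
            "context": ctx,
            "related": related,
            "first_seen": first_seen(events, set(related)),
        }
    return findings


if __name__ == "__main__":
    for seed, finding in investigate().items():
        print(f"intel hit {seed}: {finding['context']}")
        print(f"  earliest linked activity: {finding['first_seen']}")
        for entity, chain in finding["related"].items():
            if chain:
                hops = " -> ".join(f"{a} [{src}]" for a, src, _ in chain)
                print(f"  {entity}: via {hops}")
```

With the constructed data, the single intel hit expands to two hosts, one user, one domain and one file hash, while the unrelated activity of `user:bob` and `host:ws-22` stays outside the cluster; the earliest linked event is the 08:01 logon, which is several hours before the second host contacted the indicator. Bounding the walk with `max_hops` is the design choice that keeps the answer useful: unbounded expansion over shared entities such as a domain controller would pull the whole estate into every investigation.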