Why modern cyber attacks require a multi-step plan
The world is once again reeling from a massive ransomware attack that either severely impacted companies’ operations or caused them to take a closer look at their ability to identify, contain and remediate these incidents. As attacks on enterprise networks grow more common and complex, incident response (IR) teams and security operations centers (SOCs) grow increasingly besieged: 44 percent of security operations managers see more than 5,000 alerts every day, according to the Cisco 2017 Annual Cybersecurity Report. Due to the staggering volume, organizations only investigate 56 percent of these alerts, and remediate less than one-half of the actual threats they receive.
Clearly, cybersecurity managers and staffers are overwhelmed. That’s why they must work with their leadership to come up with a multi-step process to effectively monitor, identify and eliminate threats. With this in mind, we’ve developed what we call an "IR Hierarchy of Needs" to empower SOC and IR teams:
The right people, processes and tech. We all know that the hiring market for open cybersecurity jobs is brutal: The global workforce gap for the profession is expected to grow to 1.8 million vacancies by 2022 -- a 20 percent increase compared to 2015, according to research from Frost & Sullivan, the Center for Cyber Safety and Education and (ISC)². But a strong incident response plan requires far more than simply bringing aboard skilled people in a tight market and assuming that good things will happen, because they won’t -- especially if IR/SOC teams don’t have the proper processes and tools in place to do their jobs.
Processes determine the appropriate way to monitor threats, and how to respond to the various types (malware arriving through email, web surfing, etc.). The tools must cover the range of attacks that organizations actually encounter, for example: "We’re getting lots of phishing emails … Do our tools enable us to capture these?" If not, then the needed processes do not align with technology capabilities -- and this is a problem that the best and brightest cybersecurity minds can’t resolve if their employer isn’t willing to invest in the right solutions.
Collaboration through workflow. Again, well-thought-out processes make this possible. When team roles and resources are communicated clearly throughout the enterprise, efficiency and effectiveness improve greatly. Without this, for example, you could have a team member in New York spending 45 minutes investigating the same suspicious email that another team member in Chicago already spent a half hour on. Neither member knows what the other is doing, and the duplicated effort is wasted time. Through complete awareness of and transparency into what everyone is doing -- and how they are to proceed -- SOCs avoid this.
Visibility. It’s critical to have total -- and accurate -- visibility of the network and all systems, with real-time information that teams analyze to determine network and application activity. Technology capabilities prove essential here, because you can’t identify what you can’t see. It’s like the classic "a tree falls in the forest but no one is around to hear it" debate. Yet, in this case, the answer is unambiguous: Without technology-enabled visibility, a threat will still exist and it will still cause trouble -- precisely because you never saw it.
Automated Containment and Investigations. Most security teams are overwhelmed by alerts, and 93 percent are unable to triage all relevant threats, based on the December 2016 McAfee Labs Threats Report. It’s no wonder then that 57 percent of organizations have adopted incident response automation and orchestration solutions while another 36 percent are currently engaged in an IR automation and orchestration project or plan to initiate one in the next 24 months, according to research from Enterprise Strategy Group. Automated identification and containment isn’t enough, however. You need context as well for investigations. For example, if you receive an email phishing alert from what looks like a retailer, you want to know immediately whether the email’s domain is legitimately associated with the retailer, or whether it’s more likely a ruse from a potential hacker. If you conclude that it’s a hack, then your automated products should tell you how many users are receiving it and what kind of damage it can do.
Automated Resolution. Obviously, after identifying, containing and investigating a threat, you want to get rid of it. But you don’t want automated solutions that will quickly and forcefully delete emails or shut down computers, because human insight matters here. Sure, automation exposes certain "bad things" that are unquestionably attacks. But others are less certain. A suspicious internet link that your CFO called up, after all, may have a perfectly legitimate, business-focused purpose. Given this, automation must allow for human intervention, so you’re able to contact the CFO and ask them about the online activity. Otherwise, you’ll shut down computers and block emails for reasons that prove unfounded, disrupting business while losing credibility with impacted users.
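The triage logic described across the workflow, investigation and resolution points above, as an added example (not Syncurity or IR-Flow code): it collapses duplicate investigations of the same message, enriches each phishing alert with whether the sender domain legitimately belongs to the claimed brand and how many users received it, and only auto-contains the unambiguous cases, routing the rest to an analyst. The brand-to-domain allowlist, alert records and threshold are constructed for the example.

```python
# Constructed allowlist: sender domains that legitimately belong to a brand.
KNOWN_BRAND_DOMAINS = {"acme-retail": {"acme-retail.com", "mail.acme-retail.com"}}

# Constructed phishing alerts: (alert_id, claimed brand, sender domain, recipient).
ALERTS = [
    ("a1", "acme-retail", "acme-retail.com", "cfo@corp.example"),
    ("a2", "acme-retail", "acme-retai1.com", "alice@corp.example"),
    ("a3", "acme-retail", "acme-retai1.com", "bob@corp.example"),
    ("a4", "acme-retail", "acme-retai1.com", "alice@corp.example"),  # duplicate of a2
    ("a5", "acme-retail", "acme-retail-offers.net", "cfo@corp.example"),
]

def dedupe(alerts):
    """Collapse repeated (sender domain, recipient) pairs so two analysts
    never spend time investigating the same message independently."""
    seen, unique = set(), []
    for alert in alerts:
        key = (alert[2], alert[3])
        if key not in seen:
            seen.add(key)
            unique.append(alert)
    return unique

def enrich(alerts):
    """Per sender domain: is it a known domain of the claimed brand, and
    which distinct users received mail from it (the blast radius)."""
    context = {}
    for _, brand, domain, recipient in alerts:
        legit = domain in KNOWN_BRAND_DOMAINS.get(brand, set())
        entry = context.setdefault(domain, {"legit": legit, "recipients": set()})
        entry["recipients"].add(recipient)
    return context

def decide(context, auto_contain_threshold=2):
    """Unambiguous (spoofed domain reaching several users) -> auto-contain.
    Ambiguous (single recipient) -> escalate so a human can ask the user.
    Legitimate brand domain -> close as a likely false positive."""
    decisions = {}
    for domain, entry in context.items():
        if entry["legit"]:
            decisions[domain] = "close: sender domain belongs to the brand"
        elif len(entry["recipients"]) >= auto_contain_threshold:
            decisions[domain] = "auto-contain: quarantine mail, block sender"
        else:
            decisions[domain] = "escalate: analyst confirms with recipient"
    return decisions

def run_playbook(alerts=ALERTS):
    """Full pipeline: dedupe -> enrich -> decide."""
    return decide(enrich(dedupe(alerts)))
```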
As indicated, IR teams are taking on a lot these days. They could use some help. Fortunately, "help" doesn’t necessarily involve investment in a long list of costly solutions. By aligning your human assets, processes and tech capabilities to address the aforementioned "IR hierarchy of needs", you’ll significantly reduce pain points while providing greater structure, visibility and, of course, security. Ultimately, it will give team members the sense of stability -- and peace of mind -- that they seek.
JP Bourget, Founder and Chief Security Officer of Syncurity, has more than 10 years of experience in cybersecurity. With a passion for bringing solutions to cybersecurity teams that save time and make life easier, JP works with Syncurity’s customers and market influencers to drive adoption of the company’s flagship IR-Flow platform. Prior to co-founding Syncurity, JP was a Network Security Manager at a $200 million global manufacturing company, where he redesigned the enterprise network, systems and security architecture from the ground up to better align with business needs and uptime requirements. He also previously served as an adjunct professor at Rochester Institute of Technology, teaching undergraduate classes in Network Security and Forensics.