Why automation is the future of incident response [Q&A]
A security breach can lead to serious reputational and legal issues for enterprises. The speed and effectiveness with which they are able to respond to incidents is therefore crucial.
Larry Gagnon, senior vice president, global incident response at eSentire, believes that the way to address this is by greater automation incident response. We talked to him to find out more.
BN: What are the right questions to ask around incident response before you have a problem? Are there any areas to avoid or that you can waste time on?
LG: The implications of choosing the right incident response (IR) provider go well beyond the initial technical investigation. The very foundation of your defense in a future claim may rely heavily on the processes, findings, and deliverables provided by that IR team. The overall accuracy of the technical findings, and ability to competently defend those findings, are where the better IR providers shine.
Generally, you want to assess the IR provider's level of technical competence, industry experience, scalability, and availability. Additionally, we want to know whether their services are delivered in a manner consistent with industry best practices.
For example, how much time will elapse between the initial request for assistance and delivery of the contracted services? Similarly, what methodology will the provider use for threat containment, and suppression? Equally what do the deliverables look like, so you can be sure you can deploy them quickly?
You will also want to understand how well the provider can support you after the breach investigation, for example around testifying in legal cases and taking part in cyber insurance cases. There is also the personal side -- how does client communication take place and what do reports look like? If you can get an anonymized sample report, this can tell you a lot.
BN: What is the level of demand for IR today, and is it rising?
LG: The demand around IR is high today and will continue to rise. Partly, this is because there are just more successful security breaches taking place, but cyber insurance is another main reason for this increase in demand.
Companies want to ensure they can afford any heavy fines that come with the potential litigation following a breach, and they want coverage to get their operations back up and running. Cyber insurance is a no-brainer for these organizations as the insurance company will pay out to cover those expenses, as long as they follow the instructions of the cyber insurer. This will include a full IR exercise.
With more direct attacks, and more need for IR to cover insurance requirements around those breaches, the demand for IR will continue to go up.
BN: How much can you use automation in IR, and how does it complement manual expertise and understanding?
LG: The first step in IR involves knowing what has taken place and that involves looking at data. This starts with that basic triage level analysis, looking at standard groups of log files, registry artifacts and memory samples taken from the impacted systems. This process is becoming more standardized, and that is where automation can come in.
In this analysis phase, we look for common events or behavior associated with attacks -- imagine a user account suddenly logging into a domain controller to add a process on a Sunday, or an outbound connection to an unknown server based in Eastern Europe or China when you don’t have operations in those regions, starting early in the morning. When you can spot these kinds of outlier behavior, and better still detect them automatically, you can speed up that initial analysis phase.
This does not replace human analysis and insight -- you need that experience in order to really delve into the details and find the real issues. Automation cuts the amount of time it takes to get to the root of the problem. This reduces the overall cost of the engagement to businesses, as well as making it easier to fix the problems involved.
BN: How quickly should your IR investigations take place, and what does 'good' look like?
LG: Any IR investigation should take place as soon as possible. It can prevent more damage by bad actors if you can detect and respond early, and IR can also help you prove that you have dealt with all the problems associated with an attack.
If you have been in a situation where there is a security incident, then you will know that there will be so many people that want information on what happened, and how serious the issue is. This will include other internal teams, board members and those responsible for dealing with customers. There will also be external contacts that will need data from you, from industry and compliance organizations through to law enforcement. There might also be interest from the general public, if your company has a brand presence.
For us, we have redefined the gold standard with our four hour service level agreement to carry out that initial remote investigation and have the threat suppression in place. We use state-of-the-art network and endpoint sensors to get visibility and remote triage data for forensic analysis, and then carry out evidence capture, investigation and incident recovery. We support the incident response lifecycle end-to-end, prioritizing rapid deployment to stop an attack as well as threat eradication, root cause analysis and security enhancements to eliminate the chance for recurrence. The quicker you're on top of the problem, the better the outcome will be.
BN: How can you keep the business running as normal while an IR process is taking place?
LG: There are two models that you can take to get back to normal quickly and keep the business operating. The first is to use cloud services that are separate from the existing production systems or IT network. This should provide your staff with all their usual productivity tools, storage and collaboration tools, and help them keep working. Over time, you can bring over any data that has been tested and is known to be clean. This can be a good approach if your firm is smaller and you use common off the shelf applications.
The second model is commonly referred to as a greenfield rebuild. Your IT team can create a new Virtual Local Area Network (VLAN) and encircle this with your security solutions. You can then implement new, clean devices within this VLAN and get backup images installed. If you have a significant enough issue, you may need a complete rebuild from the ground up.
For enterprises and those companies that run large-scale internal applications, this second approach is normally required. You will have to scan and check all the data that you bring into this environment, but once these tasks are completed, you can get your operations back in place.
BN: What kind of post-breach services do companies need help with?
LG: After a breach takes place and the IR process is complete, there are further steps that you may have to think through. For example, if your company is regulated or has gone through a significant data loss, then you may need litigation support. This will cover how your company goes through the problems that it has had -- your IR data will be essential to demonstrate how the attack took place, as well as how well prepared your systems were before the attack took place.
This will normally include an evidence collection phase, where you have to manage how that data for litigation and investigation is put together. This can be a very sensitive process, depending on how much forensic analysis is needed and how big the legal issues will be.
Lastly, there will be the process for getting your business back to normal. After a big incident, your team may feel like they have been absolutely battered, but there will still be the job of getting things back and operational, and getting a strong security posture in place again.