I’ve been focused on security analytics for several years, and spent a good part of 2015 investigating technologies and methodologies used for incident response. Based upon lots of discussions with cybersecurity professionals and a review of industry research, I’ve come up with a concept I call the incident response “fab five.” Enterprise organizations with the most efficient and effective incident detection and response tend to establish best practices and synchronization in 5 distinct areas:
This centers on understanding the state and activities of host computers. Host monitoring tends to concentrate on Windows PCs, but may also include oversight of Macs, Linux, servers, and even cloud-based workloads. Historically, host monitoring was based upon log collection and analysis but SOC managers are also embracing open source EDR tools (i.e. GRR, MIG, etc.) as well as commercial forensic offerings (i.e. Carbon Black, Countertack, Hexis Cyber Solutions, Guidance Software EnCase, RSA Ecat, Tanium, etc.). The trend is toward collecting, processing, and analyzing more host forensic data in real-time.
Beyond network logs, I see leading-edge organizations collecting and analyzing a combination of flow and PCAP data. Think of technologies from Arbor Networks, Blue Coat (Solera), FireEye (nPulse), Lancope, and RSA (NetWitness). Once again, the ability to get the data you need in real-time matters a lot. Note that this activity tends to require the ability to decrypt, process, and route encrypted network traffic as well.
Strong CERT programs collect, process, analyze and correlate external threat intelligence and then compare it to what’s happening inside the firewall. In this instance, threat intelligence includes open source, commercial feeds (i.e. iSight Partners, Norse, Symantec DeepSight, etc.) as well as intelligence from static/dynamic malware analysis. Leading organizations have developed or purchased threat intelligence platforms to deduplicate, correlate, and normalize external threat intelligence and tend to be further ahead with threat intelligence standards like STIX and TAXII.
User behavior monitoring
Top incident responders keep an eye on user actions looking for insider threats and identity theft. This area is probably the most elementary right now, usually based upon customized dashboards/tools that pull data from Active Directory, authentication tools, system logs, and MDM systems. I believe we’ll see a lot of adoption of more automated User Behavior Analytics (UBA) tools this year from vendors like Exabeam, Fortscale, Gurucul, and Securonix.
Clearly, large enterprise organizations are basing incident detection and response activities on massive amounts of data in order to gain situational awareness and take the appropriate remediation actions. Unfortunately, doing so isn’t very efficient when IR depends upon an army of independent tools and reporting engines distributed throughout the network. Enterprises are addressing this with IR automation and orchestration by building their own runbooks/workflows, tapping into software APIs, writing scripts, or deploying commercial IR platforms from CyberSponse, Invotas, Phantom Cyber, Resilient Systems, or ServiceNow. I also expect a lot of IR automation/orchestration activity in 2016.
One final observation: Many organizations continue to back-end IR processes with SIEM tools (i.e. IBM QRadar, LogRhythm, Splunk, etc.). In many cases, SOC teams are highly-skilled with these tools and often use them to aggregate IR data, triage events, and train junior analysts.
To improve IR in 2016, CISOs should make sure that they have a strategy for coordination and progress in all 5 areas.