Cambridge, Mass. - As the threat landscape continues to evolve, cybersecurity experts rely more on detection and incident response, making security a collaborative exercise. But, where do they start?
Many security executives used the MASSTLC Conference as a launching point.
Chris Poulin, research strategist of X-Force at IBM, said, "The problem is that it takes them understanding their environment. How much is too much data being downloaded or uploaded? SIEMs look at thresholds to understand policy and compliance, but they also have to have environmental knowledge. Users don’t typically up/download certain size files."
Understanding their environment requires the manpower that most enterprises don't have right now. So how does a security team gain an understanding of their environment when they are inundated with alerts and spending their days putting out fires?
"There are two concepts. Asset inventory and data discovery. Those two concepts are closely allied. They need to know what systems they have, what applications, who are the owners of those applications, who are the authorized users, and who has what rights to the applications," Poulin said.
Before applying policies, they need to first know their inventory and access controls. "What data lies on it? Where is the PCI data versus the source code data or financial data. They need to have situational awareness," Poulin said.
User behavior analytics, though in use for a very long time, have come into fashion in the last few years because of the scale at which machines are able to aggregate and correlate data.
"Security teams need to know the activities in their environment. How much data is transferred from your email server or the server that stores finance data or source code or whatever is most important to the business? Which users use those?" Poulin said.
Until they understand the patterns in their activities, they can't create rules and enforce that behavior.
Sure, in a smaller company, they might be able to identify the various thresholds of all of their users, but how do they do that in an environment with over 50,000 employees?
"Computers watch all these axes," Poulin said. The promise of machine learning is that the machines can ingest volumes a human can’t, but Poulin said, "It needs to be trained. It will always be reliant on a human for context. You feed it enough context, you tell it what context is, what data and the context in which it is happening."
As with any technology, though, machine learning is another one of the many layers in the entire security infrastructure. "It’s an additional layer on top of a SIEM that augments and helps to tune the system," Poulin said.
CISOs struggle with determining which of those layers are most important, and when there are so many layers that the technology becomes redundant or inharmonious.
Poulin said, "Perspective is everything. My personal philosophy is borrowed from a wood-working expression, 'measure twice cut once'. You need to have something to measure the information."
All they have to do to weed through the overgrowth is determine where the problem is for them--at the perimeter, user role management, data access? The problem for many who are feeling so overwhelmed and understaffed is that looming question, Where do I begin?
When Gant Redmon, vice president business development and general counsel at Resilient, an IBM company, and Paul Sheedy, assistant vice president, enterprise network security services operations at the Federal Reserve Boston, asked their audience what they wanted to know about, "Building Your Incident Response Plan" the audience responded with "Where do I begin?"
When it comes to incident response plans CISOs or CPOs are longing to know more than the blanket acknowledgement that they should have one.
Redmon said, "I often get asked, what does incident response technology look like and how do you turn run books into a collaborative exercise?"
In the early days of incident response plans, most people used spreadsheets or emails, but because the amount of data enterprises collect has grown exponentially, there are hundreds of things that an IR team needs to consider in developing a plan.
"The technology allows you to have a lot of diverse plans, like if this happens, then do that," Redmon said. More importantly, they need to be able to document that they understood the difference between incidents and events and that they are logging all events.
Collecting all of that information in one place is easier and more efficient, and Redmon said, "They have to have a place where people are communicating within the system."
Communication and monitoring at two important strategies that allow for more rapid detection, and "Detection is king," said Sheedy.
"You have to monitor and detect for anomalies," and part of monitoring and detecting demands collecting intelligence. By collecting intelligence, security teams will better know precisely how to build an effective IR plan specific to their business. Intelligence begins with looking at transactions.
When they monitor their transactions, they learn what normal is for their business. Anything outside of normal is an anomaly. "Begin with normal," said Sheedy. "What is the average transaction size? What is the average length of a transaction? Frequency?"
Establishing a baseline normal will help them detect more quickly those behaviors that are not normal, but people can quickly become overwhelmed and complacent, which is why Redmon said, "It's important to do simulations all the time."
Running table top exercises will also reveal gaps in the plan, revealing both what they know and what they don't know. "Stay calm. Never jump to conclusions," said Redmon.
When they come across something that they don't know, that is an excellent opportunity to assign a task. While someone is researching, everyone else follows the plan without getting ahead of themselves.
In order to make the best use of the table top exercises, throw some bombs into a simulation, then the team will find out what they don't know. That awareness of the unknown will inevitably unearth questions that demand answers.
"What are you allowed to do? We have to ask those questions," said Sheedy. "What are we going to do? How do you tell? What kind of system do you use? Can we shut down completely? Isolate? Route away? Disable certain transactions? What latitude do we have to make those calls?"
To start, choose one application and monitor the transactions of that one application. Develop the patterns that are normal, then move forward one step at a time. "Know your top applications, create run books, run simulations, then build your IR plan," said Sheedy.
As part of the plan, be clear about assigning tasks. "It's what I call feeding the cat. You assign one person to feed the cat. Otherwise, if everybody feeds the cat, the cat will die," said Redmon.
Be prepared to communicate, select points of contact, know when to engage with legal and/or law enforcement, and share threat intelligence because proper planning prevents poor performance. Know that the work is never really done, continue to practice and give life to policies as they will inevitably need to change.
This story, "Detection and response, where to begin" was originally published by CSO.