5 Tips from the Front Lines of a Critical Security Incident

Here we go again. Stress levels are rising. Colleagues are in a panic and executives want answers now. Critical alerts suggest you’ve been compromised. The question is: Where did it happen? How did the attacker get in? Are any endpoints compromised? What’s the extent of the damage? What was stolen?

Sound familiar?

Security teams face these challenges daily as thousands of alerts flicker across their monitors indicating potential incidents. Tasked with reviewing and triaging these suspected incidents, analysts are unable to quickly validate whether an incident is real or not. They receive little context and they can’t assess the potential impact.

It can take days or weeks to investigate, retrieve and analyze data about a threat. Then, time-consuming manual processes slow things even more as you toggle data back and forth between multiple security solutions to analyze your entire fleet of endpoints. What’s the result? Analysts often miss the most critical attacks or detect them long after vital data has been stolen.

Avoid the panic. Ignore the knee-jerk reaction to remove the impacted system and reimage it. Chances are that one compromised machine is just the tip of the iceberg. Wiping it clean could alert the attacker and cause them to dive deeper into your network. A better alternative is to start with this approach:

• Evaluate the capabilities of your security processes and technologies
• Identify gaps and opportunities for improved efficiency
• Determine what solution(s) will best fill those gaps
• Get more from your existing security infrastructure

To help you get started, we’ve compiled five questions to help you think about how you can improve your incident response capabilities:

• What processes can you automate? For example, can you collect an endpoint triage package based on an alert you get from your next-gen network device? To effectively detect and respond to a security incident you need to gather and analyze multiple complementary data sources as one. Reducing the number of manual steps required to piece together data from multiple sources and streamlining these workflows will shrink the time it takes to detect, investigative, analyze and resolve an incident.

• What type of threat intelligence are you able to consume? Are you limited? Intelligence is critical to increasing your ability to detect and respond to an attack. Being able to consume threat intelligence in a broad range of formats increases your team’s ability to detect, prioritize, and successfully remediate threats.

• Can you quickly capture information from your endpoints to help triage an alert? Collecting and analyzing rich endpoint data can take hours or even days. And it often results in false positives. Automating these tasks is one of the easiest ways to improve productivity. If you can get an initial set of data such as running processes, open network connections or recently executed applications you can quickly validate the severity of an alert. Also, the benefits of detecting security incidents early in the attack lifecycle translates to lower costs associated with a breach and less complexity.

• Are you able to identify the source of an initial compromise or how an attacker moved laterally to other systems? Understanding what happened before and after an alert gives you visibility into the scope of the compromise. It also helps you perform a damage assessment by showing you what, if anything, was taken. Traditional forensic data is difficult to piece together and often incomplete. Advanced endpoint detection and response technology that records data enables analysts to quickly query and review past events. This provides visibility and context into what happened so you can fully respond and eliminate the attacker.

• Can you immediately halt data exfiltration and lateral movement or kill a process? Manual remediation is extremely time consuming and requires skilled analysts who are in high demand. Immediately stopping data exfiltration and isolating the endpoint decreases the time to resolve an incident and the risk of intellectual property loss. Implementing endpoint detection and response solutions, with system management capabilities, consolidates resources better and improves overall security hygiene.

Our initial recommendations will help you gain greater visibility and intelligence about your alerts so you can detect and respond faster to critical incidents. The end goal is to help your team detect the bad guys faster – before they steal your important data.

-Jennifer Bielski, Product Marketing Manager