It’s become widely accepted that security incidents are inevitable for any organization that has valuable data. Detecting security incidents early in the attack lifecycle is vital to reducing risk, yet most security breaches go undetected until it’s too late, and an outside incident response team is brought in to assess and remediate the damage. Why is this so?
The answer is that signs of an initial attack can be stealthy and difficult to differentiate from the noise of the day-to-day deluge of alerts. Most security teams lack the manpower, visibility and threat intelligence needed to quickly and accurately investigate the huge volume of alerts generated by existing security solutions. And not to be overlooked is the complexity of monitoring myriad mobile devices across global networks. Adding to the problem, many organizations have invested in a collection of on-premises and cloud-based security technologies, but may not be experiencing the full benefit of their investment due to poor integration, unnecessarily complex processes or unused functionality. Delayed response times and inaccurately prioritized alerts can then create gaps that attackers use to gain a foothold and roam freely across a network.
To address these challenges, the Rapid Detection and Response Model (RDRM) helps organizations accelerate their ability to detect, investigate and stop attacks by ensuring the organization is prepared from a people, process and technology perspective. The model is based on proven strategies and methodology used effectively on the front lines by top incident responders with deep military, government and cyber intelligence expertise. Designed to lower the risk profile of an organization and increase efficiency with measurable results, it advocates for the consolidation and integration of endpoint, log file and network visibility technologies. To accomplish this, the model comprises five steps designed in a feedback loop:
1. Create situational awareness of the organization’s threat environment by identifying technology and process gaps that lead to blind spots
- Document existing security infrastructure
- Analyze capabilities of security technologies
- Examine operational processes
- Review detection and response metrics
- Evaluate the threat landscape
2. Close gaps that hinder the ability to efficiently detect, respond to and resolve incidents
- Implement technology
- Integrate systems
- Modify processes
- Perform tabletop exercises to train personnel
3. Identify security incidents
- Monitor and apply threat intelligence to endpoints, network traffic and log files to validate alerts
- Perform security analytics to uncover suspicious anomalies
4. Confirm and investigate security incidents to understand what occurred and assess the impact
- Contain affected systems
- Collect and analyze data to classify the threat
- Dissect the attack path, reconstruct what it did
- Document the attack details
5. Create and implement a remediation plan to remove all points of entry available to the threat
- Remove back doors
- Fix exploited vulnerabilities
- Reset compromised user credentials
- Restore services
- Document and apply lessons learned to bolster preventative defenses and improve ongoing rapid detection and response
A basic rule of thumb of the RDRM is to first focus on reducing noise from existing systems and then take steps to drive down incident response and resolution metrics (time-to-detect, time-to-validate, time-to-contain, time-to-collect, time-to-analyze and time-to-resolve) to acceptable levels by pursuing three technology goals:
- Gaining visibility into logs, networks and endpoints increases insight across the enterprise and provides context to help validate security alerts and understand incidents.
- Using a single platform with multiple capabilities that interoperate and can apply threat intelligence provides “big picture” context that can accelerate and improve threat-detection accuracy, enables automation to span multiple products and stretches budgets by reducing the number of niche point products.
- Automating validation, containment and remediation workflows reduces the number of manual steps required, provides the data and context necessary to prioritize and take action and frees experienced security personnel to focus on high-priority tasks.
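Driving those metrics down presumes you are measuring them. The script below is an added example, not code from the RDRM or from this post's author: it takes a small set of constructed incident timelines, computes each of the six time-to-* metrics as the gap between consecutive RDRM phases, summarizes them across incidents, and flags any incident whose phase exceeded a target. The phase names, the sample incidents and the threshold hours are all assumptions for illustration; an open incident that has not yet reached a phase simply contributes no value for that metric.

```python
from datetime import datetime
from statistics import mean

# Metric name -> (phase where the clock starts, phase where it stops).
# Phase names are an assumption for this example; map them to whatever your
# ticketing system records.
METRICS = {
    "time_to_detect":   ("first_activity", "detected"),
    "time_to_validate": ("detected", "validated"),
    "time_to_contain":  ("validated", "contained"),
    "time_to_collect":  ("contained", "collected"),
    "time_to_analyze":  ("collected", "analyzed"),
    "time_to_resolve":  ("analyzed", "resolved"),
}

# Hypothetical "acceptable level" for each metric, in hours (assumed, not from the page).
THRESHOLDS_HOURS = {
    "time_to_detect": 24, "time_to_validate": 1, "time_to_contain": 4,
    "time_to_collect": 8, "time_to_analyze": 24, "time_to_resolve": 72,
}

# Constructed sample timelines (ISO-8601, not real incidents). INC-0003 is still open.
SAMPLE_INCIDENTS = [
    {"id": "INC-0001", "first_activity": "2024-03-01T08:00:00", "detected": "2024-03-01T10:30:00",
     "validated": "2024-03-01T11:15:00", "contained": "2024-03-01T13:00:00",
     "collected": "2024-03-01T16:00:00", "analyzed": "2024-03-02T09:00:00",
     "resolved": "2024-03-03T17:00:00"},
    {"id": "INC-0002", "first_activity": "2024-03-05T21:00:00", "detected": "2024-03-07T06:00:00",
     "validated": "2024-03-07T08:00:00", "contained": "2024-03-07T20:00:00",
     "collected": "2024-03-08T02:00:00", "analyzed": "2024-03-08T14:00:00",
     "resolved": "2024-03-10T14:00:00"},
    {"id": "INC-0003", "first_activity": "2024-03-12T09:00:00", "detected": "2024-03-12T09:30:00",
     "validated": "2024-03-12T09:45:00", "contained": "2024-03-12T10:45:00",
     "collected": "2024-03-12T12:45:00", "analyzed": None, "resolved": None},
]


def _parse(ts):
    """Parse an ISO timestamp; a missing value means the phase was not reached yet."""
    return datetime.fromisoformat(ts) if ts else None


def phase_durations(incident):
    """Return {metric: hours} for one incident; None where the phase is incomplete."""
    out = {}
    for metric, (start, end) in METRICS.items():
        t0, t1 = _parse(incident.get(start)), _parse(incident.get(end))
        out[metric] = None if t0 is None or t1 is None else (t1 - t0).total_seconds() / 3600
    return out


def summarize(incidents):
    """Count, mean and max hours per metric over all incidents that completed that phase."""
    per_metric = {m: [] for m in METRICS}
    for inc in incidents:
        for metric, hours in phase_durations(inc).items():
            if hours is not None:
                per_metric[metric].append(hours)
    return {
        m: {"count": len(v),
            "mean_hours": mean(v) if v else None,
            "max_hours": max(v) if v else None}
        for m, v in per_metric.items()
    }


def threshold_breaches(incidents, thresholds=THRESHOLDS_HOURS):
    """List (incident id, metric, hours) for every phase that ran past its target."""
    found = []
    for inc in incidents:
        for metric, hours in phase_durations(inc).items():
            if hours is not None and hours > thresholds[metric]:
                found.append((inc["id"], metric, hours))
    return found


if __name__ == "__main__":
    for metric, stats in summarize(SAMPLE_INCIDENTS).items():
        print(f"{metric:18} n={stats['count']} mean={stats['mean_hours']} max={stats['max_hours']}")
    for inc_id, metric, hours in threshold_breaches(SAMPLE_INCIDENTS):
        print(f"BREACH {inc_id} {metric} took {hours:.1f}h (target {THRESHOLDS_HOURS[metric]}h)")
```

Run over real ticket exports, the breach list is the worklist the model's feedback loop asks for: each flagged phase points at the step (visibility, integration or automation) whose gap is inflating that metric.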
As organizations struggle to overcome talent shortages, keep up with modern threats and reduce risk, rapid detection and response has become a necessity. We believe every organization is capable of using the RDRM to disrupt attack lifecycles and achieve the faster and more effective incident response that comes from greater visibility and context, consolidation and integration of security tools, and automation of mundane steps.
-Kristen Cooper, Vice President of Product Marketing