Ever hear or say, “…we need to do things differently”?
I hear it quite often, and it’s true, speaking in the context of fighting advanced threats. What usually ends up happening? The same old thing, but with new tools.
What needs to be done differently in our business is to lean forward into the problem and be more suspicious of all content, especially in new ways. Capture as much data as possible about this suspect content, automate its analysis, and provide the results, along with the session and objects, to first-level responders.
Many environments have a SOC, which in turn works on alerts fed in from products. Oftentimes the analysts may not know why the alert came in or what it is about, and they forward it upstream. It eventually ends up with the Incident Response team, who needs to gather data from other systems to try to piece together what happened. They have many tools they use to dissect, analyze and try to figure it out, but in the end 80%-90% of the results are benign. This is the business process, and it takes time and money to vet each alert.
My question to you is: what can be done differently?
- Inspect all traffic and its content. Content whose nature is not already known should be judged on risk, with complete information collected up front (session, objects, artifacts, etc.) and analyzed automatically. The benefit to the SOC is that it has all the information up front. If automated analysis shows the content is bad, remediation can occur immediately. This means faster resolution, money savings, and minimized risk exposure.
- Go on the hunt. Use intelligence-community-based information and similar sources, and look for activity in real time. Do not be a victim.
Build a better business process by compressing the workflow through automation, better information and faster response time. Put forensics up front as opposed to at the end, just like open-heart surgery.