Thoughts on how to increase cooperation between security and IT teams during incident response for a smoother workflow
Working on incident response in an enterprise is challenging work. It really is.
Let’s face it, there are simply too many monitoring and detection systems that security analysts are forced to rely on. These analysts are constantly being alerted about potential cybersecurity threats, forcing them to wade through various data pools holding both structured and unstructured data, internal knowledge bases (KBs) and CMDBs, all while working across multiple global sites that host a myriad of business processes.
Just building all of those data pools, KBs, and CMDBs is a tedious project on its own; having to investigate alerts on top of it can be downright dizzying.
Theoretically, an analyst should be able to receive an alert, collect data, analyze it, draw conclusions, respond, return everything back to normal operations, and generate a report on the incident in a timely manner. Then, after a brief coffee break, he or she would be available for the next alert that WILL inevitably arrive soon.
Of course, executing all of these activities for each alert and completing them by the time the next alert arrives (let’s leave out the coffee break) is inconceivable. So the queue just continues to build up and up and up...
And this cycle is endless.
One of the more interesting elements of the Incident Response process is the response itself. This element is typically a hands-on one, with security analysts actively doing something about the incident.
In IR, this means that the security analyst takes action to contain, mitigate, eradicate, clean, quarantine, wipe, delete and/or fix whatever happened during the incident, so that normal operations can resume, preferably sooner rather than later.
In a perfect, politics-free environment, the analyst would be able to conduct the response unimpeded, without needing to deal with technical impediments like lack of permissions, access rights, or other forms of access enforcement. However, in the real enterprise world that is rarely the case.
The far more common scenario is that once an analyst concludes that there is a real incident, the proactive response element is assigned to the help-desk, systems team, or IT team who have the appropriate access rights and who (hopefully) can respond according to the guidelines provided by the security analyst.
While this method has its advantages, there are also many disadvantages:
- Yet another link in the chain; closing the loop simply takes longer.
- The help-desk/system/IT team may not be available, or may not prioritize the task as assigned by security.
- The help-desk/system/IT team does not share the skill-set of the security analyst, so if something in the response process goes awry, the process may not end successfully or it may require a new set of instructions from the analyst.
- The security and help-desk/system/IT team do not speak the same language, nor do they share a common ticketing system.
- The security team needs to track more open tickets instead of closing the loop on their own.
- In some cases, further investigation of the live memory or hard drive is needed in order to properly validate an incident. These types of investigations cannot be delegated. Without direct access, security analysts cannot conduct the full investigation and are often left with open questions.
So what can be done? Here’s our idea!
What if security analysts were given direct access to every machine? And what if there were powerful tools to enable an immediate response that could be automated based on previously resolved attacks? And all of this while still having the ability to be monitored for audit purposes? Think of the time and effort it would save!
This is called Preemptive Incident Response.
Here, analysts are able to do the heavy-duty response work on their own without IT acting as the man in the middle. Furthermore, because this solution is able to monitor all endpoints, IT can fully audit the process to stay in the loop.
Check out SECDO:
Secdo combines unmatched, historical, thread level endpoint visibility with its unique Causality Analysis Engine™ to automatically investigate any alert.
Then, based on analysis of exactly how endpoints were compromised, Secdo provides a set of real-time, granular response tools that enable rapid and surgical response and remediation on any endpoint, with no impact on users. Find out more at: www.secdo.com