Seasoned security professionals know that there is no silver bullet for cybersecurity. Attackers will get into your environment; it is inevitable, and it has most likely already happened. Worse, the tooling attackers use is increasingly automated and adaptive, which lets it operate under the radar for a long time, hiding its activity in seemingly normal, ‘legitimate’ traffic. Gartner estimates the “average lag time before a breach is detected is 205 days.”
When an attacker is identified, you need to know everything they have done so that you understand, and can remediate, the full extent of the attack. Unfortunately, tracing activity that has been going on for days, weeks or months is almost impossible for today’s incident response (IR) teams. The alert marks the beginning of the response, not of the attack: as soon as it is received (in an ideal world), the IR team or security operations center (SOC) starts collecting data from all the relevant devices across the environment and building out the attack timeline.
Given the complexity of the environment and the time-consuming nature of this process, there are often gaps in the timeline that force the analyst to make assumptions about what the attacker did. The longer the attack went on, the more gaps there are and the more assumptions have to be made. As a result, it is not unusual for components of the attack to be missed entirely, which lets the attacker keep persistence in your environment and resume their activity later.
Because the stakes are so high (a breach costs U.S. enterprises an average of $1.3 million per incident), the approach to cybersecurity needs to change. It needs to move from an “incident response” doctrine to a “continuous response” doctrine. In other words, instead of waiting for an alert to trigger the start of activity, you need a continuous, iterative, never-ending cycle of monitoring, detecting, preventing, and even predicting activity.
Gartner has developed an Adaptive Security Architecture that adopts this continuous response approach. Four stages make up the architecture: prevention, detection, response, and prediction. To bring this architecture to life, organizations not only need to shift their thinking from a reactive, incident-based mindset to one that is proactive and continuous, but also make corresponding investments in solutions that can automate and orchestrate each component of the continuous, adaptive security architecture.
Capabilities in an Adaptive, Continuous Security Architecture
To build out the capabilities you need, look for solutions that address each phase of the Adaptive Security Architecture.
- Prevent. According to Gartner, this phase will “block attackers and attack methods before they affect the enterprise.”
To accomplish this, you need to be able to Respond to an attack: surgically remediate any threat or incident and orchestrate the response across multiple endpoints. This can include quarantining a host, killing a process, deleting a file, deleting or modifying registry keys, stopping a service or driver, removing a user, adjusting a firewall rule, and so on. With the right tools, the attack is stopped on the affected endpoints only, with little or no impact on productivity and business continuity.
- Detect. Gartner describes this phase as providing “continuous and pervasive monitoring” and using “advanced analytics” to identify advanced threats.
As we see it, the adaptive security continuum starts and ends with ongoing Observation. Only constant, automated and highly granular endpoint vigilance, coupled with long-term central data storage, can ensure you have the visibility you need to quickly and efficiently understand what is going on in your environment. The key is that it is constant and granular, so as soon as you get an alert you already have all the data (down to the file, process, threat, registry, user, hardware, network, etc. level) you are going to need to quickly and simply build out the entire attack story, even one that goes back days, weeks or even months. There should be no gaps, so there is no need to make any assumptions.
- Respond. This phase is defined by Gartner as being able to identify the root cause and scope of a breach to ensure the full extent of the attack can be remediated.
Once potential incidents have been surfaced, effective Analysis is crucial to understanding the full extent of an attack’s activities. Causal chains need to be examined in detail to correlate data from endpoint monitoring with alerts from existing SIEM, network, and detection technologies. Each alert needs to be automatically investigated and triaged, producing the root cause and the full timeline of the event. Effective use of automation at this stage can reduce response times dramatically (by up to 99%, in our experience) and suppress false positives, so that analysts can focus on the threats that really matter.
- Predict. This last phase in Gartner’s architecture learns from events and predicts “potential vulnerabilities, feeding them back into the preventive and detective capabilities to ‘close the loop.’”
To complete the cycle, you need to learn from previous incidents and from trends in the threat landscape, and make adjustments to proactively Defend your environment from similar attack activity. The knowledge accrued in handling actual incidents needs to be applied automatically to create an adaptive security workflow. Essentially this phase builds a self-optimizing architecture that improves the overall efficiency and effectiveness of your security efforts. For example, when detection rules are automatically adapted to identify and block activity that resembles a past incident, time and resources no longer need to be spent investigating new incidents that are similar to those that have already occurred in the environment.
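To make the Observe, Analyze and Defend steps above concrete, here is an added Python example that is not code from the original page or from any vendor product. It indexes a small, constructed sample of endpoint telemetry (process, file, network and registry events with parent/child links), walks from one alerted process back to its root cause, collects the full scope and ordered timeline, and then turns the incident's indicators into rules that fire on future telemetry. The event schema, the session-root boundary (`SESSION_ROOTS`) and the rule format are all assumptions made for the example.

```python
"""Reconstruct an attack timeline from endpoint telemetry and feed the
result back into detection rules. Constructed example; not vendor code."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Assumption: an ancestry walk stops at the user's session root or a
# service manager, so these are never reported as the attack's entry point.
SESSION_ROOTS = {"explorer.exe", "services.exe", "wininit.exe"}


@dataclass(frozen=True)
class Event:
    ts: int                      # seconds since epoch
    kind: str                    # "process", "file", "network" or "registry"
    pid: int                     # process the event belongs to
    ppid: Optional[int] = None   # parent pid (process events only)
    image: str = ""              # executable name (process events only)
    detail: str = ""             # command line, path, key or remote endpoint


# Constructed sample telemetry: a macro document spawns PowerShell, which
# fetches a payload, persists it via a Run key and launches it. The chrome
# activity is unrelated noise that must not end up in the attack story.
TELEMETRY = [
    Event(1000, "process", 400, 1, "explorer.exe"),
    Event(1005, "process", 410, 400, "outlook.exe"),
    Event(1010, "file", 410, detail=r"C:\Users\bob\Downloads\invoice.docm"),
    Event(1012, "process", 420, 410, "winword.exe", "invoice.docm"),
    Event(1015, "process", 430, 420, "powershell.exe", "-nop -w hidden -enc SQBFAFgA"),
    Event(1016, "network", 430, detail="203.0.113.7:443"),
    Event(1017, "file", 430, detail=r"C:\Users\bob\AppData\Roaming\upd.exe"),
    Event(1018, "registry", 430, detail=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event(1020, "process", 440, 430, "upd.exe"),
    Event(1021, "network", 440, detail="203.0.113.7:8443"),
    Event(1030, "process", 500, 400, "chrome.exe"),
    Event(1031, "network", 500, detail="198.51.100.9:443"),
]


class Timeline:
    """Index of everything the sensors recorded, so an analyst can move from
    one alerted pid to the root cause, the full scope and every side effect."""

    def __init__(self, events):
        self.events = sorted(events, key=lambda e: e.ts)
        self.procs = {e.pid: e for e in self.events if e.kind == "process"}
        self.children = defaultdict(list)
        for e in self.procs.values():
            if e.ppid is not None:
                self.children[e.ppid].append(e.pid)

    def ancestry(self, pid):
        """Parent chain from the entry-point process down to pid (oldest first),
        stopping below the session root. Empty if pid was never observed."""
        chain, cur = [], self.procs.get(pid)
        while cur is not None and cur.image not in SESSION_ROOTS:
            chain.append(cur)
            cur = self.procs.get(cur.ppid) if cur.ppid is not None else None
        chain.reverse()
        return chain

    def descendants(self, root_pid):
        """Every pid spawned, directly or indirectly, by root_pid (incl. itself)."""
        seen, queue = {root_pid}, deque([root_pid])
        while queue:
            for child in self.children.get(queue.popleft(), []):
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
        return seen

    def investigate(self, alert_pid):
        """Root cause, scope, ordered timeline and indicators for one alert.
        Returns None when the pid is unknown: a gap in the telemetry."""
        chain = self.ancestry(alert_pid)
        if not chain:
            return None
        root = chain[0]
        scope = self.descendants(root.pid)
        timeline = [e for e in self.events if e.pid in scope]
        pairs = {(self.procs[e.ppid].image, e.image) for e in timeline
                 if e.kind == "process" and e.ppid in self.procs
                 and self.procs[e.ppid].image not in SESSION_ROOTS}
        indicators = {
            "parent_child": sorted(pairs),
            "network": sorted({e.detail for e in timeline if e.kind == "network"}),
            "files": sorted({e.detail for e in timeline if e.kind == "file"}),
            "registry": sorted({e.detail for e in timeline if e.kind == "registry"}),
        }
        return {"root_cause": root, "chain": [e.image for e in chain],
                "scope": scope, "timeline": timeline, "indicators": indicators}


def derive_rules(indicators):
    """Close the loop: turn an incident's indicators into rules applied to all
    future telemetry. Deliberately simple; a real rule would carry context."""
    return {
        "parent_child": set(indicators["parent_child"]),
        "destinations": {ep.rsplit(":", 1)[0] for ep in indicators["network"]},
    }


def matches(rules, event, parent_image=None):
    """True if a newly observed event should be blocked under the rules."""
    if event.kind == "process":
        return (parent_image, event.image) in rules["parent_child"]
    if event.kind == "network":
        return event.detail.rsplit(":", 1)[0] in rules["destinations"]
    return False


if __name__ == "__main__":
    result = Timeline(TELEMETRY).investigate(430)   # alert fired on powershell.exe
    print("root cause:", " -> ".join(result["chain"]))
    for e in result["timeline"]:
        print(e.ts, e.kind, e.pid, e.image or e.detail)
```

`investigate` returning `None` is exactly the telemetry gap the text warns about: if the alerted process was never recorded, there is no chain to walk and the analyst is back to guessing. A production version also has to handle pid reuse, lateral movement across hosts, and processes that started before the sensor did, and the derived rules should carry more context (for example the command-line pattern) than a bare parent/child pair, or they will block legitimate Office-to-PowerShell usage along with the attack.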
The End-Game: Continuous, Adaptive ‘Self-Correcting’ Cybersecurity
An automated adaptive security cycle can ultimately be the basis for a self-correcting cybersecurity ecosystem that can constantly adjust and respond to enable faster responses, lower risks and increased security efficiency. Intelligent algorithms are the crux of this architecture, doing most of the heavy security lifting: they will derive causality between events, behaviors and attacks; they will collect and correlate data and decide when alerts are required; and they will help automate an appropriate response to eliminate the impact of existing and future attack activity. To bring this continuous, adaptive security architecture to life, you need capabilities that can deliver on each phase.