SlideShare a Scribd company logo

rp-esg-tackling-attack-detection-incident-response

M
Maciej Buczkowski

The document summarizes research from a survey of 700 IT and security professionals about tackling attack detection and incident response. Key findings include: 1) Organizations conducted an average of 78 security investigations in 2014, with 28% related to targeted attacks. Targeted attack investigations are more difficult and time-consuming. 2) Incident detection and response are hindered by time-consuming manual processes and a lack of integration between security tools. This delays response times and can enable data breaches. 3) Visibility across users, systems, applications and data is limited due to gaps in understanding behaviors and a lack of integration between security and IT operations tools.

1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Tackling Attack Detection and Incident Response Research and Analysis by Intel Security and ESG By Jon Oltsik, Senior Principal Analyst April 2015 This ESG paper was commissioned by Intel Security and is distributed under license from ESG. © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Research Analysis Report: Tackling Attack Detection and Incident Response 2 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Contents Executive Summary ......................................................................................................................................3 Always On .....................................................................................................................................................4 Cybersecurity Defense..................................................................................................................................7 The Bigger Truth .........................................................................................................................................11 All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
Research Analysis Report: Tackling Attack Detection and Incident Response 3 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Executive Summary The Enterprise Strategy Group (ESG) recently worked with Intel Security to analyze the results of a research project based upon a survey of 700 IT and security professionals at mid-market (i.e., 500 to 999 employees) and enterprise (i.e., more than 1,000 employees) organizations located in Asia, North America, EMEA and South America. Survey respondents came from numerous industries with the largest respondent populations coming from information technology (19%), manufacturing and materials (13%), and financial services (9%). Respondents were asked a series of questions about their organizations’ information security policies, processes, and technologies as well as their current security challenges and future strategies. Based upon this research, ESG concludes:  Security professionals remain busy and challenged by targeted attacks. On average, security respondents indicated that their organizations conducted 78 security investigations last year, and about 28% of these investigations focused on targeted attacks. Targeted attack investigations are especially cumbersome as they require experienced security analysts, a comprehensive view of IT assets, and security data analytics. These particular investigations can be extremely time consuming which may impede remediation actions and lead to data breaches in spite of the security team’s best efforts. The Intel Security data points to the need to change from simply collecting volumes of data to finding value in the data—this is the path to address attacks more efficiently.  While targeted attacks abound, incident detection and response are fraught with one-way streets, roadblocks, and detours. Cyber-attackers are using a combination of social engineering techniques, publicly-available social networking services, and stealthy malware to trick end-users, circumvent security controls, and compromise systems. While these offensive tactics are fairly straightforward, cybersecurity defenses remain haphazard at best. Security professionals often have limited knowledge about the latest hacking tactics, techniques, and procedures (TTPs). Incident detection and response are held back by a series of time consuming tasks, manual processes, and inefficiencies that elongate response time leading to damage control and cleanup. Security monitoring tools have limited visibility into users and technologies while security point tools lack the level of integration needed to coordinate and monitor security defenses across the network. Alarmingly, the Intel Security data portrays an unfair fight where cybersecurity offense often overwhelms cybersecurity defenses. Businesses need to change their security strategies to be able to deal with incidents within the most crucial timeframe after infection, before serious damage can be inflicted. Intel Security refers to this ideal incident detection/response window as the “golden hour.”  Security professionals are asking for help in multiple areas. The security professionals surveyed for this project have a multitude of suggestions to help them improve cybersecurity defenses and incident detection and response efficiencies. More than half point out the need for better security tools for incident detection and security analytics while around 40% recommend more training for cybersecurity professionals and the SOC team. And since 80% of organizations believe that their incident detection/response processes are hindered by a lack of security technology integration, many security professionals believe that their organizations would benefit from an end-to-end, tightly-integrated enterprise security architecture. In aggregate, cybersecurity advancements are needed across people, processes, and technology. CISOs should use the data presented in this report in two ways: 1. As a guideline for security assessment. This report highlights a number of issues hindering incident detection processes and effectiveness. CISOs should assess whether these problems exist within their organizations and, if so, attempt to identify and measure the ramifications. 2. As a blueprint for strategic planning. The data points to the need for vastly improved security data analytics and an integrated enterprise security technology architecture. CISOs should investigate their plans in these and other areas identified herein.
Research Analysis Report: Tackling Attack Detection and Incident Response 4 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Always On Most information security professionals would readily admit that there is a persistent cyber-war in progress where their organizations face a constant barrage of attacks. On average the IT and security professionals’ surveyed claim that their organizations conducted 78 individual security investigations in 2014. Not surprisingly, security investigation frequency was closely correlated to an organization’s size—the larger the organization, the more security investigations they conducted (see Table 1). Table 1. Average Number of Security Incidents in 2014 Total survey population (n= 700) 500 to 999 employees (n = 196) 1,000 to 4999 employees (n = 248) More than 5,000 employees (n = 256) Average number of security incidents in 2014 78 31 41 150 Source: Intel Security, 2015. At almost half of the companies surveyed, the majority of these security investigations focus on routine security incidents where end-user PCs become infected with adware, spyware, and volumetric viruses commonly downloaded from an assortment of sources. However, the other half spend the majority of their time investigating more sophisticated and often inter-related problems: targeted attacks (by an external adversary targeting a particular individual, group, or type of site or service), data breaches, and malicious insider attacks. In fact, 28% of security investigations are associated directly with more dangerous and potentially damaging targeted attacks (see Figure 1). This is an important distinction. With more than 1 in 4 security investigations linked to targeted attacks, many organizations:  Face targeted attacks on a regular basis. While pedestrian malware continues to be a major pain point, the Intel Security data indicates that no one is immune to the dangers of today’s targeted cyber-attacks. Small, medium, and large organizations consistently reported that 28% of their security investigations were focused on targeted attacks and organizations across all industries were impacted. Clearly, the advanced persistent threats (APTs) that were once the scourge of government agencies and the defense/intelligence industry are now widespread, presenting a real menace to all organizations.  Require new resources and skills to conduct targeted attack investigations. In general, security professionals can get help with common malware from their AV and IDS/IPS vendors. Alternatively, investigating targeted malware that flies “under-the-radar” may require some combination of security analytics tools, threat intelligence feeds, and advanced cybersecurity skills. Based upon this, it is safe to assume that targeted attack investigations are more difficult and time consuming than more common ones and many organizations simply are not prepared with the right resources, skills, or analytics.  Have more at stake with targeted attack investigations. Adware and spyware may disrupt employee productivity but targeted attacks can result in costly and damaging data breaches. This puts pressure on the security analyst team to isolate and remediate problems as soon as possible but best efforts alone won’t prevent data breaches.
Research Analysis Report: Tackling Attack Detection and Incident Response 5 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 1. Percentage of Security Investigations Associated with Targeted Attacks Source: Intel Security, 2015. All of these security investigations raise an obvious question: Why are cyber-adversaries able to penetrate networks and compromise systems with targeted attacks? Unfortunately, security professionals point to an assortment of root causes—38% cite a lack of user knowledge about cybersecurity risks, 32% claim that it is increasingly difficult to detect persistent/modern malware, 30% blame an increase in the use of social networking, and 29% identify sophisticated social engineering tactics (see Figure 2). 8% 24% 14% 16% 12% 9% 5% 5% 3% 1% 1% 1% 0% 5% 10% 15% 20% 25% 0% 1-10% 11-20% 21-30% 31-40% 41-50% 51-60% 61-70% 71-80% 81-90% 91-99% 100% What percentage of your 2014 security investigations were associated with targeted attacks? (Percent of respondents, N=700) Average = 28%
Research Analysis Report: Tackling Attack Detection and Incident Response 6 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 2. Reasons Cited for Targeted Attack Success Source: Intel Security, 2015. 12% 14% 16% 22% 23% 24% 24% 26% 29% 30% 32% 38% 0% 10% 20% 30% 40% 50% We did not suffer any successful targeted attacks Increased mobility and remote worker policies making it harder for security and IT operations staff to control and secure endpoint systems Insufficient security protection on endpoint devices (i.e., signature-based malware defenses only) Increasing use of non-PC devices such as smart phones and tablets increased the attack surface for malware at our organization Our security staff lacks the proper knowledge and skills to detect modern malware stealthing techniques (i.e., packing, polymorphic threats, sleeping techniques, metamorphic threats, etc.) Failure to recognize the root cause of an attack such that remediation steps did not adequately prevent malware from spreading and causing further damage Bring your own device ("BYOD") policies introduced many different types of PCs into our network making it harder for security and IT operations staff to control and secure endpoint systems Increasing use of personal business services (i.e., Dropbox, EverNote, PC Backup, etc.) by employees provided a malware distribution channel for cyber adversaries Sophisticated social engineering tactics by cyber adversaries that made activities appear trustworthy Increasing use of social networking sites (i.e., Facebook, Twitter, LinkedIn, etc.) by employees provided a malware distribution channel for cyber adversaries It has become increasingly difficult to detect persistent malware that may use an assortment of attack vectors, exploits, and payloads Lack of user knowledge about cybersecurity risks (i.e., clicking on unknown links, opening e-mails from unknown sources, etc.) If your organization suffered one or more successful advanced, targeted attacks in 2014, which of the following things do you believe made these attacks successful? (Percent of respondents, N=700, multiple responses accepted)
Research Analysis Report: Tackling Attack Detection and Incident Response 7 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. This list reflects a microcosm of today’s cybersecurity landscape. Smart, crafty, and creative cyber-adversaries use social engineering and stealthy malware to entice gullible end-users to click on a URL or open an e-mail attachment. In the meantime, nearly one-third (32%) of security professionals struggle to detect and respond to these attacks. The research points to a clear mismatch between offensive cybersecurity threats and traditional cybersecurity defenses. This imbalance is cause for alarm and must be addressed by all organizations as soon as possible. It’s important that security professionals understand that the volume of data alone isn’t making them smarter—what’s needed is more analysis and action on seemingly unrelated events that add up to significant incidents. Cybersecurity Defense The Intel Security research seems to indicate that it is relatively easy for cyber-adversaries to launch targeted attacks, evade security defenses, and compromise systems. Security professionals recognize this situation and remain diligent in their efforts to prevent, detect, and respond to targeted attacks but are often hamstrung by manual processes, isolated security controls, or limited security analytics. For example, incident detection and response processes depend upon a number of time consuming tasks, including determining the impact/scope of a security incident (47% say this is a time-consuming task), taking action to minimize the impact of an attack (42%), and analyzing security intelligence to detect security incidents (41%) (see Figure 3). When these time consuming processes are added together, it is often days, weeks, or months before cyber-attacks are identified and remediated. Figure 3. Time Consuming Tasks Associated with Incident Detection/Response Source: Intel Security, 2015. 26% 32% 35% 38% 39% 41% 42% 47% 0% 10% 20% 30% 40% 50% Gathering the right data for accurate situational awareness Conducting retrospective remediation to determine the scope of outbreaks, contain them and automatically remediate malware Altering security controls to prevent future similar types of malware attacks Performing forensic analysis to determine the root cause of the problem Determining which assets, if any, remain vulnerable to a similar type of attack Analyzing security intelligence to detect security incidents Taking action to minimize the impact of an attack (i.e., taking a system off-line, segmenting the network, etc.) Determining the impact and/or scope of a security incident (i.e., what was altered on a system, what this alteration did, were other systems affected, etc.) Which three processes are the most time consuming incident detection/response tasks? (Percent of respondents, N=700, three responses accepted)
Research Analysis Report: Tackling Attack Detection and Incident Response 8 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. When it comes to incident detection and response, time has an ominous correlation to potential damage—the longer it takes an organization to identify, investigate, and respond to a cyber-attack, the more likely it is that their actions won’t be enough to preclude a costly breach of sensitive data. To address this situation, many organizations are moving toward continuous monitoring of users, systems, applications, and sensitive data located on internal networks and external resources (i.e., SaaS, IaaS, PaaS, business partner systems, etc.). Effective continuous monitoring demands end-to-end collection, processing, and analysis of volumes of security data such as log files, network flows, endpoint/network forensic data, threat intelligence feeds, etc. Being able to identify and respond to an incident within the first hour (i.e., the Intel Security “golden hour”) can greatly minimize the impact of the breach. While many organizations strive for continuous monitoring across IT, many continue to have limited visibility into one or more IT areas. When asked about the biggest inhibitors to having real-time and comprehensive security visibility, 41% of organizations said that they need a better understanding of user behavior, 37% claim that they need tighter integration between security intelligence and IT operations tools, 37% need a better understanding of network behavior, and one-third (33%) need better tools to baseline normal behavior so they can detect anomalies (see Figure 4). Figure 4. What’s Needed for Real-time and Comprehensive Security Visibility Source: Intel Security, 2015. Addressing these visibility and comprehension deficiencies is critical. For example, a lack of knowledge about user behavior could give cyber-adversaries the opportunity to create rogue user accounts or suddenly download volumes of sensitive documents to a user’s PC. Similarly, when security analysts are unsure about network activities, they are more likely to miss suspicious connections, egress traffic, or DNS behavior. CISOs must address these visibility gaps in order to arm security analysts with the data they need to pivot across applications, networks, and systems as they pursue targeted attack investigations. 17% 21% 26% 27% 27% 30% 33% 37% 37% 41% 0% 10% 20% 30% 40% 50% Need better security analysis/forensic skills at our organization Need a better understanding of host behavior Need for better networking visibility (i.e., asset recognition, topology discovery, etc.) Need a better understanding of application behavior Need better automated analytics from our security intelligence tools Need a better understanding of server virtualization technology behavior Need better tools to baseline normal behavior so we can detect anomalies Need a better understanding of network behavior Need tighter integration between security intelligence and IT operations tools (NPM, APM, etc.) Need a better understanding of user behavior Of the following, which are the biggest inhibitors to having real-time and comprehensive security visibility at your organization? (Percent of respondents, N=700, multiple responses accepted)
Research Analysis Report: Tackling Attack Detection and Incident Response 9 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. End-to-end security visibility is vital but security data is meaningless by itself if security analysts can’t understand the information or its ramifications. In fact, effective incident detection and response is really anchored by the experience, instincts, and skills of the security analyst team as they observe content, monitor behavior, analyze data, and meander from data point to data point as part of their investigations. Given the need for a strong foundation of security knowledge, ESG found it somewhat troubling that only 45% of security professionals consider themselves very knowledgeable about malware obfuscation techniques while 8% are not very familiar or not at all familiar with malware obfuscation techniques (see Figure 5). With limited knowledge in this area, it is easy to see why over-burdened security analysts might disregard security alerts, minimize investigations efforts, or mistakenly classify a malicious file as benign. This is especially alarming as many organizations have visibility gaps AND skills deficiencies, limiting their ability to detect and respond to cyber- attacks. Figure 5. Security Professionals are Unfamiliar with Malware Obfuscation Techniques Source: Intel Security, 2015. Enterprise security activities around incident prevention, detection, and response are often based upon an army of disparate point tools used for threat management, policy enforcement, access control, and security monitoring. In many cases, these tools were added to the network organically over time in response to new types of cyber-risks. Each point tool is designed for a specific function and may be effective on its own but the infosec team is ultimately responsible for securing all IT assets regardless of their location or the types of threats they face. It is often difficult, if not impossible, to create/enforce security policies or monitor enterprise security status by piecing together reports generated from dozens of independent tools. The complex and cross-vector nature of targeted attacks makes the point tool model even less acceptable. Multiple events detected by different sensors must be aggregated to correlate events into an attack sequence, permit an investigative workflow, or communicate appropriate containment and remediation out to relevant controls. Is this lack of integration impeding efforts around incident detection and response? According to the research, the unfortunate answer is “yes”—26% of organizations say that the lack of integration and communications between security technologies/tools creates a big problem for incident detection and response while 53% state that the lack of integration and communications between security technologies/tools is still a marginal problem (see Figure 6). Very familiar, 45% Somewhat familiar, 48% Not very familiar, 7% Not at all familiar, 1% Many of today's sophisticated malware attacks use tools to obfuscate or hide specific aspects of their exploits, payloads, communications, and other tactics and processes. Are you familiar with these types of techniques? (Percent of respondents, N=700)
Research Analysis Report: Tackling Attack Detection and Incident Response 10 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 6. The Lack of Security Technology Integration Leads to Incident Detection/Response Problems Source: Intel Security, 2015. Security professionals were asked to give their own opinions about how their organizations could improve the efficiency and effectiveness of the information security staff itself. The research shows a real desire for more effective security analytics tools—58% of respondents want better detection tools while 53% say they need better analysis tools for turning security data into actionable intelligence. There is a yearning to improve the security organization’s skill set with more training on incident response and a general need to grow the infosec staff (see Figure 7). Taken together, this data demonstrates the need for improvement across people, process, and technology. Figure 7. What’s Needed to Improve the Efficiency and Effectiveness of the Information Security Staff Source: Intel Security, 2015. Yes, this is a big problem, 26% Yes, this is a marginal problem, 53% No, this is not a problem, 21% Does your organization have difficulty with incident detection and response due to lack of integration of and communications between its security technologies/tools? (Percent of respondents, N=700) 15% 24% 37% 41% 53% 58% 0% 10% 20% 30% 40% 50% 60% 70% Automation of processes to free up staff for more important duties Employ more IT security staff More training on how to manage incident response issues across multiple networks More training on how to deal with incident response issues Better analysis tools Better detection tools (i.e. static and dynamic analysis tools along with cloud-based threat intelligence to analyze files to gauge whether they are benign or malicious) In your opinion, which of the following items would do the most to improve the efficiency and effectiveness of your staff? (Percent of respondents, N=700, multiple responses accepted)
Research Analysis Report: Tackling Attack Detection and Incident Response 11 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. The Bigger Truth The Intel Security research exposes a few fundamental and pervasive cybersecurity weaknesses: 1. Organizations perform dozens of security investigations each year and around one-fourth of these investigations center on targeted attacks. These particular investigations tend to require advanced skills and security analytics tools as well as an integrated architecture. 2. Despite “silver bullet” products deployed in the last few years, targeted attacks are succeeding and demonstrate an imbalance between cyber-adversary offense and the corresponding defenses of large and small organizations. While cyber-adversaries conduct stealthy attack campaigns based upon social engineering tactics, enterprises find it difficult to prevent, detect, or respond to these attacks in a timely fashion. 3. Many organizations lack the type of comprehensive continuous monitoring they need to identify and respond to suspicious behavior during the critical timeframe after exploitation but still before serious damage occurs (i.e., the Intel Security “golden hour”). 4. The data also points to organizational and technology issues as well. Many organizations lack advanced cybersecurity skills while the security technologies they depend upon introduce overhead as they lack the right level of technical integration. As a result, incident detection and response processes are fraught with multiple time consuming tasks and operational overhead. 5. Security professionals believe that they need better security analytics technologies, integration, and additional training to improve the efficiency and effectiveness of their security teams. CISOs should study this research and assess whether their organizations face similar cybersecurity challenges across all aspects of their infosec domain and strategy. Additionally, ESG believes that there is a hidden story within the Intel Security research that hints at best practices and lessons learned. This data strongly suggests that CISOs:  Commit to continuous cybersecurity education. Like physicians, cybersecurity professionals must keep up with the latest research and development in their area of expertise. This includes advances in malware techniques, threat vectors, and new innovations in cyber defenses. Unfortunately, continuous education is often disregarded as the security team is often too busy keeping up with its workload or reacting to emergency alerts. This results in the situation described in this report where less than half of the security professionals surveyed were very familiar with malware obfuscation techniques. CISOs must seek to balance these diverse activities since cybersecurity professionals won’t be effective if they don’t know how to identify or remediate the latest types of cyber-threats. Some type of cyber-education should be required for the entire organization on an annual basis and supported by a continuous program led by the security team and HR. Cyber-education programs are most successful when executive management take a leadership role by stressing their importance and cheerleading the effort at all times.  Anchor their cybersecurity strategy with strong analytics moving from volume to value. While threat prevention controls like the SANS top 20 are critical, CISOs must assume that targeted attacks will circumvent security defenses, penetrate networks, and compromise systems. To address this inevitability, cybersecurity strategy must be based upon strong security analytics. This means collecting, processing, and analyzing massive amounts of internal (i.e., logs, flows, packets, endpoint forensics, static/dynamic malware analysis, etc.), organizational intelligence (i.e., user behavior, business behavior, etc.) and external data (i.e., threat intelligence, vulnerability notifications, etc.). Security analytics must be based upon intelligent algorithms wherever possible that can detect anomalous behavior, pinpoint affected systems, and help analysts determine a root cause and scope as quickly and accurately as possible. CISOs should remember that collecting and processing data is a means toward action—improving threat detection and response effectiveness and efficiency.  Create a tightly-integrated enterprise security technology architecture. Nearly 80% of organizations believe that the lack of integration between security tools creates a bottleneck and interferes with their ability to detect and respond to security threats. This should be perceived as a bright red flag. CISOs must alleviate this limitation by developing an enterprise security architecture that replaces security point tools with an integrated enterprise security architecture over the next three years. This security architecture
Research Analysis Report: Tackling Attack Detection and Incident Response 12 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. should encompass internal networks and cloud-based IT assets. The project plan should start with immediate pain points or fully-amortized security technologies and then introduce further integration points in phases over time. Each phase should include success metrics around security efficacy and operational efficiency. While it is beyond the scope of this paper to provide details about an integrated enterprise security architecture, the key characteristics include central command-and-control (i.e., policy management, configuration management, security analytics, etc.) and distributed enforcement up and down the technology stack.  Automate incident detection and response whenever possible. While cyber-threats grow exponentially, existing security tools and personnel can only increase their capacity arithmetically. In other words, most organizations have no chance of keeping up with ever-changing malware or cyber-attack techniques. To level the playing field, CISOs must commit to more automation. For incident detection, this requires advanced malware analytics, intelligent algorithms, machine learning, and the consumption of threat intelligence to compare internal behavior with incidents of compromise (IoCs) and tactics, techniques, and procedures (TTPs) used by cyber-adversaries. Furthermore, security and IT operations teams should instrument IT infrastructure and automate tasks and workflows for continuous remediation to quarantine compromised systems or block newly-discovered malicious URL and IP addresses as quickly as possible. The short-term goal here should be reducing the low-risk security workload to free experienced SOC personnel and allow them to focus on high-priority tasks.
20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com

More Related Content

PDF
2013 Incident Response Survey
FireEye, Inc.
 
PPTX
Improve Information Security Practices in the Small Enterprise
George Goodall
 
PDF
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
PDF
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Marcello Marchesini
 
PPTX
Information Security Assessment Offering
eeaches
 
PDF
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
PPTX
Legal and ethical aspects
CAS
 
PDF
Assessing and Managing IT Security Risks
Chris Ross
 
2013 Incident Response Survey
FireEye, Inc.
 
Improve Information Security Practices in the Small Enterprise
George Goodall
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Marcello Marchesini
 
Information Security Assessment Offering
eeaches
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
Legal and ethical aspects
CAS
 
Assessing and Managing IT Security Risks
Chris Ross
 

What's hot (20)

PDF
Cisco Yıllık Güvenlik Raporu 2015
Marketing Türkiye
 
PDF
IT Risk Management
Tudor Damian
 
PDF
It risk assessment
Happiest Minds Technologies
 
PDF
Hewlett-Packard Enterprise- State of Security Operations 2015
Kim Jensen
 
PPTX
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
SurfWatch Labs
 
PDF
Information Security Strategic Management
Marcelo Martins
 
PDF
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_tools
Anjoum .
 
PPTX
Trends in Information Security
CompTIA
 
PDF
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
EnergySec
 
PDF
Prevent & Protect
Mike McMillan
 
PPTX
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
IBM Security
 
PDF
M-Trends® 2013: Attack the Security Gap
FireEye, Inc.
 
PDF
2015 Energy Industry Cybersecurity Research Update
GridCyberSec
 
PPTX
Cybersecurity Operations: Examining the State of the SOC
Fidelis Cybersecurity
 
PDF
What is Enterprise Security Architecture (ESA)?
John Gardner, CMC
 
PDF
Before the Breach: Using threat intelligence to stop attackers in their tracks
- Mark - Fullbright
 
PPTX
Hp It Performance Suite Customer Presentation
esbosman
 
PDF
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Hewlett Packard Enterprise Business Value Exchange
 
ODP
Infosec Workshop - PacINET 2007
Chris Hammond-Thrasher
 
PDF
OSB50: Operational Security: State of the Union
Ivanti
 
Cisco Yıllık Güvenlik Raporu 2015
Marketing Türkiye
 
IT Risk Management
Tudor Damian
 
It risk assessment
Happiest Minds Technologies
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Kim Jensen
 
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
SurfWatch Labs
 
Information Security Strategic Management
Marcelo Martins
 
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_tools
Anjoum .
 
Trends in Information Security
CompTIA
 
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
EnergySec
 
Prevent & Protect
Mike McMillan
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
IBM Security
 
M-Trends® 2013: Attack the Security Gap
FireEye, Inc.
 
2015 Energy Industry Cybersecurity Research Update
GridCyberSec
 
Cybersecurity Operations: Examining the State of the SOC
Fidelis Cybersecurity
 
What is Enterprise Security Architecture (ESA)?
John Gardner, CMC
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
- Mark - Fullbright
 
Hp It Performance Suite Customer Presentation
esbosman
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Hewlett Packard Enterprise Business Value Exchange
 
Infosec Workshop - PacINET 2007
Chris Hammond-Thrasher
 
OSB50: Operational Security: State of the Union
Ivanti
 
Ad

Viewers also liked (9)

PPTX
Profile Injection Attack Detection in Recommender System
ASHISH PANNU
 
PDF
A Wireless Methodology of Heart Attack Detection
ijsrd.com
 
PPTX
NIC 2017 - Attack and detection in Windows Environments
Oddvar Moe
 
PPTX
Heart Attack Monitoring System
Girish Bhangale
 
PDF
A REVIEW ON SYBIL ATTACK DETECTION TECHNIQUES
Journal For Research
 
PPTX
Walking stick with heart attack detection
swathi b
 
PPT
Wireless heartattack detector
Manoj Chidambaram
 
PPTX
Heart beat detector using arduino
Varshaa Khandagale
 
PPTX
Heart beat monitor system PPT
Anand Dwivedi
 
Profile Injection Attack Detection in Recommender System
ASHISH PANNU
 
A Wireless Methodology of Heart Attack Detection
ijsrd.com
 
NIC 2017 - Attack and detection in Windows Environments
Oddvar Moe
 
Heart Attack Monitoring System
Girish Bhangale
 
A REVIEW ON SYBIL ATTACK DETECTION TECHNIQUES
Journal For Research
 
Walking stick with heart attack detection
swathi b
 
Wireless heartattack detector
Manoj Chidambaram
 
Heart beat detector using arduino
Varshaa Khandagale
 
Heart beat monitor system PPT
Anand Dwivedi
 
Ad

Similar to rp-esg-tackling-attack-detection-incident-response (20)

PDF
Cybersecurity: Perceptions & Practices
Joseph DeFever
 
PDF
The state of incident response
Abhishek Sood
 
PDF
Evolving Threats Call For Integrated Endpoint Security Solutions With Holisti...
John D. Haden
 
PDF
Wp evolving-threats-endpoint-security
Ai K
 
PDF
The Custom Defense Against Targeted Attacks
Trend Micro
 
DOCX
Risk management planExecutive SummaryThe past.docx
SUBHI7
 
PDF
AI-Cyber-Security-White-Papers-06-15-LR
Bill Besse
 
DOC
Take back your security infrastructure
Anton Chuvakin
 
PDF
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
The Economist Media Businesses
 
PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
Laurie Mosca-Cocca
 
PDF
Priming your digital immune system: Cybersecurity in the cognitive era
Luke Farrell
 
PDF
Risk Management
ijtsrd
 
PDF
when minutes counts
Martin Lindgren
 
PDF
CounterTack: 10 Experts on Active Threat Management
Mighty Guides, Inc.
 
PDF
The Security Challenge: What's Next?
Cognizant
 
PDF
A Critical Analysis Of Information Security -A Case Study Of Cognizant Techno...
Finni Rice
 
PDF
IT Executive Guide to Security Intelligence
thinkASG
 
PDF
State of Security Operations 2016
Tim Grieveson
 
PDF
State of Security Operations 2016 report of capabilities and maturity of cybe...
at MicroFocus Italy ❖✔
 
PDF
2015 Scalar Security Study Executive Summary
patmisasi
 
Cybersecurity: Perceptions & Practices
Joseph DeFever
 
The state of incident response
Abhishek Sood
 
Evolving Threats Call For Integrated Endpoint Security Solutions With Holisti...
John D. Haden
 
Wp evolving-threats-endpoint-security
Ai K
 
The Custom Defense Against Targeted Attacks
Trend Micro
 
Risk management planExecutive SummaryThe past.docx
SUBHI7
 
AI-Cyber-Security-White-Papers-06-15-LR
Bill Besse
 
Take back your security infrastructure
Anton Chuvakin
 
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
The Economist Media Businesses
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
Laurie Mosca-Cocca
 
Priming your digital immune system: Cybersecurity in the cognitive era
Luke Farrell
 
Risk Management
ijtsrd
 
when minutes counts
Martin Lindgren
 
CounterTack: 10 Experts on Active Threat Management
Mighty Guides, Inc.
 
The Security Challenge: What's Next?
Cognizant
 
A Critical Analysis Of Information Security -A Case Study Of Cognizant Techno...
Finni Rice
 
IT Executive Guide to Security Intelligence
thinkASG
 
State of Security Operations 2016
Tim Grieveson
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
at MicroFocus Italy ❖✔
 
2015 Scalar Security Study Executive Summary
patmisasi
 

rp-esg-tackling-attack-detection-incident-response

  • 1. Tackling Attack Detection and Incident Response Research and Analysis by Intel Security and ESG By Jon Oltsik, Senior Principal Analyst April 2015 This ESG paper was commissioned by Intel Security and is distributed under license from ESG. © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved.
  • 2. Research Analysis Report: Tackling Attack Detection and Incident Response 2 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Contents Executive Summary ......................................................................................................................................3 Always On .....................................................................................................................................................4 Cybersecurity Defense..................................................................................................................................7 The Bigger Truth .........................................................................................................................................11 All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
  • 3. Research Analysis Report: Tackling Attack Detection and Incident Response 3 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Executive Summary The Enterprise Strategy Group (ESG) recently worked with Intel Security to analyze the results of a research project based upon a survey of 700 IT and security professionals at mid-market (i.e., 500 to 999 employees) and enterprise (i.e., more than 1,000 employees) organizations located in Asia, North America, EMEA and South America. Survey respondents came from numerous industries with the largest respondent populations coming from information technology (19%), manufacturing and materials (13%), and financial services (9%). Respondents were asked a series of questions about their organizations’ information security policies, processes, and technologies as well as their current security challenges and future strategies. Based upon this research, ESG concludes:  Security professionals remain busy and challenged by targeted attacks. On average, security respondents indicated that their organizations conducted 78 security investigations last year, and about 28% of these investigations focused on targeted attacks. Targeted attack investigations are especially cumbersome as they require experienced security analysts, a comprehensive view of IT assets, and security data analytics. These particular investigations can be extremely time consuming which may impede remediation actions and lead to data breaches in spite of the security team’s best efforts. The Intel Security data points to the need to change from simply collecting volumes of data to finding value in the data—this is the path to address attacks more efficiently.  While targeted attacks abound, incident detection and response are fraught with one-way streets, roadblocks, and detours. Cyber-attackers are using a combination of social engineering techniques, publicly-available social networking services, and stealthy malware to trick end-users, circumvent security controls, and compromise systems. While these offensive tactics are fairly straightforward, cybersecurity defenses remain haphazard at best. Security professionals often have limited knowledge about the latest hacking tactics, techniques, and procedures (TTPs). Incident detection and response are held back by a series of time consuming tasks, manual processes, and inefficiencies that elongate response time leading to damage control and cleanup. Security monitoring tools have limited visibility into users and technologies while security point tools lack the level of integration needed to coordinate and monitor security defenses across the network. Alarmingly, the Intel Security data portrays an unfair fight where cybersecurity offense often overwhelms cybersecurity defenses. Businesses need to change their security strategies to be able to deal with incidents within the most crucial timeframe after infection, before serious damage can be inflicted. Intel Security refers to this ideal incident detection/response window as the “golden hour.”  Security professionals are asking for help in multiple areas. The security professionals surveyed for this project have a multitude of suggestions to help them improve cybersecurity defenses and incident detection and response efficiencies. More than half point out the need for better security tools for incident detection and security analytics while around 40% recommend more training for cybersecurity professionals and the SOC team. And since 80% of organizations believe that their incident detection/response processes are hindered by a lack of security technology integration, many security professionals believe that their organizations would benefit from an end-to-end, tightly-integrated enterprise security architecture. In aggregate, cybersecurity advancements are needed across people, processes, and technology. CISOs should use the data presented in this report in two ways: 1. As a guideline for security assessment. This report highlights a number of issues hindering incident detection processes and effectiveness. CISOs should assess whether these problems exist within their organizations and, if so, attempt to identify and measure the ramifications. 2. As a blueprint for strategic planning. The data points to the need for vastly improved security data analytics and an integrated enterprise security technology architecture. CISOs should investigate their plans in these and other areas identified herein.
  • 4. Research Analysis Report: Tackling Attack Detection and Incident Response 4 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Always On Most information security professionals would readily admit that there is a persistent cyber-war in progress where their organizations face a constant barrage of attacks. On average the IT and security professionals’ surveyed claim that their organizations conducted 78 individual security investigations in 2014. Not surprisingly, security investigation frequency was closely correlated to an organization’s size—the larger the organization, the more security investigations they conducted (see Table 1). Table 1. Average Number of Security Incidents in 2014 Total survey population (n= 700) 500 to 999 employees (n = 196) 1,000 to 4999 employees (n = 248) More than 5,000 employees (n = 256) Average number of security incidents in 2014 78 31 41 150 Source: Intel Security, 2015. At almost half of the companies surveyed, the majority of these security investigations focus on routine security incidents where end-user PCs become infected with adware, spyware, and volumetric viruses commonly downloaded from an assortment of sources. However, the other half spend the majority of their time investigating more sophisticated and often inter-related problems: targeted attacks (by an external adversary targeting a particular individual, group, or type of site or service), data breaches, and malicious insider attacks. In fact, 28% of security investigations are associated directly with more dangerous and potentially damaging targeted attacks (see Figure 1). This is an important distinction. With more than 1 in 4 security investigations linked to targeted attacks, many organizations:  Face targeted attacks on a regular basis. While pedestrian malware continues to be a major pain point, the Intel Security data indicates that no one is immune to the dangers of today’s targeted cyber-attacks. Small, medium, and large organizations consistently reported that 28% of their security investigations were focused on targeted attacks and organizations across all industries were impacted. Clearly, the advanced persistent threats (APTs) that were once the scourge of government agencies and the defense/intelligence industry are now widespread, presenting a real menace to all organizations.  Require new resources and skills to conduct targeted attack investigations. In general, security professionals can get help with common malware from their AV and IDS/IPS vendors. Alternatively, investigating targeted malware that flies “under-the-radar” may require some combination of security analytics tools, threat intelligence feeds, and advanced cybersecurity skills. Based upon this, it is safe to assume that targeted attack investigations are more difficult and time consuming than more common ones and many organizations simply are not prepared with the right resources, skills, or analytics.  Have more at stake with targeted attack investigations. Adware and spyware may disrupt employee productivity but targeted attacks can result in costly and damaging data breaches. This puts pressure on the security analyst team to isolate and remediate problems as soon as possible but best efforts alone won’t prevent data breaches.
  • 5. Research Analysis Report: Tackling Attack Detection and Incident Response 5 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 1. Percentage of Security Investigations Associated with Targeted Attacks Source: Intel Security, 2015. All of these security investigations raise an obvious question: Why are cyber-adversaries able to penetrate networks and compromise systems with targeted attacks? Unfortunately, security professionals point to an assortment of root causes—38% cite a lack of user knowledge about cybersecurity risks, 32% claim that it is increasingly difficult to detect persistent/modern malware, 30% blame an increase in the use of social networking, and 29% identify sophisticated social engineering tactics (see Figure 2). 8% 24% 14% 16% 12% 9% 5% 5% 3% 1% 1% 1% 0% 5% 10% 15% 20% 25% 0% 1-10% 11-20% 21-30% 31-40% 41-50% 51-60% 61-70% 71-80% 81-90% 91-99% 100% What percentage of your 2014 security investigations were associated with targeted attacks? (Percent of respondents, N=700) Average = 28%
  • 6. Research Analysis Report: Tackling Attack Detection and Incident Response 6 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 2. Reasons Cited for Targeted Attack Success Source: Intel Security, 2015. 12% 14% 16% 22% 23% 24% 24% 26% 29% 30% 32% 38% 0% 10% 20% 30% 40% 50% We did not suffer any successful targeted attacks Increased mobility and remote worker policies making it harder for security and IT operations staff to control and secure endpoint systems Insufficient security protection on endpoint devices (i.e., signature-based malware defenses only) Increasing use of non-PC devices such as smart phones and tablets increased the attack surface for malware at our organization Our security staff lacks the proper knowledge and skills to detect modern malware stealthing techniques (i.e., packing, polymorphic threats, sleeping techniques, metamorphic threats, etc.) Failure to recognize the root cause of an attack such that remediation steps did not adequately prevent malware from spreading and causing further damage Bring your own device ("BYOD") policies introduced many different types of PCs into our network making it harder for security and IT operations staff to control and secure endpoint systems Increasing use of personal business services (i.e., Dropbox, EverNote, PC Backup, etc.) by employees provided a malware distribution channel for cyber adversaries Sophisticated social engineering tactics by cyber adversaries that made activities appear trustworthy Increasing use of social networking sites (i.e., Facebook, Twitter, LinkedIn, etc.) by employees provided a malware distribution channel for cyber adversaries It has become increasingly difficult to detect persistent malware that may use an assortment of attack vectors, exploits, and payloads Lack of user knowledge about cybersecurity risks (i.e., clicking on unknown links, opening e-mails from unknown sources, etc.) If your organization suffered one or more successful advanced, targeted attacks in 2014, which of the following things do you believe made these attacks successful? (Percent of respondents, N=700, multiple responses accepted)
  • 7. Research Analysis Report: Tackling Attack Detection and Incident Response 7 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. This list reflects a microcosm of today’s cybersecurity landscape. Smart, crafty, and creative cyber-adversaries use social engineering and stealthy malware to entice gullible end-users to click on a URL or open an e-mail attachment. In the meantime, nearly one-third (32%) of security professionals struggle to detect and respond to these attacks. The research points to a clear mismatch between offensive cybersecurity threats and traditional cybersecurity defenses. This imbalance is cause for alarm and must be addressed by all organizations as soon as possible. It’s important that security professionals understand that the volume of data alone isn’t making them smarter—what’s needed is more analysis and action on seemingly unrelated events that add up to significant incidents. Cybersecurity Defense The Intel Security research seems to indicate that it is relatively easy for cyber-adversaries to launch targeted attacks, evade security defenses, and compromise systems. Security professionals recognize this situation and remain diligent in their efforts to prevent, detect, and respond to targeted attacks but are often hamstrung by manual processes, isolated security controls, or limited security analytics. For example, incident detection and response processes depend upon a number of time consuming tasks, including determining the impact/scope of a security incident (47% say this is a time-consuming task), taking action to minimize the impact of an attack (42%), and analyzing security intelligence to detect security incidents (41%) (see Figure 3). When these time consuming processes are added together, it is often days, weeks, or months before cyber-attacks are identified and remediated. Figure 3. Time Consuming Tasks Associated with Incident Detection/Response Source: Intel Security, 2015. 26% 32% 35% 38% 39% 41% 42% 47% 0% 10% 20% 30% 40% 50% Gathering the right data for accurate situational awareness Conducting retrospective remediation to determine the scope of outbreaks, contain them and automatically remediate malware Altering security controls to prevent future similar types of malware attacks Performing forensic analysis to determine the root cause of the problem Determining which assets, if any, remain vulnerable to a similar type of attack Analyzing security intelligence to detect security incidents Taking action to minimize the impact of an attack (i.e., taking a system off-line, segmenting the network, etc.) Determining the impact and/or scope of a security incident (i.e., what was altered on a system, what this alteration did, were other systems affected, etc.) Which three processes are the most time consuming incident detection/response tasks? (Percent of respondents, N=700, three responses accepted)
  • 8. Research Analysis Report: Tackling Attack Detection and Incident Response 8 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. When it comes to incident detection and response, time has an ominous correlation to potential damage—the longer it takes an organization to identify, investigate, and respond to a cyber-attack, the more likely it is that their actions won’t be enough to preclude a costly breach of sensitive data. To address this situation, many organizations are moving toward continuous monitoring of users, systems, applications, and sensitive data located on internal networks and external resources (i.e., SaaS, IaaS, PaaS, business partner systems, etc.). Effective continuous monitoring demands end-to-end collection, processing, and analysis of volumes of security data such as log files, network flows, endpoint/network forensic data, threat intelligence feeds, etc. Being able to identify and respond to an incident within the first hour (i.e., the Intel Security “golden hour”) can greatly minimize the impact of the breach. While many organizations strive for continuous monitoring across IT, many continue to have limited visibility into one or more IT areas. When asked about the biggest inhibitors to having real-time and comprehensive security visibility, 41% of organizations said that they need a better understanding of user behavior, 37% claim that they need tighter integration between security intelligence and IT operations tools, 37% need a better understanding of network behavior, and one-third (33%) need better tools to baseline normal behavior so they can detect anomalies (see Figure 4). Figure 4. What’s Needed for Real-time and Comprehensive Security Visibility Source: Intel Security, 2015. Addressing these visibility and comprehension deficiencies is critical. For example, a lack of knowledge about user behavior could give cyber-adversaries the opportunity to create rogue user accounts or suddenly download volumes of sensitive documents to a user’s PC. Similarly, when security analysts are unsure about network activities, they are more likely to miss suspicious connections, egress traffic, or DNS behavior. CISOs must address these visibility gaps in order to arm security analysts with the data they need to pivot across applications, networks, and systems as they pursue targeted attack investigations. 17% 21% 26% 27% 27% 30% 33% 37% 37% 41% 0% 10% 20% 30% 40% 50% Need better security analysis/forensic skills at our organization Need a better understanding of host behavior Need for better networking visibility (i.e., asset recognition, topology discovery, etc.) Need a better understanding of application behavior Need better automated analytics from our security intelligence tools Need a better understanding of server virtualization technology behavior Need better tools to baseline normal behavior so we can detect anomalies Need a better understanding of network behavior Need tighter integration between security intelligence and IT operations tools (NPM, APM, etc.) Need a better understanding of user behavior Of the following, which are the biggest inhibitors to having real-time and comprehensive security visibility at your organization? (Percent of respondents, N=700, multiple responses accepted)
  • 9. Research Analysis Report: Tackling Attack Detection and Incident Response 9 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. End-to-end security visibility is vital but security data is meaningless by itself if security analysts can’t understand the information or its ramifications. In fact, effective incident detection and response is really anchored by the experience, instincts, and skills of the security analyst team as they observe content, monitor behavior, analyze data, and meander from data point to data point as part of their investigations. Given the need for a strong foundation of security knowledge, ESG found it somewhat troubling that only 45% of security professionals consider themselves very knowledgeable about malware obfuscation techniques while 8% are not very familiar or not at all familiar with malware obfuscation techniques (see Figure 5). With limited knowledge in this area, it is easy to see why over-burdened security analysts might disregard security alerts, minimize investigations efforts, or mistakenly classify a malicious file as benign. This is especially alarming as many organizations have visibility gaps AND skills deficiencies, limiting their ability to detect and respond to cyber- attacks. Figure 5. Security Professionals are Unfamiliar with Malware Obfuscation Techniques Source: Intel Security, 2015. Enterprise security activities around incident prevention, detection, and response are often based upon an army of disparate point tools used for threat management, policy enforcement, access control, and security monitoring. In many cases, these tools were added to the network organically over time in response to new types of cyber-risks. Each point tool is designed for a specific function and may be effective on its own but the infosec team is ultimately responsible for securing all IT assets regardless of their location or the types of threats they face. It is often difficult, if not impossible, to create/enforce security policies or monitor enterprise security status by piecing together reports generated from dozens of independent tools. The complex and cross-vector nature of targeted attacks makes the point tool model even less acceptable. Multiple events detected by different sensors must be aggregated to correlate events into an attack sequence, permit an investigative workflow, or communicate appropriate containment and remediation out to relevant controls. Is this lack of integration impeding efforts around incident detection and response? According to the research, the unfortunate answer is “yes”—26% of organizations say that the lack of integration and communications between security technologies/tools creates a big problem for incident detection and response while 53% state that the lack of integration and communications between security technologies/tools is still a marginal problem (see Figure 6). Very familiar, 45% Somewhat familiar, 48% Not very familiar, 7% Not at all familiar, 1% Many of today's sophisticated malware attacks use tools to obfuscate or hide specific aspects of their exploits, payloads, communications, and other tactics and processes. Are you familiar with these types of techniques? (Percent of respondents, N=700)
  • 10. Research Analysis Report: Tackling Attack Detection and Incident Response 10 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 6. The Lack of Security Technology Integration Leads to Incident Detection/Response Problems Source: Intel Security, 2015. Security professionals were asked to give their own opinions about how their organizations could improve the efficiency and effectiveness of the information security staff itself. The research shows a real desire for more effective security analytics tools—58% of respondents want better detection tools while 53% say they need better analysis tools for turning security data into actionable intelligence. There is a yearning to improve the security organization’s skill set with more training on incident response and a general need to grow the infosec staff (see Figure 7). Taken together, this data demonstrates the need for improvement across people, process, and technology. Figure 7. What’s Needed to Improve the Efficiency and Effectiveness of the Information Security Staff Source: Intel Security, 2015. Yes, this is a big problem, 26% Yes, this is a marginal problem, 53% No, this is not a problem, 21% Does your organization have difficulty with incident detection and response due to lack of integration of and communications between its security technologies/tools? (Percent of respondents, N=700) 15% 24% 37% 41% 53% 58% 0% 10% 20% 30% 40% 50% 60% 70% Automation of processes to free up staff for more important duties Employ more IT security staff More training on how to manage incident response issues across multiple networks More training on how to deal with incident response issues Better analysis tools Better detection tools (i.e. static and dynamic analysis tools along with cloud-based threat intelligence to analyze files to gauge whether they are benign or malicious) In your opinion, which of the following items would do the most to improve the efficiency and effectiveness of your staff? (Percent of respondents, N=700, multiple responses accepted)
  • 11. Research Analysis Report: Tackling Attack Detection and Incident Response 11 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. The Bigger Truth The Intel Security research exposes a few fundamental and pervasive cybersecurity weaknesses: 1. Organizations perform dozens of security investigations each year and around one-fourth of these investigations center on targeted attacks. These particular investigations tend to require advanced skills and security analytics tools as well as an integrated architecture. 2. Despite “silver bullet” products deployed in the last few years, targeted attacks are succeeding and demonstrate an imbalance between cyber-adversary offense and the corresponding defenses of large and small organizations. While cyber-adversaries conduct stealthy attack campaigns based upon social engineering tactics, enterprises find it difficult to prevent, detect, or respond to these attacks in a timely fashion. 3. Many organizations lack the type of comprehensive continuous monitoring they need to identify and respond to suspicious behavior during the critical timeframe after exploitation but still before serious damage occurs (i.e., the Intel Security “golden hour”). 4. The data also points to organizational and technology issues as well. Many organizations lack advanced cybersecurity skills while the security technologies they depend upon introduce overhead as they lack the right level of technical integration. As a result, incident detection and response processes are fraught with multiple time consuming tasks and operational overhead. 5. Security professionals believe that they need better security analytics technologies, integration, and additional training to improve the efficiency and effectiveness of their security teams. CISOs should study this research and assess whether their organizations face similar cybersecurity challenges across all aspects of their infosec domain and strategy. Additionally, ESG believes that there is a hidden story within the Intel Security research that hints at best practices and lessons learned. This data strongly suggests that CISOs:  Commit to continuous cybersecurity education. Like physicians, cybersecurity professionals must keep up with the latest research and development in their area of expertise. This includes advances in malware techniques, threat vectors, and new innovations in cyber defenses. Unfortunately, continuous education is often disregarded as the security team is often too busy keeping up with its workload or reacting to emergency alerts. This results in the situation described in this report where less than half of the security professionals surveyed were very familiar with malware obfuscation techniques. CISOs must seek to balance these diverse activities since cybersecurity professionals won’t be effective if they don’t know how to identify or remediate the latest types of cyber-threats. Some type of cyber-education should be required for the entire organization on an annual basis and supported by a continuous program led by the security team and HR. Cyber-education programs are most successful when executive management take a leadership role by stressing their importance and cheerleading the effort at all times.  Anchor their cybersecurity strategy with strong analytics moving from volume to value. While threat prevention controls like the SANS top 20 are critical, CISOs must assume that targeted attacks will circumvent security defenses, penetrate networks, and compromise systems. To address this inevitability, cybersecurity strategy must be based upon strong security analytics. This means collecting, processing, and analyzing massive amounts of internal (i.e., logs, flows, packets, endpoint forensics, static/dynamic malware analysis, etc.), organizational intelligence (i.e., user behavior, business behavior, etc.) and external data (i.e., threat intelligence, vulnerability notifications, etc.). Security analytics must be based upon intelligent algorithms wherever possible that can detect anomalous behavior, pinpoint affected systems, and help analysts determine a root cause and scope as quickly and accurately as possible. CISOs should remember that collecting and processing data is a means toward action—improving threat detection and response effectiveness and efficiency.  Create a tightly-integrated enterprise security technology architecture. Nearly 80% of organizations believe that the lack of integration between security tools creates a bottleneck and interferes with their ability to detect and respond to security threats. This should be perceived as a bright red flag. CISOs must alleviate this limitation by developing an enterprise security architecture that replaces security point tools with an integrated enterprise security architecture over the next three years. This security architecture
  • 12. Research Analysis Report: Tackling Attack Detection and Incident Response 12 © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved. should encompass internal networks and cloud-based IT assets. The project plan should start with immediate pain points or fully-amortized security technologies and then introduce further integration points in phases over time. Each phase should include success metrics around security efficacy and operational efficiency. While it is beyond the scope of this paper to provide details about an integrated enterprise security architecture, the key characteristics include central command-and-control (i.e., policy management, configuration management, security analytics, etc.) and distributed enforcement up and down the technology stack.  Automate incident detection and response whenever possible. While cyber-threats grow exponentially, existing security tools and personnel can only increase their capacity arithmetically. In other words, most organizations have no chance of keeping up with ever-changing malware or cyber-attack techniques. To level the playing field, CISOs must commit to more automation. For incident detection, this requires advanced malware analytics, intelligent algorithms, machine learning, and the consumption of threat intelligence to compare internal behavior with incidents of compromise (IoCs) and tactics, techniques, and procedures (TTPs) used by cyber-adversaries. Furthermore, security and IT operations teams should instrument IT infrastructure and automate tasks and workflows for continuous remediation to quarantine compromised systems or block newly-discovered malicious URL and IP addresses as quickly as possible. The short-term goal here should be reducing the low-risk security workload to free experienced SOC personnel and allow them to focus on high-priority tasks.
  • 13. 20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com