Security analysts today spend the majority of their time on the mundane, repetitive and administrative tasks associated with incident response, rather than proactively investigating and hunting threats to stay one step ahead of the growing number of cyber threats they face. On a daily basis, security teams are bombarded with security alerts, most commonly from their security information and event management (SIEM) solution, combined with log and event data from a number of other platforms and sources within their infrastructure.
A SIEM tool pulls event and log data from a wide range of internal sources, sometimes up to 15 different third-party tools or more, to provide a complete all-around picture of an organization’s current security posture and ongoing threats. The SIEM mainly acts as a security monitoring system by correlating relevant data from multiple sources and generating alerts when the events appear to be worthy of further investigation. At a basic level, SIEM implementations can be rule-based or can employ a statistical correlation engine to establish relationships between event log entries, while advanced SIEMs can be used for user and entity behavior analytics (UEBA) and some orchestration and automation processes.
Is there such a thing as too much information?
The main advantage of implementing a formal and automated SIEM process is to increase the overall visibility of the IT network and security infrastructure. However, this process and enhanced visibility often lead to large volumes of alerts being generated, which then need to be investigated manually by security analysts. Quite often, a number of them also turn out to be false positives after further investigation, wasting a considerable amount of time. In other cases, far too many alerts are being generated for the workforce to even begin to consider investigating them all. As a consequence, only the higher levels of alerts are prioritized, increasing the risk to the organization by disregarding some of the lower-level alerts.
A more effective and efficient solution
Rather than leaving the organization vulnerable to the risks of ignored alerts, a better solution is to complement the SIEM with security orchestration, automation, and response (SOAR) technology. Gartner created the term SOAR to describe an approach to security operations and incident response that aims to improve security operations’ efficiency, efficacy, and consistency. SOAR allows organizations to collect security data and alert information from a number of different sources, including a SIEM, and to then perform incident analysis and triage using a combination of human and machine power. This helps to formalize the response handling procedure, determining and deploying effective and repetitive incident response processes and workflows.
Acting as a force multiplier, SOAR allows security teams to do more with fewer resources. It provides capabilities to automate, orchestrate and measure the full incident response lifecycle, including detection, security incident qualification, triage and escalation, enrichment, containment, and remediation. The overall goal of an organization utilizing a SOAR solution is to reduce the mean time to detection (MTTD) as well as the mean time to respond (MTTR) to an incident. This, in turn, minimizes the risk resulting from the growing number of cyber threats and security incidents, while also enabling the organization to achieve legal and regulatory compliance and ultimately increasing the return on investment for existing security infrastructure technologies.
Action alerts immediately and automatically
A SIEM solution ingests and processes large volumes of security events from various sources, then collates and analyzes the information to identify the issues, which subsequently triggers the creation of the initial security alert. This functionality is often limited to unidirectional communication with the data collection sources and, in most cases, SIEM implementations do not carry out actions beyond the initial alert generation. This is where the power of SOAR can add significant value, taking the SIEM-generated alert and orchestrating and automating responses, utilizing multiple security and IT tools from different vendors to remediate the threat.
Once a SIEM alert is generated, an incident is triggered within the connecting SOAR solution. Combined with machine automation and some level of human interaction where needed, a number of enrichment and response actions are carried out following a specific set of playbooks and runbooks for each individual incident type. A set of activities based on previously defined incident workflows and results, combined with machine learning, is used to automate and guide the entire response process from start to finish.
Get more from the people you have
Integrating SIEM and SOAR combines the power of each to create a more robust, efficient and responsive security program, ensuring no alerts go untouched. It accelerates incident detection and response actions from minutes to seconds, ultimately enabling security teams to maximize analyst efficiency, minimize incident resolution time and avoid alert fatigue that negatively impacts so many of today’s security teams. It also enables organizations to automate most of the low-level work often performed by security analysts, allowing them to do what they do best, which is challenging and rewarding, while SOAR technology does the rest.
Preparation for GDPR has been underway for the last two years. Although last month’s deadline has passed and GDPR is now in effect, there are still many companies in the EU and the rest of the world for that matter, that are still not 100% compliant. A recent survey by Spiceworks revealed that only 25 percent of US companies were thought to be compliant when GDPR went into force. Many of these companies are waiting in anticipation to see the first results and the impact the new legislation will bring once a new major breach has been uncovered. As we wait for that first announcement in the news, the chances are that many new breaches have most likely already occurred post-May 25th but are still yet to be detected and disclosed. Dixons Carphone may be the first, announcing a huge data breach last week involving 5.9 million payment cards and 1.2 million personal data records, but the breach was reported to have taken place last year, pre-GDPR, so the consequences are somewhat unclear.
GDPR is unique in that it is the first major regulation to focus on the end scenario, the impact and aftermath of a breach, especially to the individual, as opposed to focusing solely on the prevention and controls put in place by organizations to prevent a breach in the first place. What seems to have caused the most confusion is that there doesn’t seem to be a “one size fits all” approach for companies to meet GDPR compliance, and there have been many different interpretations. Companies must be able to prove they have carried out the necessary risk assessments and put the appropriate policies, processes, and procedures in place given all the risks involved.
Historically it has been more common to associate security controls with breach prevention, but today cybersecurity strategies have been turned on their head and security operations teams must assume that a breach has occurred or will occur. It is no longer the “if” scenario; the focus is now fully on the “when” scenario. This change in mindset puts incident response, in particular data breach notification and reporting processes, at the forefront of reducing the risk of a data breach as opposed to being an afterthought. Organizations under GDPR now have to notify EU authorities within 72 hours and have to prove that their security programs and responses were appropriate to the situation.
If you are not quite fully GDPR compliant yet, there is no time to wait. Here are 5 steps you should take without undue delay.
1. Establish Roles and Responsibilities
Data Protection Officer (DPO) is the latest new job title being created within many organizations. The main responsibilities of the DPO include providing advice on security controls, processes and procedures within the organization, as well as acting as the main point of contact for the supervisory authority. The DPO is not the only role that may be required though, as a proper incident response plan will require many additional roles, including an incident response coordinator, legal and compliance resources and human resources, to name a few. Stakeholders within the organization will need to be aware of how to effectively put the plans into action. If you are yet to define roles and responsibilities, this is a key first step when tackling GDPR.
Under GDPR it is important to understand what data exists, where it is located, who has access to it and for what purpose it is being used. Only the minimum amount of data to perform the task should be collected and processed and it should not be retained for longer than necessary. If data within the company is unknown then it can’t be protected, putting the company at risk. Knowing where data exists is crucial during incident response and breach notification to ensure you do a comprehensive audit of your business and the data it holds.
To respond to a security incident, a thoroughly planned and documented approach is required to maximize its effectiveness. Without structure and documented processes and procedures in place, an incident response attempt could turn into complete mayhem. The process should comprise the appropriate tools and tasks, as well as the personnel required to respond to the incident, ensuring it covers all scenarios whether large or small. It is also important to document both the high-level plan and the more detailed workflows for handling specific types of security incidents (e.g. runbooks and playbooks). Having this documentation and associated processes and procedures in place will help your organization to demonstrate that a formalized, repeatable process using an appropriate response was followed during a potential breach.
4. Test the Plan Regularly
Having a documented plan is one thing, but ensuring it works and is fully tested is another. GDPR not only requires that security controls are in place but also states that they should be tested and evaluated on a regular basis. This will most likely vary from organization to organization, but we would recommend it should take place at least once a year and include exercises such as breach simulations. As well as meeting this requirement under GDPR, it also helps to ensure that all stakeholders within the incident response process are up to date and familiar with their respective roles and responsibilities.
5. Ensure Reporting Practices and Proficiencies
The GDPR breach reporting and notification element is probably one of the most challenging aspects to comply with, as 72 hours is a relatively short window to detect, remediate, report on and notify all parties of an incident. Organizations need to be able to gather and analyze large amounts of data from multiple sources, as well as make sense of the data before notifying stakeholders internally and externally. Implementing automated procedures for collecting data and preparing detailed reports based on incident and forensic data is essential, as well as having documented processes in place for issuing notifications to potentially hundreds of thousands of individuals.
As we already know, data breach detection and incident response are never going to be a straightforward process for any organization, but GDPR has now leveled the playing field to ensure that all companies are meeting the same baseline requirements or face the possibility of a hefty fine and public scrutiny. It is now a critical time for organizations to ensure they have detailed and documented incident response plans and procedures in place to deal with any incident should it occur, as well as the tools they need to help them to more easily comply with the requirements.
If your security operations team is looking for assistance with its incident response program and tools to help the organization to demonstrate GDPR compliance as well as breach notification requirements, these useful resources may help. Read our DFLabs IncMan for GDPR solution brief and whitepaper about Increasing the Effectiveness of Incident Management to learn more.
As malware attacks continue, attackers are going to great lengths to obfuscate both the intent and capabilities of their malicious payloads to evade detection and analysis. In addition, the rate at which new malware is being developed has reached staggering new levels. Zero-day malware is increasingly common in all environments and signature analysis is becoming less effective.
As a result, malware has become increasingly difficult to detect using more traditional detection mechanisms. Once detection occurs, it is often difficult to successfully analyze the malicious file to determine the potential impact and extract indicators. To successfully respond to a potential malware incident and minimize the impact, early detection and analysis are critical.
In this blog, we will briefly discuss how a security operations team can detect, analyze and respond to advanced, evasive malware by utilizing McAfee Advanced Threat Defense (ATD) with DFLabs IncMan SOAR platform, and present a simple use case example.
Utilizing McAfee ATD with DFLabs IncMan SOAR Platform
Early detection, analysis, and extraction of indicators are critical in successfully responding to and remediating a security incident involving malware. McAfee ATD enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection. Unlike traditional sandboxes, it includes additional inspection capabilities that broaden detection and expose evasive threats. Tight integration between security solutions enables instant sharing of threat information across the environment, enhancing protection and investigation.
DFLabs IncMan and McAfee ATD together solve two specific challenges: 1) How can I reliably detect malicious files? and 2) How can I determine capabilities and extract indicators from malicious files? Utilizing DFLabs IncMan’s integration with McAfee ATD and with the use of IncMan’s R3 Rapid Response Runbooks, organizations can automate and orchestrate the detection and analysis of suspected advanced and evasive malware, allowing faster and more effective response to malware incidents. In addition, ATD also provides users with critical insights into the capabilities of suspicious files, as well as indicators which may be further enriched through additional automated actions.
Use Case in Action
A potentially malicious file has been detected on a workstation, causing the security operations team to initiate the incident response process. The malicious file has been extracted from the workstation and included in the IncMan Incident as an Artifact. Next, the R3 Runbook predetermined for malware alerts and incidents will be used to scan the file, perform additional enrichment, then block the infected host, if necessary.
To begin, McAfee ATD is used to detonate the potentially malicious file. Once detonation has completed, McAfee ATD will return information about the executable, including the determined severity level. Next, a condition is set to determine if the severity returned by McAfee ATD is greater than 0, indicating that the file is likely malicious.
If it is determined by McAfee ATD that the file is likely malicious, an additional enrichment action is utilized to gather additional information from McAfee ePolicy Orchestrator (ePO) regarding the host that the malicious file was detected on. Following this, McAfee ePO is also used to tag the host with the appropriate tags indicating that it may be infected with malware.
Following the additional enrichment actions, a user choice decision point is reached. This user choice decision will prompt the analyst to make a manual decision regarding whether or not the workstation which generated the malware alert should be temporarily blocked from communicating outside the network. All of the enrichment information from the previous actions, including the information from McAfee ATD and ePO will be available to the analyst to assist in the decision-making process.
If the analyst chooses to block this workstation at the perimeter, a containment action will utilize McAfee Web Gateway to block the IP of the workstation until further investigation and remediation can be conducted.
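The runbook flow described in this use case, sketched as an added Python example (not DFLabs or McAfee code). The `Connectors` callables, the status names and the `possible-malware` tag are hypothetical stand-ins for the ATD, ePO and Web Gateway integrations, and routing a failed detonation to manual analysis is an assumption beyond what the use case states.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Incident:
    host_ip: str
    severity: Optional[int] = None
    host_info: dict = field(default_factory=dict)
    status: str = "open"
    audit: list = field(default_factory=list)   # ordered record of each step taken

@dataclass
class Connectors:
    # Hypothetical adapters for the integrations; not real McAfee or IncMan API calls.
    detonate: Callable[[bytes], int]        # sandbox: sample -> severity level
    host_lookup: Callable[[str], dict]      # endpoint management: IP -> host details
    tag_host: Callable[[str, str], None]
    block_ip: Callable[[str], None]         # web gateway containment

def run_runbook(inc, sample, c, analyst_choice=None):
    try:
        inc.severity = c.detonate(sample)
    except Exception as exc:                # a failed detonation is not a clean verdict
        inc.status = "manual_analysis"
        inc.audit.append(("detonate_failed", str(exc)))
        return inc
    inc.audit.append(("detonate", inc.severity))
    if inc.severity <= 0:                   # condition from the use case: severity > 0?
        inc.status = "closed_no_detection"
        return inc
    inc.host_info = c.host_lookup(inc.host_ip)
    c.tag_host(inc.host_ip, "possible-malware")
    inc.audit.append(("enrich_and_tag", inc.host_ip))
    if analyst_choice is None:              # user choice point: wait, never auto-block
        inc.status = "awaiting_analyst"
    elif analyst_choice == "block":
        c.block_ip(inc.host_ip)
        inc.audit.append(("block_ip", inc.host_ip))
        inc.status = "contained"
    else:
        inc.audit.append(("block_declined", inc.host_ip))
        inc.status = "monitoring"
    return inc

def demo_connectors(severity, blocked, tags):   # constructed in-memory fakes
    def detonate(_sample):
        if severity is None:
            raise TimeoutError("sandbox unreachable")
        return severity
    return Connectors(detonate,
                      lambda ip: {"ip": ip, "hostname": "ws-example-01"},
                      lambda ip, tag: tags.append((ip, tag)),
                      blocked.append)

if __name__ == "__main__":
    for sev, choice in [(0, None), (3, None), (3, "block"), (None, None)]:
        inc = run_runbook(Incident("192.0.2.15"), b"x", demo_connectors(sev, [], []), choice)
        print(sev, choice, inc.status)
```

The audit list gives the ordered evidence trail an analyst needs at the decision point, and containment only ever happens on an explicit `block` choice.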
By harnessing the power of McAfee ATD, along with the additional orchestration, automation and response features of DFLabs’ IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective response and reduced risk across the entire organization. With malware continuing to be one of the top cyber attacks, it is critical that security operations have a streamlined process in place in order to be able to detect and respond to such security alerts.
If you would like to see a more in-depth demo of this use case in action, or other use cases within IncMan, please get in touch.
Cyber threat intelligence (CTI) is an advanced process that helps an organization to collect valuable insights into situational and contextual risks that can be chained with the organization’s specific threat landscape, markets, and industrial processes. Having said this, deploying a Threat Intelligence Platform alone is rarely sufficient to address the complexities experienced in today’s Security Operations Center (SOC) environment.
These sources of threat intelligence can be of significant value when assessing organizational vulnerabilities and provide the necessary insight into more than just infection vectors. Threat intelligence provides organizations with the knowledge to effectively correlate data from a number of disparate sources to anticipate attacks before they occur. This directly addresses the three issues most commonly facing responders today: the prioritization of incoming incidents, reducing response time and aggregating data from a number of sources to provide the clearest picture of an incident.
Designing the most appropriate method of integrating threat intelligence into your information security infrastructure has never been easier. Orchestration and automation platforms such as IncMan SOAR from DFLabs have successfully been used to rapidly integrate threat intelligence into the incident response infrastructure, including Structured Threat Information eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII) and other threat intelligence sources. These repositories are based upon community standards that enable the transportation of cyber threat intelligence between intelligence sources and IT security teams. Further, they strive to facilitate the re-alignment of efforts in proactive IT security that are based on real-time information that exchanges threat information between commercial suppliers, the government, non-profit efforts and industrial partners.
These sources of threat intelligence, once integrated into an incident orchestration platform, can now be leveraged to evaluate risks, assess potential damages and proactively correlate threat vectors. By doing so they can automate the prioritization of incoming incidents based on expert forecasts which will help assess the threat tactics, techniques and procedures (TTPs), and provide the formation of a comprehensive incident response strategy by not only identifying the possible attack vector but possible actors as well.
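As an added illustration of the prioritization described above (not IncMan code): indicators from a constructed STIX 2.1 bundle are matched against constructed SIEM alerts, so that a low-severity alert touching known-bad infrastructure outranks an unmatched high-severity one. The scoring formula, the default confidence of 50 and the alert layout are assumptions, and only single-comparison `:value` patterns are parsed.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle; ids are shortened placeholders, addresses are documentation ranges.
BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--example", "objects": [
 {"type": "indicator", "id": "indicator--1", "pattern_type": "stix", "confidence": 85,
  "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2024-01-01T00:00:00Z"},
 {"type": "indicator", "id": "indicator--2", "pattern_type": "stix", "confidence": 60,
  "pattern": "[domain-name:value = 'bad.example']", "valid_from": "2024-01-01T00:00:00Z",
  "valid_until": "2024-03-01T00:00:00Z"},
 {"type": "indicator", "id": "indicator--3", "pattern_type": "stix", "confidence": 90,
  "pattern": "[ipv4-addr:value = '203.0.113.9']", "valid_from": "2024-01-01T00:00:00Z",
  "revoked": true}
]}""")

ALERTS = [  # constructed SIEM alerts; siem_severity runs 1 (low) to 5 (critical)
    {"id": "A1", "siem_severity": 4, "observables": [("ipv4-addr", "192.0.2.44")]},
    {"id": "A2", "siem_severity": 1, "observables": [("ipv4-addr", "198.51.100.7")]},
    {"id": "A3", "siem_severity": 2, "observables": [("domain-name", "bad.example"),
                                                     ("ipv4-addr", "203.0.113.9")]},
]

# Only single "type:value = '...'" comparisons are handled; compound STIX patterns are skipped.
SIMPLE = re.compile(r"^\[\s*([a-z0-9-]+):value\s*=\s*'([^']*)'\s*\]$")

def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def active_indicators(bundle, now):
    """Map (object type, value) -> confidence for indicators valid at `now`."""
    intel = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked") or _ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue                      # expired intelligence must not raise priority
        m = SIMPLE.match(obj["pattern"])
        if m:
            key = (m.group(1), m.group(2).lower())
            intel[key] = max(intel.get(key, 0), obj.get("confidence", 50))  # 50: assumed default
    return intel

def prioritize(alerts, intel):
    """Rank alerts; the scoring formula is an illustrative assumption."""
    ranked = []
    for alert in alerts:
        hits = [(t, v) for t, v in alert["observables"] if (t, v.lower()) in intel]
        boost = max((intel[(t, v.lower())] for t, v in hits), default=0)
        ranked.append((alert["siem_severity"] * 10 + boost, alert["id"], hits))
    return sorted(ranked, key=lambda r: r[0], reverse=True)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the result is reproducible
if __name__ == "__main__":
    for score, alert_id, hits in prioritize(ALERTS, active_indicators(BUNDLE, NOW)):
        print(alert_id, score, hits)
```

Alert A3 stays at the bottom even though both of its observables appear in the feed, because one indicator has expired and the other is revoked.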
Today’s cybercrime environment involves tactics and techniques that can wreak havoc within our networks in a very brief period of time. These threats have a far reach irrespective of industry or infrastructure classification. Given this speed, it is imperative that we implement a comprehensive threat intelligence program that leverages a centralized orchestration and response platform and permits organizations to aggressively address the constantly changing threat landscapes as a combined effort.