TMCnet News

Software Platform Integrates and Automates Incident Response Operations [Signal]
[April 24, 2014]

Technology Helps Find Real Threats in a Sea of Alerts To Avoid Being Next "Target"

The tremendous growth of digital information is stressing the resources of security personnel in both government and industry as they assess and address vulnerabilities. In addition to having more data to analyze, analysts face a constantly growing threat landscape.

Keeping track of this tsunami of data is an ongoing challenge that will only become worse with time, explains Lucas Zaichkowsky, Enterprise Defense Architect with AccessData. Because of these trends, security operations personnel must be able to filter usable information out of a sea of raw data, which can be especially difficult. "Security analysts are inundated with similar-looking data and alerts, and they're drowning," he says.

Security analysts spend most of their time responding to alerts. To investigate each alert, analysts manually juggle a variety of point products. One of the major drawbacks to this piecemeal approach is that most of these tools do not interoperate with each other. "They've got this hodgepodge of disparate point products, and they don't talk to each other," he says. Analysts don't have the time to respond appropriately, because they receive hundreds of alerts each day, Zaichkowsky shares. This is a familiar scenario, particularly in the wake of the recent Target breach, where it was found that alerts triggered during the intrusion weren't investigated.


Because many of these tools cannot interoperate, analysts are left with a fragmented picture of what is happening within their enterprise. Analysts need to rely on their personal expertise to pick up on the right trends and threats from these different information sources, Zaichkowsky says.

"Analysts aren't going to effectively handle every alert by manually moving from point product to point product. It isn't going to scale, especially as incidents increase in frequency," he explains. Additionally, it is hard to know immediately if a detected threat is a minor nuisance or if it is a hacker attempting to steal sensitive data. When analysts lack context on the severity or the type of threat, they do not know which incidents they should spend valuable time investigating.

Putting all of the various data inputs and capabilities together to create a single picture is one goal of AccessData's InSight Platform. The platform merges threat detection, analysis and remediation capabilities into a single product. It also integrates with existing security products so that their alerts feed directly into the detection-to-remediation loop rather than stopping at a notification.

"InSight Platform is an integration of our leading Forensic Toolkit® (FTK®), network forensics, malware analysis, incident response, and e-discovery technologies. It provides holistic threat detection, visibility, and analysis of both endpoint and network activity, all within a single interface," says Zaichkowsky.

This integrated platform allows Security Operations, Network Security, Forensics, Information Technology, Legal, and other teams to collaborate on an event in real time. In addition, many of the steps analysts take can be automated so that action is taken as soon as an alert is triggered, Zaichkowsky explains.

Automation is important because the majority of detection and remediation work is still done manually, Zaichkowsky says. For example, one client had a 30-minute window between an alert and the isolation of the affected computer, which is considered impressive, he said. From that point, the work involved manually obtaining and analyzing forensic data. Zaichkowsky explains that many companies and agencies take days or weeks to respond to and analyze a network intrusion, noting that in 60 percent of breaches data is exfiltrated within the first 24 hours.

Completing the loop by revoking attacker access, cleaning any suspect files from the network and handing it back to the users took this client up to 12 hours from the incident's initial detection. "That's a lot of analyst time spent doing routine tasks manually, and it also means the user has been away from the desk, unable to do anything for a full workday," Zaichkowsky says.

Other organizations may have different processes, but detection and remediation still require a lot of steps and manual work, Zaichkowsky explains. He notes the time needed to analyze, evaluate and respond to cyber threats needs to be much faster, especially when it comes to targeted breaches. "The way things are done today, it's taking analysts months to discover sophisticated hacker intrusions, and once they do, it's taking them just as long to investigate because attackers had all that time to move throughout the network," he says.

By comparison, when the InSight Platform detects an incident or receives an alert from an integrated product, it takes action immediately. This enables what AccessData calls "continuous, automated incident resolution." A common first step is to automatically isolate the affected endpoint, which the InSight Platform does within seconds. That speed sharply limits the damage an attacker can do, Zaichkowsky says. With many of the daily incident response and analysis functions automated, an organization's security personnel can focus on the incidents that matter most and become more proactive, hunting for threats that have not yet been identified.

One example of maximizing the value of existing security products is the InSight Platform's ability to automatically confirm network alerts by verifying attacker activity at the endpoint. This adds context and useful information to the alert, and by going to the endpoint it can directly confirm that an incident really did happen, Zaichkowsky explains. While many next-generation network security products detect threats delivered over the Internet, they cannot drill down to individual machines to determine whether an attack actually succeeded, Zaichkowsky says. InSight interfaces with these products by receiving the specifics of the identified threat, verifying its presence on the endpoint, analyzing the incident to understand what happened, and carrying it through to remediation, he adds.

The platform's automated capabilities include malware triage and analysis, which provides behavior and intent information in seconds and also enables proactive signature-less malware hunting. As suspicious programs are detected, the InSight Platform analyzes them immediately to deliver actionable intelligence without the typically time-consuming step of running the code in a sandbox. "You could literally say, 'Pull me a list of .exe files from a system,' and it will analyze them in real time as it identifies them. The final piece is getting the system back up and running for the user," he says.

In one particular case, a customer used the platform to make compromised machines reboot and reimage themselves once automated analysis was complete. Doing this took the total response time down to two and a half hours and gave the organization all the data and context necessary to understand the incident, Zaichkowsky says.

While many organizations want to perform big data analytics such as hunting for anomalies and other nascent threats on their networks, they are often so bogged down in the noise of incoming alerts that they don't have the time, Zaichkowsky says. With the InSight Platform automating the bulk of their workload, analysts will have time to use it to view enterprisewide datasets, such as a list of running processes on every system on the network. "It will then automatically filter out known good binaries, rank by threat score and sort by frequency of occurrence to identify suspicious outliers," he says.
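The stacking workflow described above (filter out known-good binaries, rank by threat score, sort by frequency of occurrence) is a general threat-hunting technique, so here it is as an added example in Python. This is not AccessData's code: the process inventory, the hash allowlist, and the additive scoring heuristic (untrusted location, system-name masquerade, user-writable directory, rarity across the fleet) are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed fleet inventory of running processes: (host, image path, sha256).
# Hashes are short placeholders standing in for real SHA-256 digests.
INVENTORY = [
    ("ws01", "C:\\Windows\\System32\\svchost.exe", "a1"),
    ("ws02", "C:\\Windows\\System32\\svchost.exe", "a1"),
    ("ws03", "C:\\Windows\\System32\\svchost.exe", "a1"),
    ("ws04", "C:\\Windows\\System32\\svchost.exe", "a1"),
    ("ws01", "C:\\Windows\\explorer.exe", "b2"),
    ("ws02", "C:\\Windows\\explorer.exe", "b2"),
    ("ws03", "C:\\Windows\\explorer.exe", "b2"),
    ("ws04", "C:\\Windows\\explorer.exe", "b2"),
    ("ws01", "C:\\Program Files\\Acme\\agent.exe", "c3"),
    ("ws02", "C:\\Program Files\\Acme\\agent.exe", "c3"),
    ("ws03", "C:\\Program Files\\Acme\\agent.exe", "c3"),
    # A binary masquerading as svchost.exe from a user temp directory, on one host only.
    ("ws03", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe", "d4"),
    ("ws04", "C:\\Users\\jdoe\\AppData\\Roaming\\update.exe", "e5"),
]

# Assumed allowlist: hashes taken from the gold image / software inventory.
KNOWN_GOOD = {"a1", "b2", "c3"}

# Heuristic inputs (assumptions for this example, not any vendor's scoring model).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\")


def threat_score(path, prevalence, fleet_size):
    """Additive score: untrusted location, system-name masquerade,
    user-writable directory, and rarity across the fleet."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    score = 0
    if not low.startswith(TRUSTED_DIRS):
        score += 2
    if name in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        score += 3  # a system binary name running outside the Windows directory
    if any(d in low for d in USER_WRITABLE):
        score += 1
    if prevalence / fleet_size <= 0.25:
        score += 1  # seen on a quarter of the fleet or fewer
    return score


def stack_processes(inventory, known_good):
    """Drop allowlisted hashes, aggregate the rest by hash across hosts, and
    return rows ranked by threat score (descending) then prevalence (ascending)."""
    fleet_size = len({host for host, _, _ in inventory})
    by_hash = defaultdict(lambda: {"hosts": set(), "paths": set()})
    for host, path, sha in inventory:
        if sha in known_good:
            continue
        by_hash[sha]["hosts"].add(host)
        by_hash[sha]["paths"].add(path)
    rows = []
    for sha, info in by_hash.items():
        prevalence = len(info["hosts"])
        path = min(info["paths"])  # one representative path for display/scoring
        rows.append({
            "sha256": sha,
            "path": path,
            "hosts": prevalence,
            "score": threat_score(path, prevalence, fleet_size),
        })
    rows.sort(key=lambda r: (-r["score"], r["hosts"], r["sha256"]))
    return rows


if __name__ == "__main__":
    fleet = len({h for h, _, _ in INVENTORY})
    for row in stack_processes(INVENTORY, KNOWN_GOOD):
        print(f'{row["score"]:>2}  {row["hosts"]}/{fleet}  {row["sha256"]}  {row["path"]}')
```

On the constructed inventory the three allowlisted hashes disappear, the temp-directory `svchost.exe` on a single host rises to the top, and the lone `update.exe` in a roaming profile comes second. The allowlist is what makes this scale: without it, the legitimately rare binaries (a developer's toolchain, a one-off admin utility) would crowd the top of the list.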

The software also can observe and record the use of removable media devices either on- or off-network to guard against data leakage. It can record and preserve copies of files being saved onto and copied from thumb drives and disks, he says. This helps monitor for insider threats and for malware designed to spread via these drives, he adds.

The ability to consume and make use of threat intelligence is also managed by the platform. Zaichkowsky notes that the platform integrates with and supports a variety of threat intelligence sources and formats, importing all threat intelligence and indicators of compromise documents into a common library.

As threat intelligence comes in, the InSight Platform weaponizes it by making it actionable at both the endpoint and the network. This is yet another way in which the InSight Platform enables continuous, automated incident resolution, Zaichkowsky says.

Because the InSight Platform is able to monitor network and endpoint activity, any events that match up against the threat intelligence data will trigger an automatic alert to information security staff, Zaichkowsky says. Furthermore, the platform can be set to automatically respond when these threats are detected.
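Two of the behaviours described above, confirming a network alert by checking for matching activity on the endpoint (the earlier passage on next-generation network products) and matching events against an imported indicator library to trigger an automatic response (the passage just above), can be shown together in one small triage loop. The Python below is an added example, not AccessData's code; the two indicator feeds, the telemetry, the severity mapping for the JSON feed's numeric score, and the response policy (isolate only on confirmed high-severity hits) are all constructed assumptions.

```python
import json

# Constructed indicator documents in two source formats. Values are placeholders
# (documentation ranges / made-up hashes), not real indicators.
FEED_CSV = """type,value,severity
sha256,deadbeef00,high
domain,update-cdn.example,high
ipv4,203.0.113.7,medium
"""
FEED_JSON = json.dumps({"indicators": [
    {"kind": "domain", "pattern": "login-portal.example", "score": 90},
    {"kind": "sha256", "pattern": "cafebabe11", "score": 60},
]})

# Constructed telemetry. Network events come from a perimeter sensor; endpoint
# events come from an agent that records the process behind each connection.
NETWORK_EVENTS = [
    {"host": "ws03", "type": "domain", "dst": "update-cdn.example"},
    {"host": "ws04", "type": "domain", "dst": "login-portal.example"},
    {"host": "ws01", "type": "domain", "dst": "files.example"},
]
ENDPOINT_EVENTS = [
    {"host": "ws03", "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe",
     "sha256": "deadbeef00", "dst": "update-cdn.example"},
    {"host": "ws04", "path": "C:\\Program Files\\Browser\\browser.exe",
     "sha256": "0011", "dst": None},
    {"host": "ws02", "path": "C:\\Users\\asmith\\Downloads\\tool.exe",
     "sha256": "cafebabe11", "dst": None},
]


def load_library(csv_text, json_text):
    """Normalize both feeds into one library keyed by (type, value)."""
    library = {}
    for line in csv_text.strip().splitlines()[1:]:
        ioc_type, value, severity = line.split(",")
        library[(ioc_type, value.lower())] = severity
    for ind in json.loads(json_text)["indicators"]:
        severity = "high" if ind["score"] >= 80 else "medium"  # assumed mapping
        library[(ind["kind"], ind["pattern"].lower())] = severity
    return library


def match_network(library, events):
    """Raise an unconfirmed alert for each network event hitting the library."""
    alerts = []
    for ev in events:
        severity = library.get((ev["type"], ev["dst"].lower()))
        if severity:
            alerts.append({"host": ev["host"], "source": "network",
                           "indicator": ev["dst"], "severity": severity,
                           "confirmed": False, "evidence": None})
    return alerts


def match_endpoint(library, events):
    """A hash hit on the endpoint is direct evidence, so it starts confirmed."""
    alerts = []
    for ev in events:
        severity = library.get(("sha256", ev["sha256"].lower()))
        if severity:
            alerts.append({"host": ev["host"], "source": "endpoint",
                           "indicator": ev["sha256"], "severity": severity,
                           "confirmed": True, "evidence": ev["path"]})
    return alerts


def confirm_at_endpoint(alert, endpoint_events):
    """A network alert is confirmed only when a process on the same host is
    recorded talking to the flagged destination; otherwise it stays unconfirmed."""
    for ev in endpoint_events:
        if (ev["host"] == alert["host"] and ev["dst"]
                and ev["dst"].lower() == alert["indicator"].lower()):
            alert["confirmed"] = True
            alert["evidence"] = ev["path"]
            break
    return alert


def plan_response(alert):
    """Automated action policy: isolate only on confirmed, high-severity hits."""
    if alert["confirmed"] and alert["severity"] == "high":
        return "isolate_endpoint"
    if alert["confirmed"]:
        return "collect_forensics"
    return "notify_analyst"


def triage(library, network_events, endpoint_events):
    alerts = [confirm_at_endpoint(a, endpoint_events)
              for a in match_network(library, network_events)]
    alerts += match_endpoint(library, endpoint_events)
    return [(a["host"], a["source"], a["severity"], plan_response(a)) for a in alerts]


if __name__ == "__main__":
    lib = load_library(FEED_CSV, FEED_JSON)
    for row in triage(lib, NETWORK_EVENTS, ENDPOINT_EVENTS):
        print(row)
```

The point of the endpoint check is the ws04 case: the sensor saw a connection to a listed domain, but no process on that host is recorded talking to it, so the alert goes to an analyst instead of triggering isolation. ws03, where the temp-directory binary both carries a listed hash and reached the listed domain, is isolated automatically.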

While making sense of the high volume of alerts, automating incident response, and weaponizing threat intelligence are three critical needs this platform addresses, the all-in-one nature of the InSight Platform has broader value to an organization. Because all of a company's or agency's cyber teams can access the same platform, it reduces redundancy. "Instead of maintaining three different databases and three different points of view of what's going on in an enterprise, which is essentially what these three different use cases require, have it once, and then provide front-end interfaces that support the workflows needed for cybersecurity, forensics, and e-discovery," Zaichkowsky says. By eliminating point-product fatigue, simplifying the infrastructure, and closing the gap between incident detection and remediation, the InSight Platform could prove to be a game changer, he adds.

AccessData Group makes the world's most advanced and intuitive incident resolution solutions, delivering real-time detection, analysis and remediation. AccessData technology addresses cyber threats, insider threats, mobile and BYOD risk, GRC issues and e-discovery. Over 130,000 users in corporations, law enforcement, government agencies and law firms worldwide rely on AccessData software.

http://www.accessdata.com/insight-platform/ (c) 2014 Armed Forces Communications and Electronics Association