Cyber threat forensic analysis isn’t complicated.
Assuming you have the right solution in place.
Organizations are under intense pressure to do all they can to secure themselves. Yet, until now, their approach to cyber security has been faulty. This is not necessarily their fault – the industry has been lacking proper solutions, which leads to inadequate practices – and the situation has been made worse by some vendors’ attempts to market the use of the wrong tools to get the job done.
The standard approach has been to install best-of-breed security infrastructure such as next-generation firewalls, SIEMs (e.g., Splunk), Intrusion Detection Systems (e.g., Bro and Snort), UEBA, and other solutions – all with the goal of complete threat detection. However, what was quickly discovered is that this approach caused problems that organizations weren’t prepared for:
1. All these separate tools are an operational nightmare to run and keep updated.
2. They aren’t fast enough, especially when it comes to meeting new compliance requirements.
3. They focus on metadata – not the actual data conversations needed to provide accurate and complete incident response.
Tools like SIEMs are complex and require constant rule updates. In our opinion, anything that is too complicated for security teams to use will never achieve widespread success in solving challenging and evolving threats. Unless we’re talking about an organization with a limitless budget!
Compliance rules from some U.S. states and the EU now give just a few short days to notify authorities if PII has been exposed or compromised, and if so, what data. Most breaches take weeks to months to get to the bottom of with today’s tools.
In addition, incident response teams realize that it is impossible to run effective forensics solely against metadata from these tools. After all, this is essentially what is being provided via alert logs from all these devices.
So what’s the answer? We believe the answer is in the data and that you need a better way to capture (and record) complete data conversations involving critical assets that process critical data. This way, a breach involving critical data can be completely investigated – scoped down to what files were accessed, when, and by whom. This information can provide complete evidence for compliance and prosecution as well as the visibility to know what specific data has been exposed.
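To illustrate the gap the post is describing, here is an added example (our own, not the vendor's product code) that contrasts what flow metadata for a file-server session can answer with what a recorded application conversation can answer. The flow records, the captured HTTP requests and the `X-Authenticated-User` header (assumed to be stamped by an authenticating proxy) are all constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class AccessEvent:
    when: str
    client: str
    user: str
    method: str
    path: str
    status: int

# Constructed flow records, the kind of metadata a firewall or NetFlow export provides:
# (timestamp, client, server, destination port, bytes). No user, no file name.
FLOWS = [("2024-03-01T10:00:03Z", "10.0.0.25", "10.0.1.5", 443, 1830),
         ("2024-03-01T10:00:09Z", "10.0.0.25", "10.0.1.5", 443, 912),
         ("2024-03-01T10:01:30Z", "10.0.0.31", "10.0.1.5", 443, 4110)]

# Constructed full-content capture of the same three sessions, decrypted at the server:
# (timestamp, client, raw HTTP request, response status line).
CAPTURE = [
    ("2024-03-01T10:00:03Z", "10.0.0.25",
     b"GET /records/patients_2023.csv HTTP/1.1\r\nHost: files.corp.internal\r\nX-Authenticated-User: jdoe\r\n\r\n",
     b"HTTP/1.1 200 OK"),
    ("2024-03-01T10:00:09Z", "10.0.0.25",
     b"GET /records/payroll.xlsx HTTP/1.1\r\nHost: files.corp.internal\r\nX-Authenticated-User: jdoe\r\n\r\n",
     b"HTTP/1.1 403 Forbidden"),
    ("2024-03-01T10:01:30Z", "10.0.0.31",
     b"GET /public/logo.png HTTP/1.1\r\nHost: files.corp.internal\r\n\r\n",
     b"HTTP/1.1 200 OK"),
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def scope_from_flows(flows, server):
    """All the metadata can tell you: which clients talked to the server, and when."""
    return sorted({(f[0], f[1]) for f in flows if f[2] == server})

def parse_event(when, client, request, response):
    """Turn one recorded conversation into a who/what/when access record."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    status = int(response.split(b" ", 2)[1])
    user = headers.get(b"x-authenticated-user", b"<unauthenticated>").decode()
    return AccessEvent(when, client, user, m.group(1).decode(), m.group(2).decode(), status)

def scope_breach(capture, sensitive_prefix):
    """Only successful reads of sensitive paths: the evidence a notification deadline needs."""
    events = [parse_event(*c) for c in capture]
    return [e for e in events if e.path.startswith(sensitive_prefix) and e.status == 200]
```

Run against the constructed data, the flow view reports three sessions to the file server and nothing more, while the conversation view narrows the exposure to one file, one user and one timestamp, and shows the second sensitive request was refused.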
Sounds hard. It was. But in the words of John F. Kennedy, “We don’t do these things because they are easy – but because they are hard” (and necessary). If done right they are very effective, very quick, and easy for security teams to use.
If you have responsibility for Investigative Response, and need a better solution that costs less than you’re spending now, you should start your research here.