Accelerating Detection and Response
Finding IT breaches via well-integrated solutions
- By Jason Mical
- Dec 01, 2013
Last spring, in late March, regional grocer Schnucks Markets reported that the credit card data of more than 2 million customers was stolen by cybercriminals. The company wasn’t made aware of the breach until mid-March; it took nearly two weeks to find the problem and another 36 hours to contain it. Even more disconcerting, the attacks had begun in December, several months before they were discovered.
Schnucks isn’t the only company to have suffered at the hands of cyber attackers. Hundreds of thousands of security incidents were reported in 2012, with hundreds of confirmed data breaches. Businesses know that when it comes to protecting the networks and systems that run operations, nothing is more important than detecting and stopping an attack before any damage is done. In fact, worldwide spending on security infrastructure is expected to rise to $86 billion by 2016, according to market research firm Gartner.
Despite the awareness of and apparent commitment to funding protective measures, rapid cybersecurity detection and response doesn’t often happen. Unfortunately, most organizations find out about security breaches after the fact, and often are not the ones who discover them.
Central to this problem is that cybersecurity solutions capable of quickly identifying, responding to and stopping breaches require a variety of IT security and management tools and disciplines that are automated, tightly integrated and, ideally, managed from a central command. However, few companies have the time or expertise required to implement and run such a well-integrated, comprehensive cybersecurity program.
Rising Attacks, Multiple Challenges
Despite the challenges, building and running an effective cybersecurity program should be at the top of every organization’s agenda as corporate data theft, hacking and malware attacks continue to rise.
The 2013 Data Breach Investigations Report (DBIR), conducted by the Verizon RISK Team with cooperation from 18 organizations that contributed data and analysis, including the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute, the U.S. Secret Service, the European Cyber Crime Center (EC3) and numerous cybercrime agencies around the world, analyzed more than 47,000 reported security incidents and 621 confirmed data breaches from the past year. The study found that 92 percent of the breaches were attributed to external agents (sources outside of an organization and its network of partners). The DBIR data set, which goes back to 2004, indicates that external attacks have been on the rise while those from internal sources have dropped considerably in recent years. Of all the confirmed breaches in 2012:
- 52 percent were the result of hacking;
- 40 percent incorporated malware;
- 35 percent involved physical attacks;
- 29 percent leveraged social tactics; and
- 76 percent of network intrusions exploited weak or stolen credentials.
The response to these statistics should be an effective cybersecurity program; however, such programs face several challenges:
Incident response times. Of the organizations analyzed in the DBIR, 66 percent took months or more to discover the breaches. This response time is too slow, and the problem is getting worse.
Breach discovery. Sixty-nine percent of the breaches were discovered by a third party, according to the report, and even more shocking, 9 percent were found by customers. The DBIR also found that more than half of the breaches identified internally were spotted by end users rather than IT teams.
Lack of an incident response plan. This is likely one reason for such dismal discovery and action. According to the Global State of Information Security Survey 2013, a worldwide study by PwC and CIO and CSO magazines, only 27.2 percent of the business and technology executives surveyed said that their organizations have an incident response process for reporting and handling breaches that involve third parties handling their data.
“There has been a long-term decline in the use of some basic information security detection technologies,” according to this study. The 2013 Global State of Information Security Survey reported that:
- 71 percent of respondents said their firms used malicious code detection tools in 2012, down from the 83 percent who reported using those tools in 2011;
- less than half (46 percent) reported using vulnerability scanning tools, down from 59 percent the year prior;
- only 39 percent used data loss prevention tools, down from 48 percent in 2011; and
- only 36 percent used security event correlation tools, down from 47 percent in 2011.
Vulnerability scanning, data loss prevention and event correlation tools are vital components of an effective cybersecurity program, and the apparent drops in their use affect how prepared an organization is to respond to an attack or to proactively prevent one.
Complex cybersecurity initiatives. IT security professionals continue to grapple with the ever-increasing complexity of their cybersecurity initiatives, many of which are riddled with security tools that lack visibility, integration, automation and collaboration. Used by different teams within IT, these tools are complex to manage, lead to slow response times, cause security oversights, and require varying skill sets, lengthy custom development and multiple screens and command centers.
InformationWeek’s 2012 Strategic Security Survey found that managing the complexity of security was the biggest IT security challenge facing companies today. The survey attributes this to the high volume of threats, the number of technologies in use and the policies that need to be enforced.
A Well-Integrated, Fully-Stocked Central Command
Organizations need solutions that deliver automated, integrated systems for identifying and defending against hacks, malware, targeted attacks, advanced persistent threats (APTs) and other malicious activity, initiating responses before any damage is done, all from a single user interface. These solutions need to guide analysis and audits, and strengthen the institutional knowledge and intelligence about cybersecurity.
In other words, organizations need well-integrated, fully-stocked central commands to run the enterprise-wide cybersecurity programs that ultimately mitigate risk.
To improve response times and remediation, organizations need automated incident response that can be customized and is holistic enough to include specific tasks such as packet capture and investigation, examination of hard drives and memory (RAM), and malware disassembly, carried out through two-way communication with the affected endpoint. This should be supported by a single platform that presents integrated analysis to get to the bottom of an incident in minutes, while facilitating real-time collaboration among the network security, forensics, malware and information architecture teams. A Security Information and Event Management (SIEM) platform and a comprehensive Incident Response (IR) platform together provide both endpoint threat detection and rapid response.
SIEM solutions are available from a variety of IT providers and are designed to centralize the storage and analysis of events generated by other software on the network, such as anti-virus software. SIEMs can provide advanced reporting tools and in-depth event analysis through flexible and extensible integration with those event sources.
The best SIEMs should enable:
- the capture of any data from any device, system or application using a simple “drag-and-drop” framework;
- the synchronization of user, role and entitlement information from corporate directories, so that unauthorized user activity, shared account usage and role policy violations can be found; and
- interfacing with IT management frameworks.
Advanced SIEM solutions, tightly integrated with a variety of security tools that collect and manage their own events, are what provide the central command. Without it, it is difficult, in some cases nearly impossible, and time-consuming to follow, detect, analyze and correlate events culled from multiple systems.
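The three directory-driven checks above (unauthorized user activity, shared account usage, role policy violations) are what a SIEM actually does once it has the directory data. The following is an added example, not code from the article or from any SIEM vendor: a small Python correlation pass over constructed syslog-style events joined against a constructed directory export. The account names, hosts, roles, entitlements and the five-minute sharing window are all assumptions made for the demonstration.

```python
"""
Added example (not from the article or any product): correlate a small set
of constructed events against constructed directory data to surface
unauthorized accounts, role policy violations and shared-account usage.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory export: account -> role and enabled flag.
DIRECTORY = {
    "alice": {"role": "dba", "enabled": True},
    "bob": {"role": "helpdesk", "enabled": True},
    "svc_backup": {"role": "service", "enabled": True},
    "carol": {"role": "dba", "enabled": False},   # disabled in the directory
}
# Constructed entitlements: role -> actions the role may perform.
ENTITLEMENTS = {
    "dba": {"db.query", "db.export"},
    "helpdesk": {"ticket.view", "pw.reset"},
    "service": {"db.export"},
}

# Constructed event log, one "timestamp user src_host action" per line.
EVENTS = """\
2013-03-01T09:00:05 alice ws-101 db.query
2013-03-01T09:00:40 bob ws-222 ticket.view
2013-03-01T09:01:10 svc_backup srv-db1 db.export
2013-03-01T09:02:00 svc_backup ws-222 db.export
2013-03-01T09:03:00 bob ws-222 db.export
2013-03-01T09:04:30 carol ws-310 db.query
2013-03-01T09:05:00 mallory ws-310 db.query
"""


def parse_events(text):
    """Turn the whitespace-separated log lines into dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        ts, user, host, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action})
    return events


def detect_unauthorized_users(events, directory):
    """Activity by accounts that are unknown to, or disabled in, the directory."""
    alerts = []
    for e in events:
        entry = directory.get(e["user"])
        if entry is None:
            alerts.append(("unknown_account", e["user"], e["host"]))
        elif not entry["enabled"]:
            alerts.append(("disabled_account", e["user"], e["host"]))
    return alerts


def detect_role_violations(events, directory, entitlements):
    """Actions the account's directory role is not entitled to perform."""
    alerts = []
    for e in events:
        entry = directory.get(e["user"])
        if entry is None:
            continue  # unknown accounts are reported by detect_unauthorized_users
        allowed = entitlements.get(entry["role"], set())
        if e["action"] not in allowed:
            alerts.append(("role_violation", e["user"], e["action"]))
    return alerts


def detect_shared_accounts(events, window=timedelta(minutes=5)):
    """One account active from more than one source host inside `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, cur in enumerate(evs):
            for prev in evs[:i]:
                if cur["ts"] - prev["ts"] <= window and cur["host"] != prev["host"]:
                    alerts.append(("shared_account", user, (prev["host"], cur["host"])))
                    break
    return alerts


def correlate(text, directory=DIRECTORY, entitlements=ENTITLEMENTS):
    """Run all three checks over a log text and return the combined alert list."""
    events = parse_events(text)
    return (detect_unauthorized_users(events, directory)
            + detect_role_violations(events, directory, entitlements)
            + detect_shared_accounts(events))


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed log this raises four alerts: mallory is not in the directory, carol's account is disabled, bob (helpdesk) ran a db.export his role does not permit, and svc_backup was used from srv-db1 and then ws-222 within a minute. The shared-account check is a heuristic: users roaming between a wired desk and Wi-Fi, or hosts behind a NAT that rewrites source addresses, will trip it, so the window and the host field need tuning against a real environment before the alert is treated as high fidelity.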
Prepare for Cyber Combat
The DBIR recommends that cybersecurity initiatives focus on better and faster detection through a blend of people, processes and technology, without compromising prevention. The report also says that organizations need to collect, analyze and share incident data, tactical threat intelligence and indicators of compromise so they can build more effective security programs. Organizations should regularly measure the number of compromised systems at any given time and the mean time it takes to detect incidents, to better understand their state of security and to refine security practices.
Event monitoring and analysis can be done across the enterprise and on a variety of devices, servers, databases and just about any data type, including email. Events are discovered from a central console, and response and analysis can also be done from the same central command without having to switch back and forth between tools. Data spillage can be actively monitored, and automated responses can be configured using templates or easy-to-use customization. Ultimately, a well-integrated, fully-stocked solution will enable organizations to effectively manage and analyze millions of events and block trouble before it impacts their IT operations, service, customers, brand and company.
Businesses have to be prepared, and putting up defenses requires due diligence and combining a best-of-class SIEM with best-of-class security tools into a tightly integrated security solution with a single user interface. This will go a long way in helping organizations fight back.
This article originally appeared in the December 2013 issue of Security Today.