The Seven Deadly Sins of Incident Response

By Brandon Tansey, Security Research Engineer, Lancope

The seemingly endless barrage of attacks on government and enterprise networks has made it
clear that organizations need to be much more proactive when it comes to security.

Deploying perimeter defenses like firewalls and antivirus, and expecting them to keep attackers
off your network, has become just plain foolish in light of today’s increasingly complex threat
landscape.

Today it is not a matter of if, but when you will be attacked. Security success is no longer just
about keeping threats out of your network, but instead about how quickly you can respond and
thwart an attack when it happens.


Despite this scenario, many organizations still haven’t gotten it quite right when it comes to
incident response. Here are “7 Deadly Sins” that Lancope often sees companies committing
when attempting to build an incident response function.

1. Not understanding your environment due to a lack of visibility. As the saying goes,
you can’t protect what you can’t see. Setting up an incident response plan without
adequate network visibility is a fairly useless exercise. How can you determine whether
a specific communication is suspicious or not when you aren’t aware that it happened?

And when a breach happens, how will you be able to pinpoint where and how it occurred
if you don’t know what traffic is moving throughout your environment?

For many companies, incident response consists of identifying the machine that first
drew attention and taking it offline. But that’s simply not enough. If you have the right
level of network visibility, you can determine whether or not ‘patient zero’ also infected
others before it was disconnected.

Especially when targeted attacks are a concern, the type of visibility needed to discover
lateral movement is practically required to stop the spread of an infection before it leads
to a data breach.

Obtaining high levels of network visibility, both internal and external, is a challenge –
especially in large organizations subject to mergers and acquisitions. Disruptive
technology trends like cloud computing and mobility are also eroding visibility. However,
technologies such as NetFlow, web proxies and firewalls can provide the visibility needed
if they are used in the right way.

In order to be effective, the data from these technologies needs to be not only logged,
but also collected, analyzed and stored long term to provide audit trails and allow for the
development of actionable intelligence.
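As an added illustration of the point above (this is example code written for this page, not Lancope’s or the author’s), the following Python script shows what “analyzing collected flow data” looks like in practice: given a set of NetFlow-style records and the host that first drew attention, it walks outbound internal connections on administrative ports after the compromise time to see whether ‘patient zero’ reached other hosts, and whether those hosts reached further. The flow records, the internal address ranges and the list of ports treated as lateral-movement candidates are all constructed assumptions for the example; a real deployment would read exported flows from a collector and use the site’s own address plan.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption for this example: internal address space is RFC 1918 only.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Assumption: destination ports that commonly carry remote administration
# (SSH, RPC, NetBIOS, SMB, RDP, WinRM). Tune to the environment's own services.
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}

# Constructed sample flow records (start time, source, destination, dst port, bytes).
SAMPLE_FLOWS = [
    ("2015-07-01T09:00:00", "10.1.1.20", "203.0.113.8", 443, 1200),   # patient zero -> external
    ("2015-07-01T09:05:00", "10.1.1.20", "10.1.1.45", 445, 9000),     # patient zero -> peer over SMB
    ("2015-07-01T09:06:00", "10.1.1.20", "10.1.1.46", 445, 8500),     # patient zero -> second peer
    ("2015-07-01T09:20:00", "10.1.1.45", "10.1.2.10", 3389, 40000),   # peer -> server over RDP
    ("2015-07-01T08:30:00", "10.1.1.20", "10.1.1.99", 445, 300),      # before compromise time: ignored
    ("2015-07-01T09:30:00", "10.1.1.46", "10.1.1.5", 53, 120),        # DNS lookup: not a lateral port
    ("2015-07-01T10:00:00", "10.1.3.7", "10.1.1.20", 445, 500),       # inbound to patient zero: ignored
]


def is_internal(host):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def index_by_source(flows):
    """Group parsed flows by source host so each pivot is a dictionary lookup."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_src[src].append((datetime.fromisoformat(ts), dst, dport, nbytes))
    return by_src


def find_lateral_spread(flows, patient_zero, compromise_time, max_hops=3):
    """Breadth-first walk from patient zero over outbound internal flows.

    Returns {host: {"hop": n, "via": source_host, "first_seen": datetime}}.
    A host only counts as reached if the flow to it started after the source
    host itself was reached, so pre-compromise traffic does not pollute the result.
    """
    start = datetime.fromisoformat(compromise_time)
    by_src = index_by_source(flows)
    reached = {patient_zero: {"hop": 0, "via": None, "first_seen": start}}
    frontier = [patient_zero]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for host in frontier:
            earliest = reached[host]["first_seen"]
            for ts, dst, dport, nbytes in sorted(by_src.get(host, [])):
                if ts < earliest or not is_internal(dst) or dport not in LATERAL_PORTS:
                    continue
                if dst not in reached:
                    reached[dst] = {"hop": hop, "via": host, "first_seen": ts}
                    next_frontier.append(dst)
        frontier = next_frontier
        if not frontier:
            break
    return reached


def contact_timeline(reached):
    """Flatten the result into a time-ordered list for the responder's report."""
    rows = [(info["first_seen"].isoformat(), host, info["hop"], info["via"])
            for host, info in reached.items()]
    return sorted(rows)


if __name__ == "__main__":
    spread = find_lateral_spread(SAMPLE_FLOWS, "10.1.1.20", "2015-07-01T09:00:00")
    for first_seen, host, hop, via in contact_timeline(spread):
        print(f"{first_seen}  hop {hop}  {host}" + (f"  via {via}" if via else "  (patient zero)"))
```

Run on the constructed flows, the walk reports two first-hop peers reached over SMB and a server reached from one of those peers over RDP, while the external beacon, the pre-compromise flow, the DNS lookup and the inbound flow are all left out. The same shape of query is what the long-term flow store described above has to support: the responder needs to ask “who did this host talk to, on which ports, after this time” and repeat the question for every host the answer turns up.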


You will need the right tools and responders to sift through all of the data and find the
needle in the haystack, but it’s well worth the investment. Take advantage of the
38 Cyber Warnings E-Magazine – July 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide