Page 40 - cdm-2014
get through. According to Gartner, enterprise security expenditures are estimated to be $13
billion for gateway-type security products. Yet phishing campaigns bypass most email spam
filters and reputation-based email defenses.


Clearly the human element can be the weakest link in the security chain. A lack of awareness or
a single lapse in judgment is all it takes, and the attacker is in. To that point, Gartner also finds that only one
third of enterprises will spend resources on training that includes social engineering
awareness. If employees are properly educated to spot potential attacks and social engineering
techniques, they can become an organization’s first line of defense.

But education, detection and blocking technologies can’t keep every attack at bay. What’s
needed is a way to more quickly identify and remove threats once they get in. The following five
steps provide a methodical approach to reducing the amount of time an APT lives within an
organization and wreaks havoc.





1. Detect and Identify
2. To Contain or Not to Contain?
3. Remove and Recover
4. Be Proactive
5. Automate Incident Response




1. Detect and Identify

Error messages, suspicious events in logs, poor performance and unusual bandwidth usage
can all indicate a possible event. At the same time, a network system administrator performing
legitimate system maintenance might appear similar to someone launching some form of attack.
Or a misconfiguration might lead to a false positive in an intrusion detection system. Once the IT
security team has validated that, in fact, the organization is faced with a malicious situation and
not ‘noise,’ they need to establish a cross-functional team to oversee all aspects of the response
process. Members of the team will depend on the resources and needs of the organization but
will likely include representatives from management, the security department, IT department,
facilities/physical security, legal, finance, human resources and corporate communications.
During step one only required or affected members should be involved. Not every member will
engage in every step but should be kept informed so that they can take action as needed. Initial
tasks will include:

• Locate “patient zero” if possible, or any device known to be compromised. Without this
information the risk of reinfection is a near certainty.
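The triage described in step one, and the “patient zero” task above, can be illustrated with a small script. This is an added example, not code from the article or from any vendor it discusses: it reads constructed egress log lines, flags hosts whose outbound volume is far above the per-host median (the “unusual bandwidth usage” indicator), suppresses a host covered by an approved maintenance window (the legitimate-administrator false positive the text warns about), and reports the earliest flagged host as the candidate patient zero. The log format, hostnames, addresses, the maintenance window and the 100x threshold are all assumptions made for the example.

```python
"""Step 1 triage over constructed egress log lines (added example, not the article's code)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed egress log lines: "<ISO timestamp> <host> <dest_ip> <bytes_out>".
# Addresses are from documentation ranges; nothing here is a real indicator.
SAMPLE_LOG = """\
2014-03-02T08:01:10 ws-101 198.51.100.7 1200
2014-03-02T08:02:44 ws-102 198.51.100.7 900
2014-03-02T08:05:03 ws-117 203.0.113.9 48000000
2014-03-02T08:09:30 ws-103 198.51.100.7 1500
2014-03-02T08:40:12 admin-01 198.51.100.50 60000000
2014-03-02T09:12:55 ws-121 203.0.113.9 52000000
2014-03-02T09:30:00 ws-104 198.51.100.7 800
2014-03-02T09:31:00 ws-105 198.51.100.7 1100
"""

# Constructed maintenance window: admin-01 ran an approved backup job (change ticket).
MAINTENANCE = {
    "admin-01": (datetime(2014, 3, 2, 8, 30), datetime(2014, 3, 2, 9, 0)),
}


def parse_log(text):
    """Parse lines into (timestamp, host, dest, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than abort the triage
        ts_s, host, dest, nbytes = parts
        try:
            events.append((datetime.fromisoformat(ts_s), host, dest, int(nbytes)))
        except ValueError:
            continue  # bad timestamp or byte count: skip
    return events


def in_maintenance(host, ts):
    """True if an approved maintenance window for host covers ts."""
    window = MAINTENANCE.get(host)
    return window is not None and window[0] <= ts <= window[1]


def flag_outliers(events, factor=100):
    """Return {host: first_seen} for hosts whose total egress exceeds factor x the median.

    Events inside a maintenance window are excluded first, so a scheduled backup
    (legitimate system maintenance) does not show up as an intrusion.
    """
    totals = defaultdict(int)
    first_seen = {}
    for ts, host, _dest, nbytes in events:
        if in_maintenance(host, ts):
            continue
        totals[host] += nbytes
        if host not in first_seen or ts < first_seen[host]:
            first_seen[host] = ts
    if not totals:
        return {}
    baseline = median(totals.values())
    return {h: first_seen[h] for h, total in totals.items() if total > baseline * factor}


def patient_zero(events):
    """(host, first_seen) of the earliest flagged host, or None if nothing is flagged."""
    flagged = flag_outliers(events)
    if not flagged:
        return None
    host = min(flagged, key=flagged.get)
    return host, flagged[host]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("flagged hosts:", {h: t.isoformat() for h, t in flag_outliers(evs).items()})
    print("candidate patient zero:", patient_zero(evs))
```

On the constructed input the script flags ws-117 and ws-121, leaves admin-01 out because its transfer falls inside the maintenance window, and names ws-117 as the candidate patient zero since it was the first to be seen exfiltrating. The median-based baseline is deliberately simple; in a real environment the threshold would come from per-host history, and a flagged host is a lead for the cross-functional team to validate, not a confirmed compromise.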


