This blog was written by Bart Lenaerts-Bergman.
As cyber criminals move faster and more stealthily, taking advantage of new tools provided through an adversarial community, security teams need to be able to respond with equal or greater speed. Every second counts after a cyber attack. Therefore, it is imperative to have a solid plan in place for the actions that take place during the moments immediately following an incident, or what we call the “Security Golden Hour.”
In a recent ESG survey “Tackling Attack Detection and Incident Response” commissioned by McAfee, responders indicated they spend their time on five key tasks. Top of the list included:
1. Determining the impact of the incident
2. Taking action to minimize the attack
3. Analyzing security intelligence
4. Determining which assets remain vulnerable
5. Performing forensic analysis
When asked which initiatives would help boost staff efficiency, three key SIEM capabilities came to the surface: “better detection tools” to find potential malware accurately, followed by “better analysis tools” and “process automation to free up staff”. These findings also form the foundation of the seven key actions McAfee’s Enterprise Security Manager (ESM) provides during the golden hour.
The first group of SIEM actions relates to identifying the threat. What matters here is reducing false positives and bringing potential adversarial activity quickly and accurately in front of the security analyst. McAfee ESM advanced analytics (action #1) provides an overview of who uses valuable infrastructure, and when and where. During this analysis, ESM calculates baselines, brings known and unknown threats to the surface via rule- and risk-based correlation, and leverages enterprise contextual information for better insights. A second action (#2) that ESM supports is the collection and harvesting of threat intelligence. This step helps users identify threats based on the misfortune of others and confirms for the security analyst whether the threat has already been seen somewhere else. A unique third action (#3) from McAfee ESM is correlation that is both real-time and historical. Where most SIEMs only apply threat intelligence going forward, McAfee ESM verifies whether the organization has already been impacted by a known IOC (Indication of Compromise) via the BackTrace feature.
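To make the difference between forward-looking and historical correlation concrete, here is an added toy example (not McAfee ESM code, and not how BackTrace is implemented) that matches a newly received IOC feed against a constructed store of earlier events and reports, per IOC, when it was first seen and which internal hosts were involved. The event layout, IOC feed and all values are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an event store: (timestamp, src_ip, dst_ip, domain).
# These records predate the threat-intelligence feed that names the IOCs.
HISTORICAL_EVENTS = [
    ("2017-03-01T08:12:00", "10.0.0.5", "203.0.113.7", "cdn.example.net"),
    ("2017-03-02T11:40:00", "10.0.0.9", "198.51.100.22", "update-svc.example.org"),
    ("2017-03-05T23:05:00", "10.0.0.5", "198.51.100.22", "login.example.org"),
    ("2017-03-06T09:00:00", "10.0.0.7", "203.0.113.7", "bad-domain.example"),
]

# Constructed IOC feed: value -> type. Domain IOCs are matched case-insensitively.
IOC_FEED = {"198.51.100.22": "ip", "BAD-DOMAIN.example": "domain"}


def _event_values(event):
    """Fields of one event that can be compared against an IOC feed."""
    _, src_ip, dst_ip, domain = event
    return {src_ip, dst_ip, domain.lower()}


def match_event(event, iocs):
    """Forward-looking correlation: the IOCs hit by one incoming event."""
    normalized = {value.lower(): value for value in iocs}
    return sorted(normalized[v] for v in _event_values(event) if v in normalized)


def backtrace(events, iocs):
    """Retrospective correlation: replay stored events against a newly
    received IOC feed. For each IOC that matched, return the earliest sighting
    and the internal hosts involved, so an analyst can tell whether the
    organisation was already affected before the IOC was published."""
    hits = defaultdict(lambda: {"first_seen": None, "hosts": set()})
    for event in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        timestamp, src_ip, *_ = event
        for ioc in match_event(event, iocs):
            entry = hits[ioc]
            if entry["first_seen"] is None:
                entry["first_seen"] = timestamp  # events are time-ordered
            entry["hosts"].add(src_ip)
    return dict(hits)


if __name__ == "__main__":
    for ioc, info in backtrace(HISTORICAL_EVENTS, IOC_FEED).items():
        print(f"{ioc}: first seen {info['first_seen']}, hosts {sorted(info['hosts'])}")
```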
After identification, users need to review, prioritize and decide what to do next. During this second phase, visualization (#4) and isolation (#5) of threat activities are the next key actions a SIEM should provide. Pre-built or custom dashboards, with fast and easy access to data, allow the user to run investigations quickly and reduce the time needed to prioritize the threat. Additionally, Asset Threat Risk dashboards aggregate known external threats, asset vulnerabilities and available countermeasures to help the security analyst pinpoint which enterprise assets are truly at risk.
In the last step, the incident responder acts by eradicating (#6) the adversary and communicating (#7) the required actions to the IT operations teams. These two actions can be taken directly from the console or fully automated to optimize security resources. Via the built-in case management tool, the security operations manager can review open and closed incident response tasks as well as spot recurring incident types for improved automation.
Review examples of known threats, SIEM best practices and the 7 key SIEM actions in a recent Secure World Webinar: https://goto.webcasts.com/starthere.jsp?ei=1056214
Read the ESG study: https://www.mcafee.com/us/resources/reports/rp-esg-tackling-attack-detection-incident-response.pdf