Real Time Threat Response: Why It Is Critical


Real time is now!  Not thirty minutes, not one hour.


Instantaneous availability of information is a critical asset in security monitoring and response.  While a web analytics or BI (Business Intelligence) application can live with historical trends and reporting, security response needs to be trigger sharp. You don’t expect your security guards to wait for a twice-a-day break-in report before taking action, do you? Unfortunately this is what many security applications do. From a security perspective, historical reporting and trend analysis are post-mortem work, beneficial for audit and compliance reporting and for forensic exploration of ‘what went wrong’.


Internet access is critical for most businesses.  In many instances it is a core requirement and a strategic enabler in driving down costs and improving efficiency.  As with electricity or the telephone system, downtime is unacceptable, or is increasingly becoming so.  But unlike the utilities, the potential points of security breach on a computer network are numerous.


This requires something more than just a reporting framework.  Security events, if not attended to immediately, can cripple your network or worse, bring it to a grinding halt.  The response window for threats is constantly shrinking.  Delays are no longer acceptable.  Responses should be trigger sharp.


Real-time monitoring strategies use technology (Firelytics!) to continuously sift through mountains of network activity data, correlating, flagging and rating the potential seriousness of all attacks, compromises and vulnerabilities.  This allows managers to drastically shorten the gap between incident and response.


Security Threat Responsiveness: Not Just Big Iron Configuration

There is a difference between passive optimization of an enterprise network to prevent attacks and implementing processes to respond to breaches in a quick and decisive manner.  The former is what usually gets implemented by security professionals.  This is usually part of the firewall installation contract.  Depending on your needs, a standard set of rules is applied to the firewall at your internet gateway.  These are usually best practices that have evolved over time and are of course essential.


This rules-centric approach, while a good start, is simply that: a start. It needs to be backed up by a robust, defined set of threat response processes to ensure your network stays protected. The right security infrastructure, unsupported by corresponding threat response processes, dilutes your security investment at best.  At worst, it makes your response posture into a joke that malicious attackers will gleefully ride on all the way to the bank.


An excerpt from a netForensics white paper: “Most organizations address security in a fragmented fashion. Point solutions, such as firewalls, public key infrastructures (PKIs) and intrusion detection systems (IDSs) are often put in place in a tactical manner, with little thought to how these pieces can be tied together into a total security solution. As a result, network activity data generated by each of these point solutions is produced in un-integrated information silos that must be manipulated manually in order to create a comprehensive portrait of what happened.”


Real Time Attacks Need Real Time Responsiveness

The short answer to the question, “Why do I need to protect my network proactively and in real-time?”, is this: “Because the bad guys are attacking you in real-time”. Threats to your network will come thick and fast, and will not wait for you to patch your users’ Windows installations or download the latest antivirus definition file first.


It’s simple: “The ability to Know Immediately enables you to Act Immediately”.


The Financial Burden of Not Acting in Real Time

The cost of undoing any damage rises exponentially with time.  The CIO for a leading pharmaceutical company remarked that “It is easy to be a forensics expert with all the answers thirty days after an attack. But by then, the organization has lost valuable time and money.”


IT managers know only too well the cost of learning about a virus attack on their networks two or three days after the initial breach. The company may very well lose a cumulative whole day’s productivity. And for nasty viruses and malicious attacks that cripple servers and databases, a single day’s loss is a best-case scenario.


The late-response problem is typically aggravated by the accompanying ‘headless-chicken’ syndrome.  The first panicked reaction is to shut down everything!  Eventually (hopefully) someone will calm down and remember to read through the firewall, IDS and antivirus logs. The raw metadata in the logs is typically useless on its own.  It needs to be processed to extract any useful information, which can take a few hours.  Time is a luxury that typical network administrators simply do not have. Worse, the threat may have breached the network several days earlier, further extending the gap between incident and response. Depending on the severity of the problem, this could also require hiring a security expert (read: expensive) to help you bring the network back to operational status.
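The pipeline sketched in the two paragraphs above (raw firewall and IDS lines that are useless until processed, then correlated and rated so that the response gap shrinks to seconds) looks roughly like the following. This is an added example written for this post; it is not Firelytics code and not from the original article. The two log line formats, the scoring weights, the 60-second window and the severity thresholds are all assumptions, and every log line is constructed for illustration. Each line is handled as it arrives, and an alert is raised the moment a source's combined score crosses the HIGH threshold rather than at the next scheduled report.

```python
# Added example: streaming correlation of firewall and IDS log lines with a
# per-source severity rating. Formats, weights and thresholds are assumed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: one source probes three ports, gets a connection
# through, then trips an IDS signature. A later lone deny falls outside the window.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp",
    "2024-05-01T10:00:02Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp",
    "2024-05-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=tcp",
    "2024-05-01T10:00:05Z fw01 ALLOW src=203.0.113.7 dst=198.51.100.10 dport=443 proto=tcp",
    "2024-05-01T10:00:06Z ids01 ALERT sig='Web application attack' src=203.0.113.7 dst=198.51.100.10 priority=1",
    "2024-05-01T10:00:07Z fw01 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443 proto=tcp",
    "2024-05-01T10:30:00Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=445 proto=tcp",
]

# Hypothetical line formats for the two sources (not any real vendor's format).
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")
IDS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ALERT sig='(?P<sig>[^']*)' src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) priority=(?P<prio>\d)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(seconds=60)   # correlation window per source address (assumed)
HIGH, MEDIUM = 6, 3              # severity thresholds on the combined score (assumed)


def parse_line(line):
    """Normalize one raw line into an event dict; None if the format is unknown."""
    m = FW_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": datetime.strptime(d["ts"], TS_FMT), "source": "firewall", "kind": d["action"],
                "src": d["src"], "dst": d["dst"], "detail": f"dport={d['dport']}/{d['proto']}"}
    m = IDS_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": datetime.strptime(d["ts"], TS_FMT), "source": "ids", "kind": "ALERT",
                "src": d["src"], "dst": d["dst"], "detail": d["sig"], "priority": int(d["prio"])}
    return None


def rate(events):
    """Score one source's events inside the window; the weights are illustrative."""
    score, reasons = 0, []
    denied_ports = {e["detail"] for e in events if e["kind"] == "DENY"}
    if len(denied_ports) >= 3:                       # several distinct ports refused
        score += 3
        reasons.append(f"{len(denied_ports)} distinct ports denied within the window")
    if denied_ports and any(e["kind"] == "ALLOW" for e in events):
        score += 1                                   # something got through after the denies
        reasons.append("allowed connection from a source that was just denied")
    for e in events:
        if e["kind"] == "ALERT":                     # IDS corroboration weighs most
            score += 5 if e["priority"] == 1 else 2
            reasons.append(f"IDS signature '{e['detail']}' (priority {e['priority']})")
    return score, reasons


def severity(score):
    return "HIGH" if score >= HIGH else "MEDIUM" if score >= MEDIUM else "LOW"


class Correlator:
    """Sliding window of events per source; alerts are raised as lines arrive."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.recent = defaultdict(deque)   # src -> events still inside the window
        self.alerted = {}                  # src -> highest score already alerted on

    def ingest(self, line):
        """Process one line; return an alert dict if the source just became HIGH."""
        ev = parse_line(line)
        if ev is None:
            return None
        q = self.recent[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > self.window:   # expire events outside the window
            q.popleft()
        score, reasons = rate(q)
        if score >= HIGH and score > self.alerted.get(ev["src"], 0):
            self.alerted[ev["src"]] = score
            return {"ts": ev["ts"], "src": ev["src"], "score": score,
                    "severity": severity(score), "reasons": reasons}
        return None


def run(lines, window=WINDOW):
    """Feed lines in arrival order and collect every alert raised along the way."""
    c = Correlator(window)
    return [a for a in (c.ingest(line) for line in lines) if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(f"{alert['ts'].isoformat()} {alert['severity']} src={alert['src']} "
              f"score={alert['score']}: " + "; ".join(alert["reasons"]))
```

With the constructed lines, no single event is HIGH on its own: three denied ports rate MEDIUM and the priority-1 IDS alert alone scores 5. Correlating them per source is what lifts 203.0.113.7 to HIGH, and the alert is emitted at 10:00:06, five seconds after the first probe, rather than whenever someone next reads the logs. The lone deny at 10:30 scores nothing because the earlier context has expired from the window.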


Firelytics is designed to address this specific problem: delivering instantaneous, reliable, real-time security information that you can act on. When you back the incoming security information with a strong security response posture, you will have reached almost CERT levels of responsiveness. You can pat yourself on the back after that.


How do you develop a robust threat response posture? Well, that’s for another post :). Subscribe to our newsletter to learn about it when we do post it.  When you sign up you’ll also learn about the 7 Realities of Firewall Analytics.

Stay alert.  Be vigilant.  Protect your network!