A new report from F-Secure finds that nearly 80 percent of incident response investigations begin only after a company’s security perimeter has already been breached. Not only that, but approximately 13 percent of investigations turn out to be “false alarms”, where companies spend time and money responding to what they believe is an attack when the real cause is an IT problem.
The challenge of detecting security incidents is a known problem. F-Secure Chief Security Officer Erka Koivunen noted in a blog post that studies give wildly different estimates of how long it takes companies to detect breaches, and that several well-known breaches went undetected for over a year. In many cases, companies learn about breaches from third parties rather than through their own detection capabilities.
But the million-dollar question is: what can companies do to tackle the challenge? Incident detection needs specialized personnel, tools, and processes, which can place considerable strain on an organization’s cyber security resources. Given these costs, it’s no surprise that it’s a pain point companies are reluctant to address.
But the ever-evolving threat landscape combined with increased public and regulatory (like the GDPR) scrutiny of companies that neglect their readiness to respond to incidents means that incident detection isn’t something companies can afford to overlook.
Here are a few of the challenges that companies face with incident detection, and some advice on what they can do:
Evidence of a breach is in the data, so collect wisely
Detecting security incidents is more than a guessing game. You need evidence showing that something is wrong. And you don’t want to wait until you read about it in headlines or get a ransom note from an attacker holding your data hostage.
Logs are a valuable source of evidence and used extensively in IR investigations. So you’ll want to take a systematic approach to aggregating and monitoring logs from across your organization. You’ll want to collect other evidence too, although exactly what will depend on your organization, infrastructure, threat model, and other factors.
You’ll also want to avoid collecting too much data, as the amount can quickly become overwhelming (more on this below).
Filtering data can be painful, but necessary
What do you do with all the data you collect? You need to filter it before it will tell you anything useful.
Assuming you’re collecting enough data to give you adequate visibility into your network, you’ll wind up with millions of events to go through. For example, staff at F-Secure’s Rapid Detection Center – who manage F-Secure’s Rapid Detection Service – collected about 2 million events in the first month of a 1300-sensor installation for one customer.
After discarding obviously benign events, about 900,000 remained. After enrichment, correlation, and analytics were applied to this dataset, 25 suspicious events were identified. Manual analysis and collaboration with the customer then confirmed that 15 of those 25 were genuine threats.
It’s important to note that F-Secure’s Rapid Detection Service is a dedicated incident detection and response solution, and configured by F-Secure to only collect events related to potential threats. Organizations that lack the in-house capabilities to do this can quickly find themselves drowning in data without the right tools or expertise (something in short supply all over the world) to sort through them.
But if done well, organizations should be left with a small, manageable number of events that call for more action.
Anomalies are just leads, so be ready to follow them down the rabbit hole
So what do you look for? Anything out of the ordinary is a potential concern. Anomalies that could indicate an attack include a non-admin user trying to access multiple servers, a large number of login attempts in a short time frame, activity happening at odd hours, and more. You should also cross-reference your logs against threat intelligence feeds to find indicators of compromise (such as activity from known malicious IP addresses).
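The kinds of anomalies listed above can be expressed as simple rules over authentication logs. The following is an added example written for this page, not code from F-Secure or its Rapid Detection Service: it runs four detections (failed-login bursts, a non-admin account reaching several hosts, activity outside working hours, and a match against a threat-intel list) over a small set of constructed log lines. The log format, the field names, the thresholds and the `KNOWN_BAD_IPS` entry are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real logs). Fields:
# timestamp, user, role, source IP, target host, result.
SAMPLE_EVENTS = [
    "2019-03-04T09:02:11 alice admin 10.0.5.12 srv-01 success",
    "2019-03-04T10:15:42 carol user 203.0.113.45 vpn-gw success",
    "2019-03-04T02:13:01 bob user 10.0.5.40 vpn-gw failure",
    "2019-03-04T02:13:05 bob user 10.0.5.40 vpn-gw failure",
    "2019-03-04T02:13:09 bob user 10.0.5.40 vpn-gw failure",
    "2019-03-04T02:13:14 bob user 10.0.5.40 vpn-gw failure",
    "2019-03-04T02:13:20 bob user 10.0.5.40 vpn-gw failure",
    "2019-03-04T02:13:31 bob user 10.0.5.40 vpn-gw success",
    "2019-03-04T02:20:10 bob user 10.0.5.40 srv-01 success",
    "2019-03-04T02:24:55 bob user 10.0.5.40 srv-02 success",
    "2019-03-04T02:31:02 bob user 10.0.5.40 srv-03 success",
]

# Assumed threat-intelligence feed entry (203.0.113.0/24 is a documentation range).
KNOWN_BAD_IPS = {"203.0.113.45"}


def parse_event(line):
    """Parse one space-separated event line into a dict."""
    ts, user, role, ip, host, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "ip": ip, "host": host, "result": result}


def detect(lines, fail_threshold=5, window_seconds=60,
           host_threshold=3, work_hours=(7, 19)):
    """Return a sorted list of unique (rule, user, detail) alerts.

    Every alert is a lead to follow up, not a verdict: an analyst still has to
    confirm whether it is an incident or a benign explanation.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts = set()
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    hosts_by_user = defaultdict(set)     # non-admin user -> distinct hosts logged into
    start_hour, end_hour = work_hours

    for e in events:
        # Rule: any activity (success or failure) from an IP on the threat-intel list.
        if e["ip"] in KNOWN_BAD_IPS:
            alerts.add(("known_bad_ip", e["user"], e["ip"]))

        # Rule: many failed logins for one (user, source IP) inside a sliding window.
        if e["result"] == "failure":
            key = (e["user"], e["ip"])
            window = [t for t in recent_failures[key]
                      if (e["ts"] - t).total_seconds() <= window_seconds]
            window.append(e["ts"])
            recent_failures[key] = window
            if len(window) >= fail_threshold:
                alerts.add(("many_failed_logins", e["user"], e["ip"]))
            continue  # the remaining rules look at successful logins only

        # Collect hosts reached by non-admin accounts (evaluated after the loop).
        if e["role"] != "admin":
            hosts_by_user[e["user"]].add(e["host"])

        # Rule: successful login outside working hours.
        if not (start_hour <= e["ts"].hour < end_hour):
            alerts.add(("odd_hours", e["user"], e["host"]))

    # Rule: a non-admin account reaching an unusual number of distinct hosts.
    for user, hosts in hosts_by_user.items():
        if len(hosts) >= host_threshold:
            alerts.add(("non_admin_multiple_hosts", user, ",".join(sorted(hosts))))

    return sorted(alerts)


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} user={user:6} {detail}")
```

Run on the sample, `detect` flags bob's five failures followed by a success, his logins to four hosts at two in the morning, and carol's session from the listed IP, while alice's morning admin login produces nothing. The alerts are deduplicated by (rule, user, detail) so one noisy account does not generate a fresh alert for every event; in practice the thresholds and working hours need tuning per organization, or the rules will produce the kind of volume the previous section warns about.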
In a perfect world, a closer look at these potentially threatening events would be quickly and easily explained by someone working late, a forgotten password, or a network error caused by a recent update.
But in the real world, some of those events will be actual security incidents. And while an organization’s response to incidents can be seen as a separate issue, F-Secure Principal Security Consultant Tom Van de Wiele emphasizes that effective incident detection strengthens an organization’s ability to respond to incidents – something everyone from IT admins and CISOs to board members and CEOs will appreciate when a crisis hits.
“Every incident response process begins with the same question: is it an incident? How fast a company can make that determination, how smooth and efficient their processes and procedures are, the quality of their forensics and technology, and how well-trained their staff is, defines the cost of the answer to that question,” says Tom. “Once an organization has the facts based on detection capabilities, and not rumors or assumptions, then the process can continue with the next step which is usually containment and eradication.”