Staggering Level of 2011 Breaches Shows Incident Response Speed Is of the Essence

Anthony Di BelloTo reduce costs and mitigate the damage done by breaches, security teams need quick access to the right information.

It seems the torrent of data breach news never lets up. In 2010, according to the Open Security Foundation’s Data Loss Database, there were 555 breaches affecting nearly 27 million records. And while the number of incidents fell to 369 this year (so far, the year isn’t over as this is written), a staggering 126.7 million records have been affected.

The number of breached records isn’t the only statistic that is up. The most recent Ponemon Institute U.S. Cost of a Data Breach Study report, published in March of this year, found that the cost of breaches per record also is climbing. The report, which looked at 2010 data, found the cost per record to be $214, up $10 when compared to the previous year.

Why is the number of records compromised rising, along with the cost of breaches? There are no easy answers. Of course, more institutions are using electronic records today than ever before – and they’re also operating under stricter regulatory compliance mandates that require notification. Those are probably two very important reasons.

Another is the greater complexity of today’s networks. There are more servers, databases, and applications managing our data across more and more networks.

This makes it very challenging to quickly identify potential breaches as they’re just getting underway.

As networks grow more complex, with more interactions with more network infrastructure and applications, the number of potential security events to monitor also rises. In order to better manage the associated risks – and quickly clamp down on breaches as they’re occurring – IT security teams need to deploy more security defenses and to monitor everything from network access to network and web traffic to application usage.

This heightened level of security monitoring means, of course, that security teams will receive tens of thousands – for large organizations perhaps hundreds of thousands – of security alerts from their Security Information and Event Management (SIEM) system every day. This makes it incredibly difficult to prioritize and respond to those events that matter. In fact, obtaining information about endpoints (where many breaches originate) that can be acted upon in a reasonable period of time is next to impossible.

This lack of visibility into real-time endpoint security activity significantly intensifies enterprise risk by both increasing the probability that successful attacks go unnoticed, and that security teams are hampered from doing their jobs effectively.

What IT security teams need is quick access to endpoint data to reduce risks. Because endpoint data tends to decay, or change very often, by the time security teams get to see the alerts that come from their SIEM, it’s often many hours or days too late to respond.

What’s needed for SIEMs to be more effective is the ability to integrate endpoint incident response into SIEM alerting. For example, our EnCase® Cybersecurity automates the incident response process by enabling the augmentation of rules into one of the most well established SIEMs, HP ArcSight. This integration makes it possible for EnCase® to capture the necessary data right on the endpoint as soon as possible. For example, if a user who is authorized to access the network attempts to access unauthorized applications or resources, EnCase® Cybersecurity can be configured to capture relevant system information at the very time that undesirable event occurs. This ensures an accurate view of exactly what activity was underway at the time the user attempted to access the unauthorized resources.

Additionally, as alerts from security defenses are generated and captured by the SIEM, EnCase® Cybersecurity can be configured to immediately take memory and system information snapshots of all hosts involved in the event. This ensures a real-time glimpse into the state of the computer at the time of the alert, revealing known, unknown, and hidden processes, as well as running DLLs and network socket information.

And with that kind of information in the hands of the IT security team, it then can prioritize and address the biggest risks before substantial damage occurs. If more organizations had these capabilities in place, the number of breaches, affected records, and the total cost of the breaches will likely go down.

Watch Trends in SIEM and Incident Response webinar featuring 451 Research and HP Enterprise Security to learn more about how the convergence of SIEM and incident response technologies can benefit you.

No comments :

Post a Comment