Triage – the prioritizing of patients’ treatments based on how
urgently they need care – saves lives when order of care decisions must be
made. Medical teams base their decisions on the symptoms they can see and the
conditions they can diagnose. I’m sure the process isn’t perfect, especially in
the midst of a crisis, but skilled medics can prioritize care based on their
knowledge and experience.
For IT incident response teams, cyber attacks and incidents also
happen quickly, but the symptoms can go unnoticed until it's too late,
particularly in the case of targeted attacks aimed at specific data such as medical
records or cardholder data. In a previous post, I discussed the challenges security teams face regarding mean time to detection and response. Despite the team's knowledge and experience when it
comes to dealing with incidents, without the right information – right away –
it's nearly impossible for the team to make the "triage" decisions needed to mitigate
as much risk as they otherwise could.
On the other hand, suppose a number of employees have just
clicked on links tucked away in a cleverly crafted phishing e-mail, and their
endpoints have been infiltrated. As the attackers launch exploits aimed at applications
on those endpoints, security alerts are kicked out by the endpoint security
software. When there's a mass attack, such as one that involves automated
malware, hundreds or even thousands of endpoints can be infected
simultaneously. It's not hard for any organization to see when an incident like
this is underway.
In either scenario, what's one of the most crucial aspects of
response? Beyond the ability to quickly identify that an attack is underway,
the other – just as in triage – is to be able to identify which systems pose the
greatest risk to security or contain sensitive data and therefore require immediate response.
In many cases, systems affected by a malware attack, for instance, may just
need to be restored to a known safe state, while other systems – those with
critical access to important systems or containing sensitive information –
would need immediate attention so that risk can be properly mitigated.
Once an attack or incident is discovered, the clock begins to
tick as you scope, triage, and remedy the damage. Every delay and false
positive costs you time and money, and increases the risk of significant loss
or widespread damage. The problem is compounded by lack of visibility into the
troves of sensitive data potentially being stored in violation of policy.
One of the most effective things to do – whether looking at 500
systems that have been infected all at once or getting reports of dozens if not
hundreds of unrelated incidents – is to decide which system breaches place the
organization at greatest risk.
There are a number of ways you can try to accomplish this. For
instance, a notebook that is breached, which happens to be operated by a
research scientist, could very likely contain more sensitive information than
that of a salesperson. But what if a developer's system gets breached? What if
someone in marketing gets breached? Who knows, offhand, what risk that could
entail? Perhaps the developer was running a test on an application with
thousands of real-world credit card numbers. Maybe the person in marketing was
carrying confidential information on a yet-to-be-released product.
In either case, it'd be helpful to know whether sensitive data
resided on the systems. And with alerts and potential breaches coming in so quickly, one
would think it's nearly impossible to make such decisions on the fly.
Fortunately, it's not. We've written in the past about the importance of
automation when it comes to incident response, and about how the marriage of security
information and event management and incident response can help
organizations respond to security events more effectively. Now, here's another technology that
you might want to consider using with your incident response systems:
the ability to conduct content scans, such as those that look for
critical data, financial account data, personally identifiable information,
and other sensitive content, either on a scheduled basis or automatically in
response to an alert.
Consider for a moment the potential value such a capability
brings most organizations. First, it provides powerful insight that helps
prioritize which systems get evaluated first. If several systems are hit by a
targeted attack, you'll instantly know which systems to focus your attention on
for containment and remediation. Second, from the types of systems being
targeted, you may be able to infer what data or information the attackers seek. This gives you
valuable time, potentially very early in the attack, to tighten your defenses
accordingly. Third, because you'll have actionable information, you'll have a
fighting chance at clamping down on the attack before many records are
accessed, or at least at mitigating the attack as quickly as modern technology and
your procedures allow.
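To make the alert-driven content scan and the prioritization it enables concrete, here is a small worked example. It is added here and is not code from the original post or from any product the post alludes to: it takes a list of endpoint alerts, scans constructed sample text from each alerting host for payment card numbers (validated with the Luhn checksum so that ordinary long numbers are not counted), US-style SSN patterns and "confidential" markers, and ranks the hosts by a weighted risk score so the responder knows which system to look at first. All host names, roles, weights and file contents are constructed assumptions for illustration; the three hosts mirror the developer, marketing and salesperson cases discussed above.

```python
"""Alert-driven content scan for incident triage (added example; constructed data)."""
import re
from dataclasses import dataclass

# Detector patterns. The card pattern is deliberately broad (13-16 digits with
# optional spaces/hyphens); the Luhn check below filters out most false hits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)

# Assumed per-category weights: tune to your own data classification policy.
WEIGHTS = {"card": 10, "ssn": 8, "confidential": 3}


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count sensitive-data findings by category in one blob of endpoint text."""
    findings = {"card": 0, "ssn": 0, "confidential": 0}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings["card"] += 1
    findings["ssn"] = len(SSN_RE.findall(text))
    findings["confidential"] = len(MARKER_RE.findall(text))
    return findings


def risk_score(findings: dict) -> int:
    """Weighted sum of findings; higher means triage this host sooner."""
    return sum(WEIGHTS[cat] * n for cat, n in findings.items())


@dataclass
class Alert:
    host: str
    owner_role: str
    signal: str   # constructed detection name from the endpoint security tool


def triage(alerts, endpoint_contents):
    """Scan each alerting host and return (score, host, role, findings) sorted
    by descending score, ties broken by host name for a stable order."""
    ranked = []
    for a in alerts:
        text = "\n".join(endpoint_contents.get(a.host, []))
        f = scan_text(text)
        ranked.append((risk_score(f), a.host, a.owner_role, f))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


# Constructed sample data: what a scan of each alerting endpoint might return.
# Card numbers are the well-known public test numbers, not real accounts.
SAMPLE_ENDPOINT_CONTENT = {
    "dev-lt-07": ["# payment test fixtures", "4111 1111 1111 1111",
                  "5500 0000 0000 0004", "order 4111-1111-1111-1112 rejected"],
    "mkt-lt-12": ["CONFIDENTIAL: launch plan for Project Aurora, Q3",
                  "press list: jane@example.com"],
    "sales-lt-03": ["quote #20231107 for 16 units at $12.50", "call back on 555-0100"],
}
SAMPLE_ALERTS = [
    Alert("sales-lt-03", "sales", "exploit.browser"),
    Alert("dev-lt-07", "developer", "exploit.browser"),
    Alert("mkt-lt-12", "marketing", "exploit.browser"),
]

if __name__ == "__main__":
    for score, host, role, f in triage(SAMPLE_ALERTS, SAMPLE_ENDPOINT_CONTENT):
        print(f"{score:3d}  {host:12s} {role:10s} {f}")
```

Run as-is, the developer's notebook ranks first (two Luhn-valid card numbers; the invalid one is ignored), marketing second on the confidential marker, and the sales notebook last with no findings. In a real deployment the `SAMPLE_ENDPOINT_CONTENT` lookup would be replaced by the content scan your endpoint tooling runs when the alert fires.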
Unlike triage in health care, lives may not be at stake –
but critical data and information certainly are. And anything that can be done,
such as coupling incident response with intelligent content scans and
immediately capturing time-sensitive end point data the moment an alert is
generated, will increase the overall effectiveness of your security and
incident response efforts, and help you understand immediately if sensitive
data is at risk.