Intelligent CIO Middle East Issue 17 | Page 87

FINAL WORD
"Ensure you have baseline data for your environment. You may call it peace time learning, and any changes to the baseline could possibly act as an early warning for a possible breach. Some SIEM solutions help you create this baseline data."
Majid Khan, MSS Architect at Help AG
3. Implement incident response plans
So, now that you have adequate preventive security controls and you are monitoring your environment, it's time to move further. As mentioned at the start of this write-up, no matter how many security measures are in place, it may never be enough to stop an extremely motivated hacker. Hence, it's important that we have incident response plans which can be invoked during a breach, thereby limiting the time of exposure due to the breach.

To emphasise my point, I would like to cite data from the Trustwave Global Security Report 2016, which compared the number of days taken from intrusion to containment. Although it showed a downward trend, it found that, in general, it took more than 60 days to contain an incident, which means organizations are exposed for that period.
Some incident response plans may merely be created in a Word document and expected to be followed during breaches. That is a good start; however, I recommend using security incident response tools which guide a SOC analyst through the entire process of incident handling. This will ensure all aspects of security incident handling are covered.
To further enhance incident response capability, organizations should look at orchestration of actions required to contain or mitigate the impact of security breaches.
4. Implement predictive controls
Once the organisation has successfully implemented and maintained all the previous stages, the next step is to start predicting breaches before they actually occur. As you would guess, it's never easy to predict something which has not happened yet; however, assuming that all previous stages have been well implemented, you can utilise them for this stage.

Predicting attacks will require multiple aspects:
Baseline - Ensure you have baseline data for your environment. You may call it peace time learning, and any changes to the baseline could possibly act as an early warning for a possible breach. Some SIEM solutions help you create this baseline data.
Threat hunting - Partially related to the previous point, you, or your MSSP, could have threat hunting as one of the capabilities, where analysts hunt for threats in your environment. In some cases this could be post-breach, while in others you could pick it up during the early stages.
Intelligence from the Dark Web - To explain this point, I will draw an analogy to the intelligence that countries use to predict any planned terrorist activities that might occur against them. They have informers, and so too, companies can subscribe to services from companies who have a presence on and/or harvest the dark web. This information could include planned attacks or campaigns on a specific industry, region or company. It can be used to know whether you or your sector is being targeted, and will thus enable you to be ready for it in advance.
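The baseline point above is the one stage of the four that reduces to a concrete computation, so here is an added example of what "peace time learning" looks like in practice. It is illustrative code written for this page, not the author's, Help AG's, or any SIEM vendor's: it assumes a hypothetical log line format ("<ISO timestamp> <host> <event> user=<user>"), builds the constructed peace-time and "today" samples inline, learns the mean and spread of daily counts per (host, event) pair, and then flags a later day whose counts break out of that band or that introduce a pair never seen during the quiet window.

```python
"""
Peace-time baseline and deviation alerting over constructed log lines.

Added example (not from the article or any vendor SIEM): learns, per
(host, event) pair, the mean and standard deviation of daily event counts
during a quiet "peace time" window, then flags a later day whose counts
exceed that band or that introduce pairs never seen in the baseline.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed (hypothetical) log format: "<ISO timestamp> <host> <event> user=<user>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<host>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)$"
)


def _synth_lines(day, counts):
    """Emit one constructed log line per event for the given day and count table."""
    lines = []
    for (host, event, user), n in counts.items():
        for i in range(n):
            lines.append(f"{day}T08:{i:02d}:00Z {host} {event} user={user}")
    return lines


# Constructed peace-time window: five ordinary working days with small day-to-day variation.
PEACETIME_LINES = []
for d, (ok, fail) in enumerate([(3, 1), (4, 0), (3, 1), (4, 0), (3, 1)], start=1):
    PEACETIME_LINES += _synth_lines(f"2016-03-0{d}", {
        ("fileserver01", "login_ok", "alice"): ok,
        ("fileserver01", "login_fail", "bob"): fail,
        ("vpngw01", "login_ok", "carol"): 2,
    })

# Constructed "today": a burst of failed logins plus a host/event pair the baseline never saw.
TODAY_LINES = _synth_lines("2016-03-06", {
    ("fileserver01", "login_ok", "alice"): 4,
    ("fileserver01", "login_fail", "bob"): 25,
    ("vpngw01", "login_ok", "carol"): 2,
    ("dc01", "login_fail", "svc_backup"): 3,
})


def daily_counts(lines):
    """Return {day: {(host, event): count}}; lines that do not match the format are skipped."""
    per_day = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed/unrelated line; a production pipeline should count these too
        per_day[m["day"]][(m["host"], m["event"])] += 1
    return per_day


def build_baseline(lines):
    """Per (host, event): mean and population std-dev of the daily count over all baseline days.
    Days on which a pair produced nothing count as zero, so rare events keep a realistic spread."""
    per_day = daily_counts(lines)
    days = sorted(per_day)
    keys = {k for counts in per_day.values() for k in counts}
    baseline = {}
    for key in keys:
        series = [per_day[d].get(key, 0) for d in days]
        baseline[key] = (mean(series), pstdev(series))
    return baseline


def detect_deviations(baseline, lines, sigmas=3.0, min_margin=2):
    """Compare each day's counts in `lines` with the baseline.
    Returns a list of (day, host, event, reason) findings for an analyst to triage."""
    findings = []
    for day, counts in daily_counts(lines).items():
        for (host, event), n in counts.items():
            if (host, event) not in baseline:
                findings.append((day, host, event, f"pair never seen in baseline (count={n})"))
                continue
            mu, sd = baseline[(host, event)]
            # Floor the band so a pair with zero variance does not alert on a +1 blip.
            limit = mu + max(sigmas * sd, min_margin)
            if n > limit:
                findings.append((day, host, event,
                                 f"count {n} exceeds baseline {mu:.1f}+/-{sd:.1f} (limit {limit:.1f})"))
    return findings


if __name__ == "__main__":
    learned = build_baseline(PEACETIME_LINES)
    for finding in detect_deviations(learned, TODAY_LINES):
        print(*finding)
```

Running it reports two findings for 2016-03-06: the failed-login count on fileserver01 (25 against a baseline of roughly 0.6) and the never-before-seen dc01 login_fail pair; the normal fileserver01 and VPN logins stay silent. The `min_margin` floor is the practical caveat: a pair whose peace-time count never varies has a standard deviation of zero, and without a floor a single extra event would page someone. Real deployments also need the baseline re-learned on a schedule, which is the "regular review" the article closes on.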
As I mentioned earlier, each of these stages requires regular review to ensure they are fit for purpose and that the most relevant level of controls exists.