Across the board, security teams of every industry, organisation size, and maturity level share at least one goal: the need to manage risk. Managing risk is not the same as solving the problem of cybersecurity once and for all, because there is simply no way to solve it once and for all. Attackers are constantly adapting, developing new and more advanced attacks, and discovering new vulnerabilities.
An incident response team is accountable for having a plan to handle an incident and implementing it. They’re prepared to mitigate damage, identify the root cause of an incident, and communicate with the proper channels.
But they are also responsible for another crucial part of incident response: the post-incident review, a detailed retrospective that allows an enterprise to carefully understand each part of an incident, from start to finish. It is the one step in the incident response process that requires a cross-functional effort from every individual and technology connected to the incident in order to truly understand the root cause and full scope of the attack. It answers critical questions about what happened before, during, and after the attack.
A good post-incident review results in a list of practical actions that address each of the issues that allowed the threat actor to succeed. These actions should minimise the impact of an attack and teach the security team, the security tools, and the wider enterprise how to prevent, detect, and respond to a similar attack in the future.
However, this leaves post-incident review with a major problem.
It takes organisations an average of 191 days to identify a data breach. For a post-incident review that does its due diligence, this means potentially going all the way back in time through at least 191 days’ worth of data to find the root cause of the attack. Consider all of the data in your environment that has come and gone over the course of 191 days. How many investigations have your analysts performed in that time?
Post-incident review is a big data problem that requires a big data solution. Incident response teams need to be able to easily query months’ worth of data, but until now the industry simply had not reached the point where that was an option. Network forensics is typically limited to two to three weeks of raw data, while log management solutions are difficult to access and correlate across large data sets.
As an industry, we need to be incorporating the principles of big data into our security solutions. Legacy solutions do not address dwell time or the need to see every phase of the attack properly correlated, which means security analysts miss out on important data. The bottom line: if you’re a security company, you need to be using data science principles in your development. If you are in a SOC, you need to be thinking not only about incident response, but also about how your tools handle massive amounts of incoming data and make it easily consumable.
By Allie Mellen, Security Strategist, Cybereason.