Strengthening resilience to attacks is the current emphasis for security professionals. Though defenders are inventing increasingly sophisticated technologies and tactics, adversaries are not far behind.
Criminals are well funded, and they use a mix of advanced technologies and strategies to evade detection. Security professionals will always do their best to block attacks proactively, but capable attackers will find a way to penetrate networks. Incident Response (IR) must become a continuous process rather than a fixed set of steps that tries to stop malware from entering or simply reimages an affected machine.
A study on Incident Response capabilities showed that detection and IR are evolving, with room for improvement. 45% of respondents cited a lack of visibility into activity across a variety of systems and domains as an obstacle to effective IR, and 37% said that their teams are not able to differentiate between malicious and non-malicious events.
Visibility is of utmost importance for detecting attacks and responding quickly. If a machine is collecting large amounts of data from diverse parts of the network, it is important to know:
What type of data is the machine accessing?
Which parts of the network is it going to in order to collect this data?
How often, and at what time of day, is this taking place?
Continuous visibility provides answers to these questions.
If a malicious executable is launched, if a machine makes an external connection to a suspicious IP address, or if alerts keep coming from event logs, it is important to know instantly. We can then examine the origin of the malicious activity and take the necessary action.
When a machine is infected, remediation generally takes the form of a wipe and reimage. But analyzing an infected machine and taking it offline is not enough when dealing with persistent attacks. Identifying a single machine that behaves suspiciously, quarantining it, and reimaging it will not eliminate the threat.
Security professionals must identify the primary source, the origin of the attack, its consequence on the machine, the other machines it communicated with, and whether the attack is still circulating on the network. These capabilities are currently deficient, and better security analytics and correlation across affected systems are required. Innovative attackers can easily re-infect machines using the same techniques repeatedly.
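As an added illustration (not code from this post or from SecPod), the following Python script runs the visibility questions above over a constructed connection log: it profiles what a host reaches, how often and at which hours, flags a contact with a hypothetical watchlisted address, and then follows the flagged host's later internal connections to list the other machines that must be examined instead of stopping at the one machine. The log lines, host names and watchlist are all constructed.

```python
from datetime import datetime

# Constructed sample connection log (not from the post): timestamp, source host, destination, bytes
SAMPLE_LOG = """\
2024-05-01T02:13:05 ws-17 fileserver-01 52000000
2024-05-01T02:14:40 ws-17 203.0.113.45 800
2024-05-01T02:20:11 ws-17 ws-23 120000
2024-05-01T09:01:00 ws-23 fileserver-01 4000
2024-05-01T09:05:30 ws-23 ws-41 95000
2024-05-01T09:30:00 ws-41 printer-02 300
"""
# Hypothetical watchlist of external addresses (constructed, TEST-NET range)
SUSPICIOUS_IPS = {"203.0.113.45"}

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])

def activity_profile(events, host):
    """Where a host went, how often, how much data, and at which hours of the day."""
    profile = {}
    for e in (e for e in events if e["src"] == host):
        p = profile.setdefault(e["dst"], {"count": 0, "bytes": 0, "hours": set()})
        p["count"], p["bytes"] = p["count"] + 1, p["bytes"] + e["bytes"]
        p["hours"].add(e["ts"].hour)
    return profile

def flag_external_contacts(events):
    """Connections to a watchlisted address as (host, address, time), so they can be acted on at once."""
    return [(e["src"], e["dst"], e["ts"].isoformat())
            for e in events if e["dst"] in SUSPICIOUS_IPS]

def scope_spread(events, first_host):
    """Follow internal connections outward from the flagged host, in time order, to find
    every other machine it (or a machine it reached) contacted afterwards."""
    reached = {first_host: datetime.min}  # host -> time it was first reached
    changed = True
    while changed:
        changed = False
        for e in events:  # already time-sorted, so each hop is checked against its predecessor
            if (e["src"] in reached and e["dst"] not in reached
                    and e["ts"] >= reached[e["src"]] and e["dst"] not in SUSPICIOUS_IPS):
                reached[e["dst"]] = e["ts"]
                changed = True
    return reached
```

Calling `scope_spread` on the host returned by `flag_external_contacts` yields the full set of internal machines to examine, not just the one that touched the watchlisted address.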
Continuous Monitoring and Incident Response with Saner
Organizations require technologies that deliver full visibility into the network and an understanding of its core components. To detect attacks quickly, to make sure that an attack is understood and mitigated, and to prevent similar attacks from recurring, a continuous approach to incident response is needed.
The SecPod Saner endpoint security solution proactively detects threats and remediates them instantly. Saner not only provides real-time visibility into endpoint systems but also reduces the likelihood of an incident by preventing attacks from succeeding. If an incident occurs, Saner detects IoCs and provides a wide range of response options to contain the potential damage, including containing the incident and taking other remedial actions to ensure undisrupted operations. If attacks happen repeatedly using the same known vulnerability, Saner helps identify that vulnerability and fixes it.
– Rini Thomas