BreachExchange mailing list archives

How to thwart hackers with a cyber playbook


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 May 2014 13:35:56 -0600

http://www.information-age.com/technology/security/123457985/how-thwart-hackers-cyber-playbook

It’s hard to read the news these days without learning about yet another
security breach.

Whether it’s U.S. retailer Target, Orange France, travel insurer Staysure,
or supermarket chain Morrisons, news of cyber attacks is front and centre
on a weekly basis.

It is no longer a surprise when a business or government agency reveals
that a breach has compromised data related to their customers, employees,
partners — or all of the above.

We know that attacks routinely target critical networks and that they are
as likely to target multiple organisations in a single or related industry
as they are to focus on a single target.

What is surprising is the length of time it takes organisations to detect
and resolve security events.

We know that attacks can unfold in the blink of an eye but can take months
— even years — to be properly identified and eradicated from an
organisation’s systems.

According to a newly released CSG Invotas cyber security survey, more than
one-third of cyber-attacks take hours to detect.

Equally alarming, resolving breaches takes days, weeks and, in some cases,
even months.

No matter how accustomed we may be to hearing about the increasing number
of attacks, this state of affairs should catch the attention of the C-suite
in organisations around the globe.

Consider the figures: according to the U.K. government, 93% of large
corporations and 87% of small businesses reported a cyber breach in the
past year.

In fact, affected companies in the U.K. experienced almost 50% more attacks
on average than they did a year ago: dramatic increases which reflect the
dynamics of a digital economy.

Technology is constantly changing and evolving, which means cyber attacks
are constantly changing and evolving too.

Attacks that come in looking like one piece of software code quickly mutate
and adapt to the target environment, multiplying the number and types of
attacks and proliferating at machine speed to expose weaknesses.

The result? New vulnerabilities and attack vectors are continually
discovered — and security teams are continually playing catch-up.

Advanced cyber attacks pose a serious risk to commercial and government
concerns. To counter these threats, many organisations have established
security operations centres (SOCs) that leverage advanced tools embedded in
their standard operating procedures.

Typical SOC analysts will be trained to utilise multiple tools but will
still spend a large portion of their time on the manual components of each
tool.

Simple tasks such as updating helpdesk tickets, performing manual content
enrichment (e.g., testing hyperlink safety and uploading malware
protections) and gathering information from infected machines require a
significant amount of analyst time.

When the time to complete all of these tasks is compared against the actual
analysis of the incident, organisations frequently find that their highly
trained analysts spend more time on repeatable processes than on using
their extensive analytical skills.

What’s more, traditional cyber defence tools don’t provide adequate
protection from attack.

If CIOs consider the time analysts spend performing the same manual tasks
over and over, the inadequacy of legacy technology, the shortage of
security workers in the industry, and the personnel-intensive integration
of all of these tools to thwart cyber attacks, they are likely to agree
that a more streamlined approach to cyber security is required.

Enter the cyber playbook. Given that specific incident or threat types
determine the workflow, tools and processes analysts choose to respond
with, a cyber playbook can become the repository for all such “plays” that
can be orchestrated on the fly and combined for specific threat-response
scenarios.

The playbook can — and should — contain all probable combinations of
workflows, tools and processes to ensure that responses can change and
adapt in real time to mirror and ultimately thwart attacks.

Similar to a rugby playbook of tactics, a comprehensive cyber security
playbook will represent tested and successful routines that can be quickly
repeated with minimal customisation or manual intervention.

The successful playbook is developed and honed through network analysis.
By tapping into workflows and data directly from security information and
event management (SIEM) tools and other enterprise-wide devices, security
specialists can determine which tasks are being performed manually and
routinely.

That data forms the basis of the playbook, which grows to incorporate all
simple and repeatable courses of action that can be synchronised at speed
and scale; such “plays” must be tested and pre-approved for repeated use.

For instance, the cyber playbook for malware remediation might contain
email templates, a list of recommended resources for collecting web-address
reputation scores, steps for collecting data packets, and instructions on
how to add firewall rules, among other tasks.
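As an added illustration (not code from the article or from any product it mentions), the following Python sketch shows how a malware-remediation play of the kind just described can be expressed as data and run by a small engine that enforces the earlier rule that plays are tested and pre-approved before repeated use, and that lets a step be marked semi-automated so it pauses for an analyst decision. The reputation table and all action functions are constructed stand-ins for real enrichment, capture and firewall integrations.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed reputation table (stands in for an external reputation service).
REPUTATION = {"bad.example": 95, "cdn.example": 5}

def enrich_reputation(ctx: dict) -> str:
    ctx["reputation"] = REPUTATION.get(ctx["host"], 50)  # unknown -> neutral
    return f"reputation({ctx['host']})={ctx['reputation']}"

def collect_packets(ctx: dict) -> str:
    ctx["pcap"] = f"capture-{ctx['ticket']}.pcap"  # a real play would call a sensor
    return f"pcap requested: {ctx['pcap']}"

def add_firewall_rule(ctx: dict) -> str:
    ctx["rule"] = f"deny any -> {ctx['host']}"
    return ctx["rule"]

@dataclass
class Step:
    name: str
    action: Callable[[dict], str]
    needs_analyst: bool = False  # semi-automated: pauses for a human decision

@dataclass
class Play:
    name: str
    steps: List[Step]
    tested: bool = False    # plays must be tested ...
    approved: bool = False  # ... and pre-approved before repeated use

def run_play(play: Play, ctx: dict, analyst_ok: Callable) -> List[Tuple[str, str]]:
    """Run a play and return its audit trail; refuses untested/unapproved plays."""
    if not (play.tested and play.approved):
        raise PermissionError(f"play {play.name!r} is not tested and pre-approved")
    audit = []
    for step in play.steps:
        if step.needs_analyst and not analyst_ok(step, ctx):
            audit.append((step.name, "skipped: analyst declined"))
            continue
        audit.append((step.name, step.action(ctx)))
    return audit

MALWARE_REMEDIATION = Play("malware-remediation", [
    Step("enrich-url-reputation", enrich_reputation),
    Step("collect-packets", collect_packets),
    Step("add-firewall-rule", add_firewall_rule, needs_analyst=True),
], tested=True, approved=True)

def block_only_bad(step: Step, ctx: dict) -> bool:
    return ctx.get("reputation", 0) >= 80  # analyst policy: block high-risk hosts only
```

The audit trail returned by `run_play` is what would be attached to the helpdesk ticket, so the analyst sees every automated action taken and every point at which a human decided.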

Don’t recreate: automate

By capturing critical institutional knowledge, security analysts can
determine which workflows should become part of the cyber playbook and
which are likely candidates for automation.

As a result, pre-defined measures can be executed at sub-second speed
without manual intervention wherever and whenever such automation makes
sense.

By adopting a cyber playbook that capitalises on automated and
semi-automated courses of action synchronised across a complex enterprise,
security professionals can effectively counter cyber attacks with
coordinated and comprehensive defensive strategies — strategies that can be
evaluated and repeated on the fly to continually improve response actions.

By automating or semi-automating existing workflows, agencies can
reallocate resources to other, more urgent areas. Security analysts
perform a critical function, but their non-critical tasks can be performed
more effectively with automation solutions that enable them to focus on
what’s important: continuously secure enterprise operations.

New automation and orchestration technologies make such an approach both
possible and practical.

We know the gap between detection and response grows wider every day, and
we know the speed, versatility, and frequency of attacks have reduced the
effectiveness of traditional threat responses.

Security automation can markedly reduce the current widespread dependence
on manual intervention and passive defensive tools by allowing key
resources to focus on threat analysis and containment, which are essential
to keep complex large-scale systems and networks online.

One organisation that recently tested automation tools uncovered scenarios
for increased efficiencies as part of the remediation of compromised VPN
users.

During the test, the time to support VPN helpdesk tickets dropped from an
average of 40 minutes to fewer than two, which in a production environment
could allow the organisation to allocate its limited security resources on
more strategic tasks.

Given the current size of most security staff, the growing demands on that
staff, and the shortage of available skilled workers, using automation
tools strategically to augment security personnel delivers benefits beyond
the immediate bottom-line boost.

As an added benefit, automating basic processes to simple drag-and-drop
actions makes the attraction and retention of security staff more strategic
and cost effective. The cyber security skilled worker shortage is a major
issue industry-wide – Cisco’s 2014 Annual Security Report points to a
worldwide shortage of nearly one million skilled security professionals.

By utilising security automation, key hires can then be cultivated for more
complicated security scenarios allowing organisations to benefit from the
ability to tap the right mix of skills for the right tasks at hand.

A sound cyber security playbook will become an analyst’s best friend. It
combines the best personnel, processes, tools, and workflows an
organisation possesses into a dynamic and flexible real-time security
response engine.

A winning coach would never show up to the big game without a proven
playbook in hand; it’s time security professionals adopted the same
practice.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
