EFFECTIVE INCIDENT RESPONSE

Transcription

1 ONLINE REPORT SPONSORED BY: Special Report: Incident Response EFFECTIVE INCIDENT RESPONSE INSIDE P2 PREPARATION IS ESSENTIAL P3 CHOOSE THE SERVICE APPROACH TO INCIDENT RESPONSE P4 ADOPT A MULTI- PRONGED APPROACH TO PREVENT CYBERATTACKS P5 RAPID RESPONSE P6 FIGHTING CYBERCRIME REQUIRES MORE THAN JUST TOOLS

2 PREPARATION IS ESSENTIAL When crafting an incident response plan, preparation is a critical component. Effectively mitigating cyberthreats and developing an appropriate response plan requires much more than simply putting the right technology in place. Without fully understanding the business environment and designing and testing a solid incident response plan, agencies are much more likely to experience far-reaching and damaging breaches. Unfortunately, this problem isn t uncommon. According to a report from the SANS Institute, the primary impediments to effective incident response include a shortage of staffing and skills, lack of procedural reviews and practice, inadequate visibility into events happening across different systems or domains, and lack of comprehensive automated tools. To be effective with incident response, you need to think of it as a program, not just a set of tools, says Tony Cole, Vice President and Global Government CTO at FireEye, a leading provider of real-time, dynamic threat protection. That means knowing what are the crown jewels of the agency, understanding the agency s risk tolerance, and developing and testing a comprehensive plan for incident response. Agencies that do have an incident response plan in place have often had their security teams develop the plan without adequate input from business stakeholders. Without that input, the plan may not fully address the issues, applications and data that are important to the agency s goals and leadership. Processes, Priorities and Tools Traditionally, much of an organization s security budget has been spent on tools to detect cyberbreaches, with considerably less emphasis on incident response. That s a mistake, says Cole. Without adequate incident response, agencies are at risk for the same or worse cyberevents occurring in the future. A major part of any incident response plan must involve processes and priorities. The plan must also specify technology that can not only detect breaches, but also resolve them and prevent them from reoccurring. Many agencies are already using too many different tools. According to research from Hewlett Packard Enterprise, the average organization is using 63 different technology products. Developing an effective incident response strategy requires pinpointing requirements and winnowing the list of tools down to those that can provide the intelligence and analytics required to combat today s cyberthreats. A report from FireEye finds that many organizations still use signature-based tools, which can t keep up with the speed at which attacks are evolving. Many tools provide alerts, but don t allow security personnel to revisit incidents to see what occurred. For incident response, it s best to choose tools that can generate alerts and provide the context necessary to fully resolve problems. FireEye s network forensics, host forensics and log forensic tools, for example, not only generate alerts, but help security personnel go back to examine the entire series of events that led up to the breach. These tools also recommend actions to not only remediate the issues, but prevent them from occurring again. As adversaries continue to create more sophisticated methods for compromising networks and agencies continue to push the boundaries of security with innovative technologies around mobility, the cloud and the Internet of Things (IoT), a solid incident response strategy will become even more important. The best way for agencies to prepare for the inevitable is to have a solid, living, changeable incident response plan along with technologies capable of adapting to the changing threat landscape. 2

3 CHOOSE THE SERVICE APPROACH TO INCIDENT RESPONSE Outsourced services can help fill the gaps in an agency s response plan. To stay ahead of the cybersecurity curve, agencies must have a comprehensive, tested incident response plan in place. And the right tools and capabilities must be in place to support that plan. That s the only way to detect and prevent advanced external threats, insider threats and state-sponsored attacks. While some agencies have the breadth of knowledge and enough skilled staff to manage incident response on their own, many do not. That s not surprising. According to research from Hewlett Packard Enterprise, up to 60 percent of organizations don t have enough skilled security staff onsite to manage their cybersecurity needs. Yet having the right expertise is critical. The fact is that you will get breached, and the entire resiliency of your organization depends on how you handle the response and recovery, says Earl Matthews, Vice President for Enterprise Security Solutions for the U.S. Public Sector at HP Enterprise Services. To ensure that type of resiliency, many organizations opt to use a service that can fill in the gaps where they lack the expertise or capability. In the case of an incident response service, critical capabilities include: Preparation: Agencies need help identifying security controls that will have the most significant impact on their security vulnerabilities, along with tools required to make network design and investigation as easy as possible. Detection and Analysis: Agencies also need tools and mechanisms to detect threats, prioritize and categorize leads, fully scope targeted attacks and proactively hunt for signs of compromise. Ideally, this will include 24x7 monitoring. It s all about following the evidence, says Matthews. It s important to understand how the attacker penetrated the environment and the true extent of what the attacker accessed or stole, he says. The thoroughness of the investigation directly affects the success of the remediation. Remediation: Any incident response plan must include steps to investigate, analyze and determine the most appropriate response, and then communicate and execute that plan. Thorough remediation involves three steps: containing the attack, eradicating the attacker from the environment and preventing the attacker from re-entering. It also essential to implement long-term strategic changes to the environment based on what was learned through examining the attack. The Global Incident Response Service from HP Enterprise and Mandiant can provide all of these services. HPE has long-term experience in providing managed security services to governments and major corporations, while Mandiant s expertise lies in managing advanced persistent threats and incident response using FireEye technology. The deep expertise of the two organizations can help the service team tie cyberincidents with data on previous campaigns they track on a continuous basis. This provides an extremely deep level of analysis and information that might otherwise have been missed. By combining forces, Global Incident Response can provide agencies with proactive investigation, assessment and resolution of the full range of cybersecurity events. It includes 24x7 operational management and administration. That includes not only security devices, but alert monitoring, threat investigation analysis, and remediation, mitigation and recommendations. The services also include a comprehensive threat compromise report for each incident. This will help agency security personnel react immediately by quarantining infected hosts, preventing future occurrences, significantly reducing and eliminating consequences of the breach. 3

4 ADOPT A MULTI-PRONGED APPROACH TO PREVENT CYBERATTACKS As the threat landscape continues to evolve, preventing attacks requires an increasingly multifaceted approach. Whether the work of sophisticated hackers or agency employees clicking on seemingly innocent links, the number of cybersecurity incidents continues to rise throughout the federal government. According to a study by the Government Accountability Office (GAO), the number of information security incidents reported by federal agencies rose from just 5,503 in FY 2006 to 67,168 in FY 2014 a 1,121 percent increase. The result of this rising threat level is far-reaching. It ranges from exposure of sensitive information and corruption of critical systems to devastation of national security not to mention significant expense. There are many reasons why cybersecurity incidents continue to rise despite agencies efforts to detect and resolve incidents. One major factor is the increasing creativity of hackers. As soon as one type of threat is detected and remediated, a newer, more sophisticated type of attack takes its place. And despite deploying more powerful and sophisticated technology to fight these cyberattacks, most agencies still have some manual processes. Also, not all information security technology and processes in place are fully integrated. Detect and Respond Improving cybersecurity requires attacking the problem on two fronts detection and response. While there has been improvement in both areas throughout the government, such as greater use of two-factor authentication and continuous monitoring, there is plenty of room for additional improvement. According to the GAO report, most federal agencies do not fully document their incident response activities. While most agencies document them to some extent, such as identifying the scope of the incident, they often didn t document the impact of the incident or actions taken to prevent the incident from recurring. A comprehensive incident response strategy requires having the most effective possible security toolset. That means employing not only tools like log analysis, SIEM, intrusion detection, network analyzers, vulnerability scanners and Web proxies, but also incorporating functions like analytics and visualization, intelligent packet capture and retrieval. By using an integrated set of tools and functions, agencies will be able to better understand how long the organization has been under attack, how the attacker entered the network, and the extent of the damage. While those types of tools are critical to effective incident response, they won t do the job without an integrated, big picture approach that applies to personnel as well as technology. On the technology side, automating as much of the process as possible and ensuring all tools are fully integrated and visible to each other is crucial. Whether cybersecurity personnel are internal or part of an outsourced service, they must be highly experienced and trained. By taking all these steps, a federally funded research and development center was able to thwart increasingly sophisticated cyberattacks. It s using technology that detects and stops advanced attacks on endpoints by dynamically analyzing traffic, blocking communication and quarantining malicious files. It can also contain systems and remediate them remotely. As a result, the organization has been able to better protect its systems and data. 4

5 RAPID RESPONSE Despite making progress, states and municipalities need better incident response capabilities. It should come as no surprise that cybersecurity is the top priority of state CIOs around the country, and has been for the past several years. The National Association of State Chief Information Officers (NASCIO) recently reported this finding, which underscores the continued concern state and local governments have about the increase in cyberattacks. That includes everything from malicious code and zeroday attacks to spear phishing, hactivism and distributed Denial of Service attacks. These threats can and do affect the privacy and security of confidential data, as well as business continuity of government agencies. And the threats continue to spiral out of control. According to an October, 2015 report from Ponemon Institute, state and local government agencies experience data breaches approximately every twelve weeks. The threats are growing more sophisticated as well. Hackers no longer rely solely on tried-and-true methods like packet sniffing and password code cracking. They ve added more complex threat signatures, such as cross-site scripting, distributed attacks, staging and advanced scanning. The Ponemon Institute report found that on average, federal agencies are better prepared to handle cyberthreats than state and local governments. More federal agencies have incorporated modern technology and processes like behavioral analytics, next-generation firewalls, big data solutions and intelligence sharing. Some states, however, have made significant progress. They re an important model for other state and local governments. California is one of the most mature with a cybersecurity task force, the California Cybersecurity Integration Center, and the Cyber Incident Response Team. California also has a well-developed, comprehensive incident response plan. Maryland has also been fairly successful, establishing a plan to develop rapid response strategies to protect the state from cybercrime. Other states with impressive plans include Idaho, Michigan, Rhode Island, Virginia and Texas. Still More to Do Despite pockets of progress, state and local governments still have a long way to go. In the area of incidence response, for example, only 38 percent of state and local government organizations are confident they could contain a cyberattack. That s in contrast to 52 percent of federal agencies, according to the Ponemon Institute study. Effective incident response requires greater visibility and faster response than most state and local governments can currently manage. It also requires integrated state-of-the-art tools and capabilities. Yet according to a 2014 Center for Digital Government survey, only 63 percent currently employ intrusion detection systems, 68 percent have automated malware protection systems, and only 49 percent have nextgeneration firewalls. Integration is also critical to achieving visibility and faster response. It requires incorporating functions like analytics and visualization, along with intelligent packet capture and retrieval. Using an integrated set of tools and functions, agencies can better understand how long the organization has been under attack, how the attacker entered the network, and the extent of the damage. Using this strategy, Maricopa County in Arizona helped secure the data for its nearly 60 departments, while maintaining compliance with a host of federal and industry regulations. Using a combination of FireEye s Threat Prevention (EX Series) platform, Network Threat Prevention, Host Prevention and Central Management platforms, the county was able to more effectively identify, manage and respond to threats in real-time in a fully automated fashion. This integrated technology suite helps the county s cybersecurity team observe behaviors and categorize trends and malware components. When the system spots an anomaly, it allows for quick analysis and remediation. 5

6 FIGHTING CYBERCRIME REQUIRES MORE THAN JUST TOOLS It s not just about the technology, but also assembling the right team. Government agencies are moving in the right direction by automating manual processes and employing more modern tools like next-generation firewalls, intrusion detection systems and behavioral analytics but that s not enough. While these steps are critical, they re just part of the solution. Without sufficiently experienced and well-trained staff, agencies are likely to miss warning signs of impending attacks. When attacks are identified, they may fail to effectively respond. While having trained, experience security personnel might seem obvious, there s much more to it than that. In some cases, there simply aren t enough trained security professionals for agencies to hire. According to an August, 2015 report from the SANS Institute, 66 percent of organizations, which included many government to spot anomalies and use the tools provided to detect and remediate incidents. The first step is ensuring there is enough staff dedicated to incident response in the first place. That s not always the case. A report from FireEye found 55 percent of organizations don t have a formal incident response team. An effective incident response team should include team members with formal training in incident detection, malware analysis, threat intelligence, forensics and breach management. Security staff that is directly responsible for incident response should definitely be trained on how to quickly identify and respond to likely attacks. The training should be more than a one hour lesson or online tutorial. It should include hands-on exercises and periodic refreshers. Even with appropriate training, the Security staff that is directly responsible for incident response should definitely be trained on how to quickly identify and respond to likely attacks. agencies, said the reason they didn t have an effective incident response process was because of a skills shortage. In many cases, the solution is to provide the appropriate training to existing personnel not only training those tasked with monitoring cyberincidents, but also training other employees on security awareness. However, a survey from Enterprise Management Associates found 56 percent of employees generally receive no security awareness training. Failing to educate users on how to spot suspicious activity means more are likely to fall for spear phishing or social engineering attacks. Training is Critical Besides user awareness training, it s critical to ensure agencies have enough technology staff trained in how overall shortage of skilled cybersecurity professionals, combined with tight budgets, leads many agencies to either outsource the entire incident response process or proceed with a combination of in-house and outsourced professionals. Including skilled outside experts is good for more than meeting budgets and checking boxes. As that is the outsourcer s area of expertise, external personnel are more likely to be up to date on the latest security threats and remediation techniques. Experienced incident response service providers have deep expertise developed over time, maintain profiles of key attack groups, and use tools that help automate investigative tasks and enable experts to quickly evaluate network traffic and host-based artifacts. 6

7 This is Bill. He infiltrates networks every day and proactively detects lurking threats with Advanced Compromise Assessment from Hewlett Packard Enterprise and Mandiant. For better security, think like a bad guy. hpeenterpriseforward.com/fightback Copyright 2016 Hewlett Packard Enterprise Development LP.