There are several layers to security threat management that should be considered before a company can feel confident that it is prepared for an attack. Key areas for threat management include:
1. Threat detection. The initial step is to know that there was an attack or a compromised system. This is the “detection phase” of threat management, which is core to any IT security plan. Many tools claim to “detect and prevent,” but many actually only detect, because customers choose to run them in SPAN or TAP mode (usually for performance reasons), where the sensor sees traffic but cannot block it. Detection increases the number of infection signals, such as zero-day attacks, APTs, or other system compromises, but further investigation is often required to validate the threat before action can be taken.
2. Existing preventative steps. Even though you have detected a threat, have you actually contained it using existing tools or security devices? Detection does not mean protection. Hundreds of alerts may be received weekly, but is there a way to verify that existing protection layers have been effective or are going to be effective? The only way to know is to dive deeper into the context of the threat.
3. Context awareness of the incident. There are two core context considerations – internal and external. Internal context includes understanding the affected systems’ potential impact and priority as they relate to individuals or departments within the organization; external context includes understanding the infection vectors and where they originated outside the organization. If an attack has reached internal systems, can you confirm whether it was the CFO’s PC or a machine in the mail room? Manually pulling user data or indicators of compromise (IOC) data from each potentially infected system may be necessary to confirm that an infection has occurred. How quickly security teams can build this picture is a critical component of response time.
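The three layers above, as an added triage example that is not part of the original article: each detection from a non-blocking sensor is checked against existing prevention logs (layer 2), then enriched with asset owner and priority (internal context) and host-side IOC findings (layer 3) before being ranked. All hosts, addresses, signatures and weights are constructed for illustration.

```python
from dataclasses import dataclass, asdict

# Constructed sample data (hypothetical hosts, IPs and signatures).
# 1. Detection-phase signals from a sensor in SPAN/TAP mode: it sees traffic but
#    does not block, so an alert by itself does not prove anything was stopped.
DETECTIONS = [
    {"host": "ws-0417", "src": "203.0.113.7", "sig": "apt-beacon"},
    {"host": "ws-0911", "src": "198.51.100.9", "sig": "exploit-kit-landing"},
    {"host": "srv-mail-01", "src": "203.0.113.7", "sig": "apt-beacon"},
]
# 2. Block events recorded by existing inline controls, keyed by (host, src).
PREVENTION_LOG = {("ws-0911", "198.51.100.9")}
# 3a. Internal context: asset inventory with owner and business priority (1-5).
ASSETS = {
    "ws-0417": {"owner": "cfo", "dept": "finance", "priority": 5},
    "ws-0911": {"owner": "shared", "dept": "mailroom", "priority": 1},
    "srv-mail-01": {"owner": "it", "dept": "it", "priority": 4},
}
# 3b. Host-side IOC findings pulled from each endpoint (empty list = none found).
HOST_IOCS = {"ws-0417": ["persistence-run-key"], "ws-0911": [], "srv-mail-01": []}

UNKNOWN_ASSET = {"owner": "unknown", "dept": "unknown", "priority": 3}


@dataclass
class Triage:
    host: str
    sig: str
    src: str
    owner: str
    dept: str
    priority: int
    status: str
    score: int


def triage(detections, prevention_log, assets, host_iocs):
    """Walk each detection through the three layers; return results ranked by score."""
    out = []
    for d in detections:
        asset = assets.get(d["host"], UNKNOWN_ASSET)
        if (d["host"], d["src"]) in prevention_log:
            status, weight = "blocked-by-existing-control", 0  # layer 2: contained
        elif host_iocs.get(d["host"]):
            status, weight = "confirmed-compromise", 3  # layer 3: IOC confirms infection
        else:
            status, weight = "needs-validation", 1  # detected only, still unverified
        out.append(Triage(d["host"], d["sig"], d["src"], asset["owner"], asset["dept"],
                          asset["priority"], status, asset["priority"] * weight))
    return sorted(out, key=lambda t: t.score, reverse=True)


if __name__ == "__main__":
    for t in triage(DETECTIONS, PREVENTION_LOG, ASSETS, HOST_IOCS):
        print(asdict(t))
```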