Best practices for threat management
by Mike Horn - CEO at NetCitadel - Monday, 14 October 2013.
1. Threat detection. The first step is knowing that an attack or a compromised system exists at all. This is the detection phase of threat management, and it is core to any IT security plan. Many tools claim to "detect and prevent", but in practice many only detect, because customers deploy them in SPAN or TAP mode (usually for performance reasons), where the device sees a copy of the traffic and cannot block it. Detection tools raise the number of infection signals available to the team, such as zero-day exploits, APT activity, or other system compromises, but a signal is not a confirmed incident: further investigation is usually required to validate the threat before action can be taken.

2. Existing preventative steps. Even once you have detected a threat, have your existing tools or security devices actually contained it? Detection does not mean protection. Hundreds of alerts may arrive each week, but is there a way to verify that the existing protection layers have been effective, or will be effective, against each one? The only way to know is to dig into the context of the threat.

3. Context awareness of the incident. There are two core context considerations, internal and external. Internal context is the potential impact and priority of the affected systems as they relate to individuals or departments within the organization; external context is the infection vector and where the attack originated outside the organization. If an attack has reached internal systems, can you confirm whether it hit the CFO's PC or a machine in the mail room? Manually pulling user data or indicators of compromise (IOC) from each potentially infected system may be necessary to confirm that an infection has actually occurred. How quickly the security team can build this picture is a critical component of response time.

4. Contain. Armed with rich threat context, security analysts can make sure that sensitive data sources, key personnel, or entire departments are treated with high priority and receive an elevated response. Protective actions can include limiting communications, blocking IPs and domains, isolating network segments, increasing logging, running additional scans, and more. One key aspect of containment is preventing data exfiltration and further communication with external command and control servers. This step often means updating block lists on dozens, if not hundreds, of devices, frequently from multiple vendors. Automating enforcement updates gives the best assurance; if updates are done manually, verify that every required update on every device has actually completed. It takes just one out-of-date device to allow further exfiltration of intellectual property or to let an infection spread.

5. Confirm. Next, evaluate that enforcement is really in place. Are all enforcement devices actually updated and providing protection? The IT security team should maintain an audit trail of all responses over time. In a large-scale environment, keeping enforcement up to date on current and newly added devices is prone to human error when both the audit trail and the updates are maintained by hand. Remember that enforcement follows priorities driven by the internal and external context: after high-priority internal systems and networks are secured, another round of analysis and enforcement may be needed for incidents deemed a lower priority.

6. Block list management. Know every object, rule, and list that is in place. Large network environments mean large enforcement lists and potentially complex policies. These must be organized, shared with the security team, and managed centrally to limit duplicated effort and ensure consistent security. When responding to frequent or complex security events, your network is only as strong as its weakest link, so double-check lists, rules, and object updates for consistency.

7. Test everything. Everything should be tested more than once to be sure that both automated and manual processes are properly in place. Remember that even if you don't test, there are more than enough attackers and penetration testers out there to test your systems for you. At a minimum, perform a conformance test, and plan larger regression tests every quarter.
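Steps 4 through 7 describe one procedure: normalize and deduplicate the indicators, push the block list to every enforcement device, record each push in an audit trail, then read back what each device actually enforces and diff it against the intended list so that an out-of-date device is caught rather than assumed to be updated. The following Python script is an added example of that procedure; it is not NetCitadel's code or the author's. The Device class is a constructed stand-in for a vendor API, and the device names, vendor labels and indicator values are constructed sample data, not real IOCs.

```python
"""Block list push, audit trail and conformance check (added example).

The enforcement devices below are in-memory stand-ins for real firewalls
and proxies; a real connector would call the vendor's API in push() and
read_back(). Indicator values are constructed sample data.
"""
import hashlib
import ipaddress
import json
from datetime import datetime, timezone


def normalize_indicator(raw):
    """Canonicalize one IOC so the same IP or domain is never listed twice in
    different spellings. Returns ('ip', value) or ('domain', value); raises
    ValueError on junk that must not silently reach a device."""
    s = raw.strip().lower().rstrip(".")
    if not s:
        raise ValueError("empty indicator")
    try:  # single hosts become /32 (or /128) so "1.2.3.4" and "1.2.3.4/32" collapse
        return ("ip", str(ipaddress.ip_network(s, strict=False)))
    except ValueError:
        pass
    labels = s.split(".")
    if len(labels) < 2 or not all(lab and lab.replace("-", "").isalnum() for lab in labels):
        raise ValueError(f"not an IP or hostname: {raw!r}")
    return ("domain", s)


def build_blocklist(raw_indicators):
    """Deduplicate after normalization. Returns the sorted canonical list and
    the raw entries that collapsed into an existing one (worth logging)."""
    seen, dups = {}, []
    for raw in raw_indicators:
        kind, value = normalize_indicator(raw)
        if value in seen:
            dups.append(raw)
        else:
            seen[value] = kind
    return sorted(seen), dups


def blocklist_digest(entries):
    """Short fingerprint of a list so the audit trail can say which version was pushed."""
    return hashlib.sha256("\n".join(sorted(entries)).encode()).hexdigest()[:16]


class Device:
    """Hypothetical enforcement point. reachable=False simulates a box the push cannot reach."""

    def __init__(self, name, vendor, reachable=True):
        self.name, self.vendor, self.reachable = name, vendor, reachable
        self.entries = set()

    def push(self, entries):
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        self.entries = set(entries)

    def read_back(self):
        return set(self.entries)


def push_blocklist(devices, entries, audit):
    """Push the canonical list to every device; every attempt, including
    failures, is appended to the audit trail."""
    digest = blocklist_digest(entries)
    for dev in devices:
        record = {"ts": datetime.now(timezone.utc).isoformat(), "device": dev.name,
                  "vendor": dev.vendor, "digest": digest, "count": len(entries)}
        try:
            dev.push(entries)
            record["status"] = "ok"
        except ConnectionError as exc:
            record["status"] = f"failed: {exc}"
        audit.append(record)
    return digest


def conformance_check(devices, entries):
    """Read back what each device enforces and diff it against the desired list.
    Returns {device: {"missing": [...], "extra": [...]}} for every non-conformant
    device; an empty dict means enforcement is in place everywhere."""
    want = set(entries)
    report = {}
    for dev in devices:
        have = dev.read_back()
        missing, extra = sorted(want - have), sorted(have - want)
        if missing or extra:
            report[dev.name] = {"missing": missing, "extra": extra}
    return report


def run_demo():
    # Constructed IOCs for a hypothetical incident; note the duplicate spellings.
    raw = ["203.0.113.7", "c2.example.net", "C2.EXAMPLE.NET.", "198.51.100.0/24", " 203.0.113.7 "]
    entries, dups = build_blocklist(raw)
    devices = [Device("fw-edge-1", "vendorA"),
               Device("proxy-dc-2", "vendorB"),
               Device("fw-branch-9", "vendorA", reachable=False)]
    devices[2].entries = {"192.0.2.44/32"}  # stale list left from an earlier incident
    audit = []
    push_blocklist(devices, entries, audit)
    return entries, dups, audit, conformance_check(devices, entries)


if __name__ == "__main__":
    entries, dups, audit, report = run_demo()
    print("canonical list:", entries)
    print("collapsed duplicates:", dups)
    print(json.dumps(audit, indent=1))
    print("non-conformant devices:", json.dumps(report, indent=1))
```

In the demo the unreachable branch firewall is recorded as a failed push and then shows up in the conformance report with all three new indicators missing and a stale entry still present, which is exactly the "one out-of-date device" the article warns about. The important design point is that conformance is judged on what the device reads back, not on whether the push command returned; against real equipment read_back must query the device, and the audit records should be written to storage the responders cannot edit.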
