You’ve been breached. Now what?
According to one study, more than 80% of US companies have been hacked. So if it hasn’t happened at your organization yet, it likely will.
Perhaps you experience a serious operational incident. An intruder inflicts damage on your network, you suffer downtime and your revenue is threatened. Or maybe it’s much less obvious. Someone in IT notices a log file that shows a security incident occurred.
Regardless, the questions are now who is responding, and how? Ideally, there would be a formal approach. Something programmatic, not ad-hoc. You’d build a team and know who is in charge of which tasks.
It’s the classic hero approach. Get a bunch of clever security experts together, empower them and turn them loose. Unfortunately, even that is often not enough.
So, what else is there? Well, a lot of IT groups rely on security information and event management (SIEM) systems. They’re great for getting real-time analysis of security alerts. And they save you from spending hours and hours scouring through log files by hand. This is better than nothing, but still not fully mature.
Emerging Trends in Incident Response
What’s the state-of-the-art approach? An automated response to incidents as they happen. The challenge is targeting the responses correctly and avoiding unnecessary disruptions, which is difficult to do by hand.
A privilege-based automated response avoids the excessive amount of time it takes to do this manually. The idea is that when an incident occurs, it triggers an automated credential rotation in real time to shut the bad guys down. An example is how Lieberman Software and FireEye work together.
Hackers are usually after your data. To get to it they need privileged access. Maybe they got into one of your servers and went into a config file to extract a password. But when you rotate your credentials you block them.
Does that kick them out of your network? No, because you might not know what their entry point was. It could have been a phishing email. Or perhaps a social engineering exploit. But you do know that the valuable thing they had – your privileged credentials – they no longer have. And that keeps them from getting to your prized data.
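As an added illustration of the incident-triggered rotation described above (example code written for this page, not Lieberman Software's or FireEye's own integration), the following Python stands in for a privileged credential vault and rotates only the accounts that exist on hosts named in an actionable alert. The alert shape, host names and account names are constructed assumptions, not any vendor's real schema.

```python
import json
import secrets
import string
from datetime import datetime, timezone

# Constructed inventory of privileged accounts per host (hypothetical names).
INVENTORY = {
    "web-01": ["svc_web", "local_admin"],
    "db-01": ["svc_db", "local_admin", "backup_agent"],
    "hr-laptop-7": ["local_admin"],
}

# Constructed alert; loosely alert-shaped, not a real detection-appliance schema.
SAMPLE_ALERT = json.dumps({"severity": "high",
                           "hosts": ["db-01", "unknown-host"],
                           "indicator": "credential-dumping"})

ACTIONABLE = {"high", "critical"}  # severities that justify automatic rotation


class CredentialStore:
    """In-memory stand-in for a privileged credential vault (not a real product API)."""
    def __init__(self, inventory):
        self.secrets = {(h, a): "initial-secret" for h, accts in inventory.items() for a in accts}
        self.audit = []  # who was rotated, why, and when: needed for post-incident review

    def rotate(self, host, account, reason):
        alphabet = string.ascii_letters + string.digits
        self.secrets[(host, account)] = "".join(secrets.choice(alphabet) for _ in range(32))
        self.audit.append({"host": host, "account": account, "reason": reason,
                           "at": datetime.now(timezone.utc).isoformat()})


def respond_to_alert(alert_json, store, inventory):
    """Rotate the privileged accounts on hosts named in an actionable alert.

    Returns (rotated, skipped): rotated is the set of (host, account) pairs changed;
    skipped lists alert hosts absent from inventory so an analyst can follow up.
    Hosts not named in the alert are left alone to avoid needless disruption.
    """
    alert = json.loads(alert_json)
    if alert.get("severity") not in ACTIONABLE:
        return set(), []
    rotated, skipped = set(), []
    for host in alert.get("hosts", []):
        if host not in inventory:
            skipped.append(host)
            continue
        for account in inventory[host]:
            store.rotate(host, account, alert.get("indicator", "unspecified"))
            rotated.add((host, account))
    return rotated, skipped
```

Calling `respond_to_alert(SAMPLE_ALERT, CredentialStore(INVENTORY), INVENTORY)` rotates the three accounts on db-01, leaves web-01 and the laptop untouched, and reports unknown-host for manual follow-up.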