Detect and respond: How organizations are fighting off targeted attacks faster

No matter how high, deep, or thick the walls that security pros build around their networks, attackers seem to find ways to fly over, dig under, or drill through. The most recent Verizon Data Breach Investigations Report found that more than 50 percent of all breaches were caused by some form of hacking -- and that it took months to years for more than two thirds of successful breaches to be detected.


As a result of such statistics -- coupled with their own experience of repeatedly cleaning infected systems despite best efforts -- more enterprises have come to the realization that breaches are going to happen.

What matters, today, is how quickly they can detect and respond.

It's a fight Kevin Moore, director of IT at the national law and life sciences law firm Fenwick and West LLP, knows quite well. "Like every other organization, we have many security devices in use to protect our systems. From the network firewall, to application firewalls, monitoring systems, web gateways, to anti-malware applications," Moore says. "But as the advanced threats grow, it's getting more challenging to stop every attack."

Over the past few years, in fact, the FBI has warned multiple times that hackers have been increasingly targeting law firms as a way to obtain sensitive information on clients that work within industries of interest.

With all of this in mind, Moore has been working on ways to automate and speed the time to discover and then cleanse infected systems. One of the tools he turned to was FireEye, Inc. for automated malware forensics. However, because Fenwick has a small IT security team, many of the responses to potential breaches were manual and time consuming.

"When we get malware alerts, from FireEye or our web gateway for example, we'd try to isolate the machine in question, find out who the user is and where they happen to be located. We'd then dispatch a service desk agent to quarantine the machine," Moore explains.


That is already more capable and proactive than what most organizations manage today. Yet, considering the speed at which data is exfiltrated now, Moore knew he would need to move more swiftly still. "We'd get data, such as that provided by FireEye, that would show the command and control server the malware was trying to communicate with, and we'd work to respond as fast as we could. But service desk agents and others have many other obligations beyond security, so we needed ways to automate even more," he says.

To shrink that time even more, Moore explored the capabilities of threat management and security analytics vendor NetCitadel. At that time, the company was just starting to develop its Threat Response Platform, Moore explains.

The promise was that NetCitadel would be able to integrate data from Moore's network and application firewalls, anti-malware, forensics, and other applications, and then alert and block attacks based on real-time data. "I would be able to, based on workflow and criteria that I define, identify an attack underway and stop certain activity, such as egress traffic to the IP address of the command and control server," Moore says.

"In this example, I've effectively stopped the threat from communicating out to its command and control server. This buys us time. We still need to be fast to respond, but we now have additional time, because we've cut it off," he says.
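The workflow Moore describes in the two passages above (a malware alert arrives, the infected host and its user are identified and quarantined, and egress to the command and control address is blocked at the firewall under operator-defined criteria) can be sketched as a small response pipeline. The following is an added illustration written for this article; it is not NetCitadel, FireEye or Fenwick code, and the JSON alert fields, the severity threshold, the internal-network list and the action names are all assumptions made for the example. The alert lines are constructed sample input.

```python
"""Automated detect-and-respond workflow: alerts in, containment actions out.

Added example, not vendor code. Models the steps from the article: parse a
malware alert that carries a command-and-control (C2) indicator, apply the
operator's criteria, then emit a quarantine task for the host and an egress
block for the C2 address, with safeguards so automation cannot block internal
or allowlisted addresses. Alert format and field names are assumptions.
"""
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample alerts (JSON lines). Real sandbox / web-gateway alerts
# use different schemas; this shape is invented for the example.
SAMPLE_ALERTS = """\
{"id": "a1", "source": "sandbox", "severity": 9, "host": "WS-1042", "user": "jdoe", "site": "SF", "c2_ip": "203.0.113.45"}
{"id": "a2", "source": "web-gateway", "severity": 3, "host": "WS-0007", "user": "amy", "site": "NY", "c2_ip": "198.51.100.7"}
{"id": "a3", "source": "sandbox", "severity": 8, "host": "WS-3310", "user": "pat", "site": "SF", "c2_ip": "10.0.0.5"}
{"id": "a4", "source": "sandbox", "severity": 9, "host": "WS-2201", "user": "lee", "site": "NY", "c2_ip": "203.0.113.45"}
not json at all
"""

# Ranges an automatic egress block must never target: blocking these cuts off
# the organization's own traffic, not the attacker. Operator-defined criteria.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Policy:
    min_severity: int = 7                           # below this: log only, no action
    never_block: set = field(default_factory=set)   # e.g. partner or SaaS addresses


@dataclass(frozen=True)
class Action:
    kind: str      # "quarantine_host" or "block_egress"
    target: str    # hostname or IP address
    reason: str    # audit trail: which alert and why


def parse_alert(line):
    """Return the alert as a dict, or None if the line is not a usable alert."""
    try:
        alert = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(alert, dict) or not {"id", "severity", "host", "c2_ip"} <= alert.keys():
        return None
    try:
        ipaddress.ip_address(alert["c2_ip"])   # reject garbage before it reaches a firewall
    except ValueError:
        return None
    return alert


def is_blockable(ip_text, policy):
    """Only public unicast addresses outside the allowlist get an egress block."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_multicast or ip.is_loopback or ip.is_unspecified:
        return False
    if any(ip in net for net in INTERNAL_NETS):
        return False
    return ip_text not in policy.never_block


def decide(alert, policy):
    """Map one alert to zero or more response actions under the policy."""
    if alert["severity"] < policy.min_severity:
        return []
    # Host-side containment: the service-desk quarantine, now an automatic task
    # that already carries the user and location an agent would have looked up.
    actions = [Action("quarantine_host", alert["host"],
                      f"alert {alert['id']}: user {alert.get('user', '?')} at {alert.get('site', '?')}")]
    # Network-side containment: cut the C2 channel at the egress firewall.
    if is_blockable(alert["c2_ip"], policy):
        actions.append(Action("block_egress", alert["c2_ip"], f"alert {alert['id']}: C2 address"))
    return actions


def run(alert_lines, policy):
    """Process a batch of alert lines; returns the actions plus what was skipped."""
    seen_blocks = set()
    result = {"actions": [], "skipped": []}
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            result["skipped"].append(("unparseable", line))
            continue
        actions = decide(alert, policy)
        if not actions:
            result["skipped"].append(("below_threshold", alert["id"]))
        for action in actions:
            # One firewall rule per C2 address, however many hosts reported it.
            if action.kind == "block_egress":
                if action.target in seen_blocks:
                    continue
                seen_blocks.add(action.target)
            result["actions"].append(action)
    return result


if __name__ == "__main__":
    out = run(SAMPLE_ALERTS, Policy(min_severity=7, never_block={"203.0.113.200"}))
    for a in out["actions"]:
        print(f"{a.kind:16} {a.target:16} {a.reason}")
    for why, what in out["skipped"]:
        print(f"skipped ({why}): {what!r}")
```

On the sample input, alert a2 is logged only because it is below the severity threshold, a3 quarantines its host but produces no block because the reported address is internal, and a4 reuses the block already created for a1, so the firewall sees one rule per C2 address. The `never_block` allowlist and the internal-range check are the part worth getting right in a real deployment: an automated responder that can be tricked into blocking a mail gateway or a DNS resolver has simply handed the attacker a denial-of-service button.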

Yesterday, NetCitadel delivered its threat management platform, ThreatOptics, which, the company claims, incorporates data from anti-malware applications, forensics tools, application and network firewalls, and security information and event management (SIEM) systems. The platform can also use firewalls and web gateways to respond in real time to events.

"Good security today isn't reached with detection; it's also about swift response. The ability to capture and integrate data like this is critical to keeping systems and data secure," Moore says.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.
