True Detectives: VARs On The Case As The Need For Incident Response Strategies Gets More Evident Every Day

Retail giant Target had many of the latest technologies in place to protect its critical systems and had a service provider remotely monitoring its network security appliances, which generated an alert on the malware responsible for its massive data breach.

Incident response is where it all broke down when attackers struck the company in November. The alert should have triggered an investigation by one of the hundreds of IT personnel staffing its Minneapolis-based security operations center.

Like many other large and midsize businesses, Target likely was hampered by outdated incident response processes or a plan that wasn't regularly tested and adjusted to changes to the environment, said Chris Camejo, director of consulting and professional services at NTT Com Security. Poorly configured systems that generate too many false alarms compound the problem by adding to the risk that a real threat won't be investigated and contained until it is too late, Camejo said. "Target did almost everything right, but they appeared to have messed up on the people side of the equation," Camejo said. "In this case there was an in-house incident response capability, but they didn't respond to the alerts."

[Related: How To Build An Incident Response Plan]

The pendulum in the security industry has shifted from threat prevention to threat detection, but incident response is often isolated and rarely part of the products on the market, solution providers tell CRN.

Terry Kurzynski, a senior partner at Chicago-based solution provider Halock Security Labs, said he is increasingly returning to previous clients months after deploying their network security appliances to either address a security incident or assist with poorly maintained systems. Organizations were eager to purchase technology designed to detect so-called advanced threats, but they constantly stumble over alerts or servicing the systems they have, said Kurzynski, whose company focuses on digital forensics and security incident response. "Clients are implementing but they're not able to interpret the alerts correctly or six months later they've taken their eye off the ball and can't remember the last time they checked the console," Kurzynski said.

TUNING OUT FALSE POSITIVES

Much of the attention on incident response is being driven by the rise of network security appliances that are uncovering previously unseen malware infections on workstations and servers. FireEye gained early success with its appliance line for shining a light on the number of threats easily evading antivirus and bypassing firewalls, said John Kindervag, vice president and principal analyst at Forrester Research.

FireEye’s competition has increased with security vendors rushing out similar features and services. But many of the technologies require a careful adjustment to the noise-to-signal ratio, Kindervag said. Incident responders need to a way to tune out false positives or threats that pose a low risk so they can respond to the most critical problems, he said. "It's been a constant struggle to identify and address serious threats before they result in a breach," Kindervag said. "The process still hasn't been adequately addressed by [security vendors] or the businesses deploying the technology."

Managed service providers are in a position to provide incident response capabilities, but they have to earn the trust of their clients by getting to know their most critical systems and the intellectual property that matters most, said NTT Com Security's Camejo. The channel is used to monitoring systems and generating reports, rather than providing blocking and tackling services, Camejo said. "In order to stop an attack in a meaningful way you have to understand the client and the crown jewels that they are trying to protect," Camejo said. "There are many providers that are entrenched in doing things the way they always have, only monitoring firewalls and IPSes for new signatures that come out."

NEXT: Automating Incident Response

AUTOMATING INCIDENT RESPONSE

For solution providers, platforms that combine network and endpoint monitoring with external threat intelligence for threat detection are gaining the attention of enterprise business executives.Automated incident response is a growing capability being bolted onto them.

Intel Security (formerly McAfee) is aiming at automating incident response. Executives say users of its networking devices and endpoint security software can isolate infected systems, retrieve malware samples and clean systems

Other companies specializing in automation include Hexis Cyber Solutions, whose line of HawkEye defense and analytics can detect attacks and remove malware infections. More specialized platforms are on the horizon.

Security vendor startup Tanium secured $90 million in its second round of financing round in June. The Berkeley, Calif.-based security vendor combines reliability and security, providing patch management with the capabilities of removing applications that cause problems. It can detect and halt processes, including those behind malicious executables.

Tel Aviv-based startup Hexadite emerged from stealth mode in July with its automated incident response platform aimed at rapidly investigating alerts and remediating threats.

And Waltham, Mass.-based Countertack Sentinel pulls file and process behaviors into a big data Hadoop analytics cluster for early threat detection for incident responders.

Spending on new technologies alone will not create a more secure environment, cautioned Paul Vixie, an Internet pioneer, domain name system expert and security industry luminary. Incident responders need more actionable data to make risk-based decisions on threats, said Vixie, who recently founded Farsight Security, which specializes in a subscription service for specific threat intelligence data. The Target data breach and the line of high-profile data breaches that have followed should get enterprises to consider the true cause of most security lapses, Vixe said.

The retail industry is late to the information-sharing process, driven instead by compliance goals laid out in the Payment Card Industry Data Security Standards, a set of guidelines set up by the credit card brands to self-regulate the protection of credit and debit card data. The Target beach prompted the Retail Industry Leaders Association to form the Retail Information Sharing and Analysis Center to share threat intelligence data. Hopefully, threat sharing among competitors can help enterprises build stronger networks, addressing configuration weaknesses and poor internal processes that give attackers easy access in the first place, he said.

"After you've been broken into and you've lost your CIO or CSO and been in the papers, that's when someone can come and get you to build it better," Vixie said. "We cannot sprinkle magic security pixie dust over what you have built. It cannot be secured at any price. We have to get you to change the way you do security because the way you've been doing it was asking for trouble."