On decreasing incident response time

It seems that security incidents are occurring more often, with mild to significant impact on consumers and on organizations such as Target and Sony.

Reading the Verizon Data Breach Report year after year confirms that incident response times for such incidents are increasing rather than decreasing, and in many cases the root cause is not identified until months after the security incident. This can cause a pessimistic view among many security teams; however, there are a lot of good things happening in the security space that I want to share with you.

Many organizations have readily invested in effective security technologies and personnel training to improve their security posture and minimize risk. A critical component of the incident response problem is the time spent weeding through all the false alarms generated by various security devices, including firewalls, intrusion prevention systems (IPS), and security reporting agents. The problem is further exacerbated by the growing speeds of networks and by network virtualization: many security tools simply can't process data fast enough in 10Gb Ethernet (10GbE), 40GbE, or 100GbE network environments, or lack visibility into them altogether.

The good news is that solutions are available to help maintain visibility in such high-speed networks. Such solutions can also correlate network transactions with security alarms to identify problems faster and decrease incident response times. The key is to integrate lossless network recording systems with existing security tools through feature-rich application programming interfaces (APIs), which make it possible to automate security-related tasks.

Security automation is key to decreasing incident response time. Imagine being able to automate the retrieval and correlation of network transactions to any security log event aggregated into a security information and event management (SIEM) system, to map packet data to any IPS alarm, or to pinpoint the application threads that trigger a specific application performance alarm. All of this is possible now with high-speed lossless recording systems and API integration with SIEMs, firewalls, IPS devices, and Application Performance Monitoring (APM) systems. Yes, I am assuming your organization has invested in these solutions…

As a side note, real-time NetFlow generation on dedicated appliances is proving to be a good solution where full packet recording is not an option because of privacy policy conflicts. These appliances provide much better network visibility than legacy NetFlow implementations that rely on sampling, especially in 40GbE and 100GbE network environments. NetFlow is coming back in a strong way to give security teams much-needed visibility; NetFlow isn't just for Network Operations anymore.
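One way to automate the alarm-to-network-transaction correlation described above, using NetFlow-style records like those in the side note: an added example in Python, not code from the original post or any vendor's product. The alarm and flow record shapes, the 30-second window and the recorder query format are all assumptions.

```python
# Added example (not from the original post): correlate a SIEM/IPS alarm with NetFlow-style
# records from a recorder. Record shapes and the recorder query format are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Alarm:  # normalized SIEM/IPS event (constructed shape)
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str

@dataclass(frozen=True)
class Flow:  # NetFlow-style record from the recorder (constructed shape)
    start: datetime
    end: datetime
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    octets: int

def recorder_query(alarm, window=timedelta(seconds=30)):
    """Time range plus BPF filter to hand to a (hypothetical) recorder API."""
    return {"start": alarm.ts - window, "end": alarm.ts + window,
            "bpf": f"host {alarm.src_ip} and host {alarm.dst_ip} and port {alarm.dst_port}"}

def correlate(alarm, flows, window=timedelta(seconds=30)):
    """Flows that overlap the alarm window between the alarm's endpoints (either direction)."""
    q = recorder_query(alarm, window)
    hits = [f for f in flows
            if f.end >= q["start"] and f.start <= q["end"]            # time overlap
            and {f.src_ip, f.dst_ip} == {alarm.src_ip, alarm.dst_ip}  # same host pair
            and alarm.dst_port in (f.src_port, f.dst_port)]           # service port
    return sorted(hits, key=lambda f: f.start)

# Constructed sample data: one alarm and four flows, of which two should match
T0 = datetime(2015, 3, 1, 12, 0, 0)
S = lambda n: T0 + timedelta(seconds=n)
ALARM = Alarm(T0, "10.1.1.5", "192.0.2.10", 443, "constructed IPS signature")
FLOWS = [
    Flow(S(-5), S(2), "10.1.1.5", "192.0.2.10", 51000, 443, 1200),      # client -> server, in window
    Flow(S(1), S(3), "192.0.2.10", "10.1.1.5", 443, 51000, 9000),       # server -> client, in window
    Flow(S(-300), S(-240), "10.1.1.5", "192.0.2.10", 51001, 443, 500),  # same pair, outside window
    Flow(S(0), S(1), "10.1.1.7", "192.0.2.10", 51002, 443, 700),        # different client host
]

if __name__ == "__main__":
    for f in correlate(ALARM, FLOWS):
        print(f"{f.start:%H:%M:%S}-{f.end:%H:%M:%S} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} {f.octets}B")
```

The same query dictionary is what an automation script would pass to the recorder to pull the matching packets once the SIEM raises the alarm.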

The bottom line is this: mainstream security products are becoming more open to integration with third-party solutions, and high-speed network recording systems are becoming more affordable. As a result, the security automation described above will become more prevalent among security operations teams as time goes on, and that is a very good thing in my humble opinion.

The security industry as a whole is improving. There is much more collaboration going on now than ever before, and I am seeing significant improvements among hardware and software vendors that make me very optimistic about our ability to decrease incident response times going forward. If you're interested in seeing some of the concepts discussed here in action, comment on this post, and we would be glad to set up a conference call and provide a live demonstration of our network visibility technology.