US telecommunications firm IDT has reduced its incident response from 12 hours to 2.5 hours through integration, consolidation and automation.
The Newark-based company was dissatisfied with its inability to respond to breaches and isolate affected system in less than 30 minutes on average.
IDT also wanted to reduce the average 12 hours it took to gather forensic data and carry out remediation processes.
“A 30-minute window of exposure and a 12-hour manual response was far from ideal,” said Golan Ben-Oni, chief security officer at IDT.
“Especially given the volume of security events and the need to focus attention on identifying and defending against sophisticated, targeted attacks,” he said.
Ben-Oni notes that the traditional incident response infrastructure is a “fragmented patchwork” of endpoint and Siem (security information and event management) tools, which do not inter-operate well.
“We were looking for integration and, ideally, automation to reduce our response times and make more effective use of security personnel,” he said.
After considering technology offering from various suppliers, IDT chose the InSight Platform from AccessData.
“AccessData was willing to work with us to automate incident response, expand endpoint and malware analysis capabilities, and to move beyond containment to comprehensive remediation,” said Ben-Oni.
The InSight Platform was able to integrate with IDT’s existing Siem from Splunk. It is also designed for easy integration with other main Siem suppliers such as HP ArcSight and IBM Q1.
More on security automation
- Twitter uses open source to automate security
- DevOps and security: Coexistence depends on automated security tools
- NetCitadel automates security threat assessment and response
- Expert: Security automation can thwart attacks on cloud computing
- Automation key to balancing agility and security, says AlgoSec
Alerts from the Siem trigger the InSight Platform to isolate an affected system automatically within 30 seconds to ensure it can communicate only with the InSight Platform.
Manual isolation was taking IDT 30 minutes on average. This represents a reduction of just over 98%.
From the moment of isolation until remediation, all user web browsing activity is redirected to a security awareness training web page hosted on the InSight platform.
InSight also automatically retrieves forensics and incident response data and then analyses any malware that is found to identify what type of threat it is, what it is designed to do, and the severity of the threat.
This saves security analysts from having to take a snapshot of what is running in computer memory and what programs are running before they could carry out an analysis.
The automated analysis quickly identifies the command and control address that it connects to that helps identify other infected endpoints.
“The automated malware triage takes minutes and is highly cost effective, eliminating the need to engage malware analysis teams for common variants of malware,” said Ben-Oni.
The cost of relying on manual processes is much higher, he said. Typically, forensic analysis can take several days and costs around $25,000.
Manual malware analysis can take anywhere between four to eight hours or 24 to 48 hours when it involves external services.
Before automation, each incident was costing IDT around half a day in lost IT productivity to recover systems and a full day in lost employee productivity.
First, the InSight Platform’s automated malware triage and analysis identifies the most potentially threatening binaries first through static analysis.
Next, the automated secondary analysis entails simulated code execution to provide instant dynamic analysis results.
Finally, the InSight Platform gives IDT the ability to scan the enterprise to identify all compromised nodes and perform comprehensive batch remediation.
“This is done automatically and quickly, eliminating time-consuming, manual processes that only exacerbate an organisation’s vulnerability during a security breach,” said Ben-Oni.
Working with IDT to automate all the processes in its incident response workflows has led AccessData to put more focus on the automation features within the InSight Platform.
More on AccessData
- Royal Military Police cuts digital forensics costs with distributed processing
- Ponemon offers grim picture of information security incident response
- IT giants turn crime-fighters with digital forensics partnership
- Rooting out a rootkit: Stage two -- Immediate actions
- Data reduction software accelerates computer forensic investigations
“We were more focused on consolidation, but since then we have refined the generic automation features more accessible and user friendly,” said Lucas Zaichkowsky, enterprise defence architect at AccessData.
These capabilities, such as isolating systems on the network, are now pre-set options that are of particular interest to organisations looking to expand their security operations capabilities, he said.
This includes small and medium sized businesses that have a lot of security operation because they have significant intellectual property or they form part of critical national infrastructure.
These companies also benefit from the fact that the InSight Platform consolidates a lot of the capabilities that they would otherwise have to get from multiple point products.
This would include tools for malware analysis, system isolations, retrieving disk images and memory analysis.
“Instead of having to acquire a series of tools and point products and then integrate them, it is a lot easier if they have one platform that has all of the necessary capabilities built in,” said Zaichkowsky.
The only point of integration that the security teams have to worry about is between the Siem and the InSight Platform.
But Zaichkowsky points out that automating can be achieved without a Siem. The value comes through being able to connect different points in a security infrastructure and automate workflows between them.
“With a next-generation firewall that sees malware as it comes across the network, for example, we can automatically confirm with the endpoints whether or not the malware executed,” he said.
“We can also report on the extent of the damage and who else was affected, which would otherwise be a manual process,” he added.
The value of automation is that is enables companies to do manual processes more efficiently, which means security teams can do more without increasing the number of people on the team.
This is important for many companies that are struggling to find people with the security skills they need because automation enables them to use the people they have more efficiently.
Consolidation is also a benefit in the light of the global security skills shortage because it enables a more comprehensive view that can be understood and acted upon by less experience security analysts.
It is easier for companies to find entry-level security analysts who can work in an environment that has a single cohesive interface and that does not require expertise in several different point products.