• United States



Detect and respond: How organizations are fighting off targeted attacks faster

Nov 20, 20134 mins
Data BreachFraudHacking

With targeted attacks constantly finding new ways to break in, enterprises are seeking new ways to rapidly detect and respond to the rising threat

It doesn’t matter how high, deep, or long the IT walls are that security pros build around their networks, it seems attackers find ways to fly over, dig under, or drill through. The most recent Verizon Data Breach Investigations Report found that more than 50 percent of all breaches were caused by some form of hacking — and it took months to years for more than two thirds of successful breaches to be detected.

[Incident response matters]

As a result of such statistics – coupled with their own experience of repeatedly cleaning infected systems despite best efforts – more enterprises have come to the realization that breaches are going to happen.

What matters, today, is how quickly they can detect and respond.

It’s a fight Kevin Moore, director of IT at the national law and life sciences law firm Fenwick and West LLP, knows quite well. “Like every other organization, we have many security devices in use to protect our systems. From the network firewall, to application firewalls, monitoring systems, web gateways, to anti-malware applications,” Moore says. “But as the advanced threats grow, it’s getting more challenging to stop every attack,” he says.

Over the past few years, in fact, the FBI has warned multiple times that hackers have been increasingly targeting law firms as a way to obtain sensitive information on clients that work within industries of interest.

With all of this in mind, Moore has been working on ways to automate and speed the time to discover and then cleanse infected systems. One of the tools he turned to was FireEye, Inc. for automated malware forensics. However, because Fenwick has a small IT security team, many of the responses to potential breaches were manual and time consuming.

“When we get malware alerts, from FireEye or our web gateway for example, we’d try to isolate the machine in question, find out who the user is and where they happen to be located. We’d then dispatch a service desk agent to quarantine the machine,” Moore explains.

[Understanding incident response: 5 tips to make IR work for you]

That’s certainly much more capable and proactive than most organizations today. Yet, considering the speed at which data is being exfiltrated today, Moore knew he would need to be able to move more swiftly. “We’d get data, such as that provided by FireEye, that would show the command and control server the malware was trying to communicate with, and we’d work to respond as fast as we could. But service desk agents and others have many other obligations beyond security, so we needed ways to automate even more,” he says.

To shrink that time even more, Moore explored the capabilities of threat management and security analytics vendor NetCitadel. At that time, the company was just starting to develop their Threat Response Platform, Moore explains.

The promise was that NetCitadel would be able to integrate data from Moore’s network and application firewalls, anti-malware, forensics, and other applications, and then alert and block attacks based on real-time data. “I would be able to, based on workflow and criteria that I define, identify an attack underway and stop certain activity, such as egress traffic to the IP address of the command and control server,” Moore says.

In this example, I’ve effectively stopped the threat from communicating out to its command and control server. This buys us time. We still need to be fast to respond, but we now have additional time, because we’ve cut it off,” he says.

Yesterday, NetCitadel delivered its threat management platform, ThreatOptics, which, the company claims, incorporates data from anti-malware applications, forensics tools, application and network firewalls, and security event and information management systems. The platform can also use firewalls and web gateways to respond in real time to events.

“Good security today isn’t reached with detection, it’s also about swift response. The ability to capture and integrate data like this is critical to keeping systems and data secure,” Moore says.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.