Three Steps to Stop a Threat Before It Becomes an Incident

April 19, 2016
| |
3 min read

A few weeks ago, my son brought home a science assignment called Jeremy the Germ, which described how germs propagate. Jeremy is a crafty germ who travels from a student’s sneeze to a pencil that is then shared with a classmate, who chews on it. (I know, gross.)

But this provides an easy entry for Jeremy into the girl’s immune system, where he waits and slowly turns into an infection. That leads to a cold, missed school and a not-so-good time for the young girl and her family.

When a Security Threat Becomes a Major Incident

Not unlike Jeremy the Germ, security threats today are sophisticated, persistent squatters in the security world. They use endpoints such as laptops, desktops, mobile devices and servers to gain access to data and the corporate environment. These hidden threats lie in wait — sometimes it can take almost six months before an organization discovers the threat.

Their goals can range from targeting specific data and gathering information to using legitimate tools and processes to move through the corporate network. Historically, organizations approached these security problems piecemeal, using network and other perimeter controls and then bolstering endpoints with signature-based or sandboxing protection.

But in this era of cloud, mobility and a rapidly proliferating cybercrime industry, building a larger wall, a deeper moat or a stronger defense-in-depth security is insufficient. Cloud, bring-your-own-device (BYOD) and the general consumerization of IT are outpacing the strategies organizations scramble to put in place.

No controls can guarantee complete security and protection. Instead, organizations need an approach that balances a certain level of acceptable risk with smarter detection and response to true threats. With so many technologies and processes out there, it can be overwhelming for organizations to determine the right path to protection. Here is one three-pronged approach that can stop a threat from turning into an incident.

Step One: Smarter Protection

To start, identify areas of risk in your organization and assign levels and criteria of acceptable risk. Foundational protection and prevention technologies that offer endpoint- and network-level controls are key to tuning a security dial toward that level of manageable risk.

Network controls may include firewalls, Web and email security. Endpoint protection and prevention controls include blacklisting/white-listing and various other capabilities in the technology stack such as host-based intrusion detection systems (HIDS), host-based intrusion prevention systems (HIPS) and data loss prevention (DLP).

Then there’s the godfather of endpoint protection: a robust, unified endpoint management platform to automate these security and operational functions. Regardless of the controls you choose, however, they need to be grounded in contextual threat intelligence.

Step Two: Continuous Monitoring, Detection and Operationalized Threat Hunting

Prevention is not foolproof. Even the most rigorous of hand-washing and hygiene can’t always keep germs like Jeremy at bay.

Use endpoint detection and response (EDR) technology built into an endpoint protection solution. EDR technology offers continuous recording and visibility into activity. That information can then be pumped into a security information and event management (SIEM) solution for endpoint and network telemetry.

When combined with continuous monitoring, analytics and threat intelligence, this end-to-end solution can contain potential threats faster, map the threat kill chain in minutes and operationalize a threat hunting platform. Rather than spending time digging into root cause analysis, playing whack-a-mole with endpoint, or cyclically re-imaging machines, EDRs narrow and determine the scope of the threat faster. They contain the endpoint without necessarily wiping it out altogether.

These technologies may require specialized skills and expertise that organizations don’t necessarily have in-house, but there’s no need to flip the switch on EDRs because of this. I recommend starting with a subset of endpoints such as high-value assets — those endpoints with critical data or potential for brand impact, for example. Or if you work with a managed service provider, ask about a continuously monitored solution that is not reliant on signatures or sandboxing technology alone.

Step Three: Continuous Incident Response and Management

Chances are, your organization already has an incident response (IR) strategy and a dedicated or outsourced IR team. However, even the best IR teams and processes fall short unless combined with EDR, network forensics and an automated incident management system. These building blocks accelerate incident response, reduce costs and get to containment faster.

Organizations that approach network and endpoint solutions as silos will end up with a fragmented, time-consuming IR process because incident management and forensics span multiple solutions and technologies.

The above framework is by no means the only approach to reaching your organization’s desired security posture. Jeremy the Germ made it into his target because he found a weak spot and was patient — and security threats will do the same. You must choose the right combination of people, processes and technologies for your ideal security posture, all while keeping protection, prevention, detection and response in mind.

Interested in emerging security threats? Read the latest IBM X-Force Research

Shilpi Dey
Endpoint Strategist and Product Management Lead, IBM

Shilpi is the endpoint strategist and product management lead for endpoint and mobile security services. In addition to a background in computer science, Shi...
read more