Perhaps the main priority when considering how to deal with cyberthreats is to reduce the amount of time it takes to respond to a threat after it has been detected. Mazen Dohaji, LogRhythm Regional Director, Middle East, tells us of the benefits of implementing Threat Lifecycle Management.
What is the key to faster detection and response to cyberthreats?
In order for organisations to improve their mean time to detect (MTTD) and mean time to respond (MTTR) to cyber threats, they need to shift their resources and focus from prevention-centric security strategies to strategies centred on threat detection and response. Security teams often lack effective tools, automation, and processes for streamlining threat investigations and incident response.
These challenges are evidenced when looking at recent data breaches where the time it took for the affected organisation to discover and respond to the data breach was measured in months, and in some cases years. However, data breaches can be largely avoided if you detect and respond to the threats quickly. The earlier an attack is detected and mitigated, the less the ultimate cost to the business will be. To reduce the MTTD and MTTR, an end-to-end detection and response process-referred to as Threat Lifecycle Management (TLM)-needs to be implemented.
How do LogRhythm products provide an end-to-end workflow when they are guarding against cyberthreats?
LogRhythm’s products provide an end-to-end workflow – forensic data collection, discovery, qualifying, investigation, neutralising, and recovery.
- LogRhythm collects and centralises all log and machine data while network and endpoint forensic sensors provide meaningful data to further extend visibility, in order to classify and contextualise captured data
- Machine analytics analyse all collected data -detecting both routine and advanced threats automatically enabling organisations to efficiently hunt for threats and reduce MTTD.
- With LogRhythm’s 100-point risk-based priority score, organisations will know where to spend their time effectively, while advanced drill down capabilities provide immediate access to rich forensic detail.
- Case dashboards and a secure evidence locker centralises all forensic data to provide real-time visibility into active investigations and incidents.
- Easily accessible and updated incident response processes, coupled with pre-qualified SmartResponse™ automated playbook actions, drastically reduce mean time to respond to threats.
- LogRhythm’s incident response orchestration provides central access to all forensic investigation information for rapid recovery.
How do LogRhythm products differ from traditional prevention-centric strategies?
While prevention-centric software is incredibly important for organisations and should not be overlooked, it should be considered basic cyber hygiene. It is something all organisations should be doing daily, but isn’t going to help stop a nasty virus from corrupting their immune system. Put simply, prevention-centric strategies just are not enough on their own. LogRhythm products provide the visibility, automation and detection capabilities necessary to detect today’s advanced persistent threats. In doing so, the technology puts organisations a step ahead of cybercriminals by providing an end-to-end security workflow that combines people, process, and technology, and empowers organisations by sorting through the noise to highlight and investigate high-priority threats.
How does Threat Lifecycle Management put enterprises one step ahead of their attackers?
Threat Lifecycle Management is a series of aligned security operations capabilities and processes that begins with the ability to ‘see’ broadly and deeply across the IT environment, and ends with the ability to quickly mitigate and recover from a security incident. The TLM workflow is not novel; it is the core foundation of the security operations centre (SOC) monitoring and response capabilities. The reason large data breaches still occur is because the TLM workflow is implemented ineffectively across many diverse, disparate security systems, each offering different user interfaces, inadequate integration with other systems, and lacking automation in the areas of advanced security analytics and incident response. Discovery of potential threats is accomplished through a blend of search and machine analytics. These threats must be quickly qualified to assess the potential impact to the business and the urgency of additional investigation and response efforts. When an incident is qualified, mitigations to reduce and eventually eliminate risk to the business must be implemented, and once the incident has been neutralised, full recovery efforts can commence.
How does Threat Lifecycle Management allow enterprises to see broadly and deeply within their IT environments?
Before any threat can be detected, organisations must be able to see evidence of the attack within the IT environment. Because threats target all aspects of the IT infrastructure, the more you can see, the more ably you can detect. There are three principle types of data that should be focused on: security event and alarm data, log and machine data, and forensic sensor data. While security event and alarm data is typically the most valuable source of data for a security team to find evidence of a successful attack, there can be a challenge in rapidly identifying which events or alarms to focus on, as tens of thousands might be generated on a daily basis. Log and machine data can provide deeper visibility into an IT environment – recording on a per-user, per-system, per application etc. basis – to illustrate who did what, when and where. Once an organisation is effectively collecting this data, forensic sensors can provide even deeper and broader visibility.
How does Threat Lifecycle Management respond if there is a phishing attack occurring?
Unfortunately, phishing attacks are incredibly common and they target the weakest point in any organisation’s perimeter – the employees. While organisations can do their due diligence by educating their employees on cyber security best practices, they can never be 100% sure that a phishing scam won’t infiltrate their network. Prevention tactics unfortunately will not always stop an employee from clicking on a dodgy link in a convincing email on a work computer, which is where a combined workflow of people, process and technology is needed. With Threat Lifecycle Management, organisations can detect and neutralise a breach, before data is stolen. When organisations can see broadly and deeply across their IT environment as well as having the ability to quickly mitigate and recover from security incidents, it allows them to defend their networks from the phishing attacks that scam their employees.
Does Threat Lifecycle Management have the capacity to escalate the case priority of an attack?
Yes. While most organisations have an array of security products to prevent a wide range of attacks from being successful, in some cases these technologies can only warn an attack may be in process or has occurred. In these cases, events and alarms are generated and the challenge most organisations face is rapidly identifying which events or alarms to focus on – as tens of thousands might be generated on a daily basis. However, with Threat Lifecycle Management, organisations can have full visibility coupled with machine analytics in order to stand a chance at detecting and responding to threats with the highest priority. The goal of using machine analytics is to help organisations realise a ‘risk-based monitoring’ strategy through the automatic identification and prioritisation of attacks and threats. This is critical for both detecting advanced threats via data science-driven approaches, as well as helping orient precious manual analytics capabilities to the areas of highest risk to the business.
How does Threat Lifecycle Management determine if a user account is accessing systems it usually doesn’t?
The cybercriminal is not always an anonymous hacker based miles away, an attack often comes from within an organisation and from its own employees. The insider threat, either from a disgruntled employee or an employee that has simply made an innocent mistake, is a very real and difficult threat for organisations to mitigate. However, with Threat Lifecycle Management, the automation and AI capabilities can help organisations deal with this quickly. AI can be used to automatically generate behavioural whitelists of ‘normal’ activity to help identify suspicious behaviour patterns and automatically identify and alert on potential threats and breaches. Once an employee is behaving in a way that the system deems to be ‘abnormal’ for their role, or their usual behaviour, it will be flagged immediately to the security system in order for them to begin the investigation process of the lifecycle.
Is it possible to use the system to disable a user’s account if it is under attack?
Yes. When an organisation detects a compromise, rapid response can mean the difference between quick containment and a damaging data breach. To that end, LogRhythm’s Threat Lifecycle Management platform includes our SmartResponse technology which enables automated incident response, with optional approval steps so that the SOC Analyst can review the situation before executing countermeasures.
Should an account compromise be suspected, an account can be automatically disabled, and access denied – no matter what device they use. Furthermore, multiple SmartResponse actions can be executed from a single alarm, enabling simultaneous or stepped actions.