2 Do's and 2 Don'ts of Incident Response and Anomaly Detection
Anomaly detection is growing in popularity as organizations get proactive about incident response. These practices help you get the most out of anomaly detection.
By Alan Hall, Blue Coat (now part of Symantec)
With the cost of a breach up 29 percent from 2013 -- and continuing to rise -- according to a recent Ponemon report, enterprise leaders are under mounting pressure to implement security solutions that are effective at detecting threats in an evolving cybersecurity landscape. While organizations generally accept that prevention alone is not enough, data breaches often still go undetected for weeks, months and even years.
Organizations need to know which alarms matter to them in order to conduct incident response effectively. Signature-based systems and network management tools are the traditional approach to organizational security, but they can no longer be the only means of detecting a breach and stopping it before it causes significant harm: a signature only matches an attack that someone has already seen and described.
Anomaly detection is growing in popularity because it enables proactive incident response: it gives security teams a way to track down potential risks before an initial compromise or a piece of unusual behavior escalates into a damaging event.
Organizations must weigh a number of factors when evaluating incident response solutions. Here are four key considerations, two do's and two don'ts, to keep in mind when evaluating how best to prevent a breach and how to limit the damage when one occurs.
Don't Rely on Manual Monitoring Processes
Incident response teams often take a manual approach to security monitoring, tasking team members with watching dashboards and spotting simple anomalies. This process is extremely time consuming. It is also prone to human error: attention and judgment vary from analyst to analyst and from hour to hour, which leads to inconsistent and inaccurate results.
Additionally, a single metric is unlikely to reveal an advanced attack. What gives one away is usually several metrics moving together, each by too little to stand out on its own, and humans cannot hold enough related items in working memory to spot that correlation across many hosts and many metrics.
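The following Python script is an added example, not the author's code or the logic of any Blue Coat product. It scores each host on several metrics at once: the baseline history, the readings for the day under review, the host names, metric names and thresholds are all constructed assumptions for illustration. It shows the point above: host ws-17 trips no single-metric threshold, yet the sum of its modest deviations across four metrics does, while a single loud spike on srv-09 is still caught by the simple rule.

```python
"""Correlating several weak per-host signals instead of alerting on one metric.

Added example, not from the article. The baseline and the "today" readings are
constructed so the arithmetic is easy to follow; real inputs would come from
flow records, authentication logs and endpoint telemetry.
"""
import statistics
from typing import Dict, List

METRICS = ("bytes_out_mb", "distinct_dst_ips", "failed_logins", "new_processes")

# Constructed baseline: (mean, standard deviation) of each metric's daily value.
# For simplicity the same baseline is assumed for every host.
BASELINE_PARAMS = {
    "bytes_out_mb": (100, 10),
    "distinct_dst_ips": (20, 4),
    "failed_logins": (5, 2),
    "new_processes": (40, 5),
}

# Constructed readings for the day under review (hypothetical hosts).
TODAY: Dict[str, Dict[str, float]] = {
    "ws-01": {"bytes_out_mb": 105, "distinct_dst_ips": 21, "failed_logins": 6, "new_processes": 42},
    # every metric a little high, none dramatically so
    "ws-17": {"bytes_out_mb": 122, "distinct_dst_ips": 28, "failed_logins": 9, "new_processes": 50},
    # one metric far out of range, everything else normal
    "srv-09": {"bytes_out_mb": 150, "distinct_dst_ips": 20, "failed_logins": 5, "new_processes": 40},
}


def constructed_history(mean: float, stdev: float, days: int = 8) -> List[float]:
    """Alternating values one stdev either side of the mean: the population mean
    and stdev of this series are exactly (mean, stdev), so the z-scores are exact."""
    return [mean - stdev if d % 2 == 0 else mean + stdev for d in range(days)]


def zscores(history: Dict[str, List[float]], today: Dict[str, float]) -> Dict[str, float]:
    """How many standard deviations above its own history each metric sits today."""
    z = {}
    for metric, values in history.items():
        mean = statistics.mean(values)
        stdev = max(statistics.pstdev(values), 1e-9)  # guard against a flat history
        z[metric] = (today[metric] - mean) / stdev
    return z


def single_metric_rule(z: Dict[str, float], limit: float = 3.0) -> List[str]:
    """The dashboard view: one metric must cross a large threshold on its own."""
    return [m for m, v in z.items() if v >= limit]


def correlated_rule(z: Dict[str, float], per_metric: float = 1.5,
                    min_metrics: int = 3, min_score: float = 6.0):
    """Sum the positive deviations and require several metrics to be elevated together."""
    elevated = [m for m, v in z.items() if v >= per_metric]
    score = sum(max(v, 0.0) for v in z.values())
    return score, elevated, len(elevated) >= min_metrics and score >= min_score


def evaluate(today: Dict[str, Dict[str, float]] = TODAY) -> Dict[str, dict]:
    """Run both rules over every host and return the verdicts."""
    history = {m: constructed_history(*BASELINE_PARAMS[m]) for m in METRICS}
    results = {}
    for host, readings in today.items():
        z = zscores(history, readings)
        score, elevated, correlated = correlated_rule(z)
        results[host] = {
            "z": {m: round(v, 2) for m, v in z.items()},
            "single": single_metric_rule(z),
            "score": round(score, 2),
            "elevated": elevated,
            "correlated": correlated,
        }
    return results


if __name__ == "__main__":
    for host, r in evaluate().items():
        verdict = "single-metric" if r["single"] else "correlated" if r["correlated"] else "quiet"
        print(f"{host:7s} score={r['score']:5.2f} elevated={r['elevated']} -> {verdict}")
```

The per-metric baseline here is a fixed constructed history; in practice it has to be recomputed continuously, and the thresholds (3 sigma alone, or 1.5 sigma on at least three metrics summing to 6) are starting points to tune against your own false-positive rate, not recommended values.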
Do Consider Impact of Shadow IT
While network security was previously confined to the applications vetted and implemented by the IT department, shadow IT and bring-your-own-device (BYOD) practices have made the business environment much more complex. The network perimeter has expanded dramatically: IT and incident response teams now have to worry about employees working from multiple devices (smartphones, laptops and tablets), connecting over multiple networks (office Ethernet, home broadband and VPNs) and using hundreds of applications (enterprise, consumer, productivity or social) that reside across corporate data centers and cloud service providers.
The expanding perimeter introduces countless new endpoints and requires security teams to think differently about their approach to threat detection and prevention.
Don't Follow the Rules
In an attempt to automate some of the manual work involved in anomaly detection, companies often rely heavily on rules and thresholds. This approach comes with its own set of challenges. For example, a fixed threshold is of little use on periodic data such as traffic that follows a daily or weekly cycle: set high enough to stay quiet during the daytime peak, it misses a burst of the same size at night; set low enough to catch the night-time burst, it fires every business day.
Additionally, the alerts this approach generates create a lot of unnecessary noise that distracts security and incident response teams from the alarms that matter.
Do Establish a Baseline of Normal Behavior
Every organization is unique and constantly changing; a baseline can become inaccurate moments after it is determined, as the network environment or user behavior changes. By establishing a dynamic, automated baseline of normal behavior, often by leveraging packet capture and network forensics recordings, organizations can learn what normal network and cloud application activity looks like and then identify deviations from it.
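The following Python script is added here as an illustration; it is not taken from the article or from any Blue Coat or Symantec product. It contrasts two fixed thresholds with a rolling hour-of-day baseline on constructed periodic data, and the hourly counts, the 14-day window, the z-score limit and the choice of median and MAD as the baseline statistics are all assumptions. It covers both the "Don't Follow the Rules" point (on periodic data a static threshold either misses the night-time burst or fires every business hour) and the dynamic baseline of this section (the baseline is recomputed from the most recent days, and uses median and MAD so that one anomalous day does not inflate the spread and hide the next).

```python
"""Fixed thresholds versus a dynamic hour-of-day baseline on periodic data.

Added example (not from the article). All data is constructed: hourly
outbound-connection counts with a daily cycle, a +/-5 alternation between
days so the per-hour median and spread are known exactly, and a night-time
burst injected at 03:00 as the anomaly.
"""
import statistics
from typing import Dict, List, Tuple

HOURS = 24
WINDOW_DAYS = 14      # how much history the rolling baseline looks at (assumption)
MAD_SCALE = 1.4826    # makes MAD comparable to a standard deviation for normal data


def constructed_day(day: int) -> List[int]:
    """One day of hourly counts: quiet overnight, busy 08:00-18:00, moderate evening."""
    jitter = 5 if day % 2 == 0 else -5
    counts = []
    for hour in range(HOURS):
        if hour < 8:
            base = 100
        elif hour < 18:
            base = 500
        else:
            base = 150
        counts.append(base + jitter)
    return counts


def static_threshold_alerts(day: List[int], threshold: int) -> List[int]:
    """The rule/threshold approach: alert on any hour whose count exceeds a fixed number."""
    return [hour for hour, count in enumerate(day) if count > threshold]


def hour_of_day_baseline(history: List[List[int]],
                         window_days: int = WINDOW_DAYS,
                         min_spread: float = 1.0) -> List[Tuple[float, float]]:
    """Per hour-of-day (median, robust spread) over the most recent window_days.

    Median and MAD are used instead of mean and standard deviation so that a
    single anomalous day does not inflate the spread and mask the next one.
    """
    recent = history[-window_days:]
    baseline = []
    for hour in range(HOURS):
        samples = [day[hour] for day in recent]
        median = statistics.median(samples)
        mad = statistics.median([abs(s - median) for s in samples])
        baseline.append((median, max(mad * MAD_SCALE, min_spread)))
    return baseline


def baseline_alerts(day: List[int], baseline: List[Tuple[float, float]],
                    z_limit: float = 4.0) -> List[Tuple[int, float]]:
    """Alert on hours that sit z_limit spreads above their own hour's baseline."""
    alerts = []
    for hour, count in enumerate(day):
        median, spread = baseline[hour]
        z = (count - median) / spread
        if z >= z_limit:
            alerts.append((hour, round(z, 1)))
    return alerts


def compare_approaches() -> Dict[str, list]:
    """Same test day, three detectors: two fixed thresholds and the rolling baseline."""
    history = [constructed_day(d) for d in range(WINDOW_DAYS)]
    test_day = constructed_day(WINDOW_DAYS)
    test_day[3] += 160  # constructed anomaly: 03:00 burst from 105 to 265 connections
    return {
        # set above the business-hour peak: quiet at night, so it misses the burst
        "static_high": static_threshold_alerts(test_day, 600),
        # set low enough to catch the burst: also fires for every business hour
        "static_low": static_threshold_alerts(test_day, 200),
        # per-hour baseline: only the 03:00 burst stands out
        "dynamic": baseline_alerts(test_day, hour_of_day_baseline(history)),
    }


def adaptation() -> List[bool]:
    """A new 03:00 job starts and keeps running: does each successive day still alert?

    The rolling baseline alerts until the new behaviour makes up the majority
    of the window, then treats it as normal. A fixed threshold never learns.
    """
    history = [constructed_day(d) for d in range(WINDOW_DAYS)]
    fired = []
    for d in range(WINDOW_DAYS, 2 * WINDOW_DAYS):
        day = constructed_day(d)
        day[3] += 160
        fired.append(bool(baseline_alerts(day, hour_of_day_baseline(history))))
        history.append(day)
    return fired


if __name__ == "__main__":
    for name, hits in compare_approaches().items():
        print(f"{name:12s} {hits}")
    print("adaptation   ", adaptation())
```

The adaptation() result cuts both ways: the same window that absorbs a legitimate new backup job would, after enough days, also absorb a persistent attacker beacon, so alerts that stop firing on their own deserve a look before the baseline is allowed to forget them.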
Wrapping up: One Approach Does Not Fit All
These do's and don'ts offer some best practices to consider when implementing an incident response solution that leverages anomaly detection, but it is important to remember that industry standards for anomaly detection are still evolving. The most important thing for organizations to keep in mind is that they must identify the solution that fits their own data, activity patterns and, ultimately, the threats they face.
Alan Hall is the director of Product Marketing for Network Forensics and Incident Response at Blue Coat, now part of Symantec. He joined Blue Coat through the acquisition of Solera Networks, a leader in security analytics and threat visibility solutions. At Solera Networks, he was responsible for corporate and product marketing as the company grew from a security innovator to a recognized leader in security analytics and its subsequent acquisition by Blue Coat. Alan has over 20 years' experience with networking and security technology leaders, and he holds a BS from Brigham Young University and an MBA from Utah State University.