Removing the bottleneck from the incident response process

Recent years have shown that an organization's ability to investigate an attack quickly translates directly into saved money and reputation.

A bottleneck in the investigation process usually occurs when analysts have to dig in manually to understand the scope and context of the alerts flagged by the detection tools. Combine this with the ever-growing number of alerts requiring investigation, and the fact that most of them are handled by a very small group of people, and it becomes clear that the problem is severe.

The importance of fast response

IBM's breach analysis report from July 2019 revealed that, on average, organizations took 206 days after the initial infiltration to discover that a data breach had occurred. Remediation then stretched for another 73 days after discovery.

The same report found that organizations that kept the investigation and response process under 200 days reduced breach costs by $1.23 million.

The time it takes attackers to infiltrate a targeted network is getting shorter.
State-sponsored groups attract the best talent worldwide and, according to CrowdStrike's annual report, can infiltrate a system in as little as 19 minutes (Russia). Independent attackers average around 10 hours.

The problem is the huge disparity between infiltration time and response time. Ideally a threat is identified and isolated immediately. If it is not, every hour that passes lets the attackers reach more hosts, take over or shut down systems, or silently exfiltrate valuable data in small amounts that go undetected for months.

How the bottleneck happens

Many aspects of the security process are automated nowadays. Prevention and detection tools flag potential threats and (try to) stop them from executing automatically. The techniques used to identify threats and raise alerts vary widely, from matching predefined, preprogrammed patterns to machine learning and artificial intelligence, but the end result is the same: the flagged threats wait in a queue to be looked at. That queue is the main source of alert fatigue in the security industry.

This massive volume of daily alerts leads to the real problem: triaging and investigating them is time consuming and complicated. Most security teams do not have good enough visibility into their own environment, and others struggle to store the forensic data needed to support a deeper investigation. The high-level metadata logs collected by SIEM products are typically not enough and give only a very limited picture of what actually happened. The bulk of the work therefore falls on security personnel, who must manually search for new evidence to work out where the breach came from, what was accessed, how the infiltration happened, and what the context and scope of the breach are.
Without forensic data that goes deeper than traditional logs, the personnel investigating each alert need days, and sometimes weeks, to find these answers.

How Network Detection and Response (NDR) accelerates the investigations process

We understand that removing the bottleneck from the process requires collecting, analyzing, correlating and visualizing data from a variety of sources. The WireX Systems Network Detection and Response (NDR) Platform improves workflow and response times by delivering exact answers and visualizing them in a way that lets even entry-level operators respond like experienced analysts.
By doing the heavy lifting of data analysis automatically and providing built-in views of the necessary data along different dimensions (including lateral movement, file uploads and downloads across protocols, connections to specific hosts, DNS requests and so on), the platform relieves security personnel of digging through a mountain of partial pieces of information and then trying to "glue" them by hand into one coherent story.
At the heart of this SOC platform, designed to simplify alert triage, is the Contextual Capture™ technology, which goes well beyond capturing raw packets and continuously translates network payloads into easy-to-understand, actionable intelligence. The data is then categorized and compressed automatically, enabling up to 25 times more storage efficiency.
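The correlation step described above, pulling a host's DNS, download and connection records around an alert into one time-ordered story, as an added Python example. This is illustrative code written for this page, not WireX code: the field names follow Zeek log conventions (orig_h, resp_h, resp_p, query, resp_mime_types), but the alert, the records, the internal address ranges and the list of lateral-movement ports are all constructed assumptions.

```python
"""Alert enrichment example: correlate one detection alert with network
metadata (connections, DNS, HTTP) into a single per-host timeline.

All records below are constructed sample data. Field names follow Zeek log
conventions, but nothing here comes from a real capture.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Address space treated as internal (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Internal-to-internal use of these services is surfaced as possible lateral movement.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 22: "SSH"}


def ts(hms: str) -> datetime:
    """Timestamps for the constructed records, all on one fictitious day."""
    return datetime.fromisoformat("2019-07-10T" + hms)


# Constructed alert from a detection tool: it names a host and a time, little else.
ALERT = {"ts": ts("10:05:00"), "host": "10.0.0.23",
         "rule": "Suspicious executable written to user profile"}

# Constructed conn.log-style records (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
CONN = [
    {"ts": ts("09:30:00"), "orig_h": "10.0.0.23", "resp_h": "198.51.100.7", "resp_p": 443},
    {"ts": ts("10:01:00"), "orig_h": "10.0.0.23", "resp_h": "10.0.0.5", "resp_p": 53},
    {"ts": ts("10:02:12"), "orig_h": "10.0.0.23", "resp_h": "203.0.113.10", "resp_p": 443},
    {"ts": ts("10:04:00"), "orig_h": "10.0.0.40", "resp_h": "10.0.0.50", "resp_p": 445},
    {"ts": ts("10:06:30"), "orig_h": "10.0.0.23", "resp_h": "10.0.0.50", "resp_p": 445},
    {"ts": ts("10:07:05"), "orig_h": "10.0.0.23", "resp_h": "10.0.0.51", "resp_p": 3389},
]
# Constructed dns.log-style records.
DNS = [
    {"ts": ts("09:40:00"), "orig_h": "10.0.0.23", "query": "intranet.corp.example", "answers": ["10.0.0.8"]},
    {"ts": ts("10:02:10"), "orig_h": "10.0.0.23", "query": "cdn-update.example", "answers": ["203.0.113.10"]},
]
# Constructed http.log-style records.
HTTP = [
    {"ts": ts("10:02:12"), "orig_h": "10.0.0.23", "host": "cdn-update.example", "uri": "/setup.exe",
     "resp_mime_types": ["application/x-dosexec"], "resp_body_len": 734208},
    {"ts": ts("10:03:00"), "orig_h": "10.0.0.40", "host": "news.example", "uri": "/",
     "resp_mime_types": ["text/html"], "resp_body_len": 51200},
]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


@dataclass
class Timeline:
    host: str
    window: Tuple[datetime, datetime]
    events: List[dict]  # each event: {"ts", "kind", "detail"}, sorted by ts

    def summary(self) -> Dict[str, int]:
        counts = {"dns": 0, "download": 0, "external": 0, "lateral": 0}
        for e in self.events:
            if e["kind"] in counts:
                counts[e["kind"]] += 1
        return counts

    def render(self) -> List[str]:
        return [f"{e['ts']:%H:%M:%S} {e['kind'].upper():8} {e['detail']}" for e in self.events]


def build_timeline(alert: dict, conn: List[dict], dns: List[dict], http: List[dict],
                   minutes: int = 10) -> Timeline:
    """Collect every record the alerted host produced within +/- `minutes` of the
    alert, label it, and order it, so the operator reads one story, not three logs."""
    t0, t1 = alert["ts"] - timedelta(minutes=minutes), alert["ts"] + timedelta(minutes=minutes)

    def mine(r: dict) -> bool:
        return r["orig_h"] == alert["host"] and t0 <= r["ts"] <= t1

    events = [{"ts": alert["ts"], "kind": "alert", "detail": alert["rule"]}]
    for r in filter(mine, dns):
        events.append({"ts": r["ts"], "kind": "dns",
                       "detail": f"{r['query']} -> {', '.join(r['answers'])}"})
    for r in filter(mine, http):
        if r["resp_body_len"] > 0:  # a response body was transferred to the host
            events.append({"ts": r["ts"], "kind": "download",
                           "detail": f"{r['host']}{r['uri']} ({r['resp_mime_types'][0]}, {r['resp_body_len']} bytes)"})
    for r in filter(mine, conn):
        if not is_internal(r["resp_h"]):
            events.append({"ts": r["ts"], "kind": "external", "detail": f"{r['resp_h']}:{r['resp_p']}"})
        elif r["resp_p"] in LATERAL_PORTS:
            events.append({"ts": r["ts"], "kind": "lateral",
                           "detail": f"{LATERAL_PORTS[r['resp_p']]} to {r['resp_h']}"})
    events.sort(key=lambda e: e["ts"])  # stable sort keeps insertion order on equal timestamps
    return Timeline(alert["host"], (t0, t1), events)


if __name__ == "__main__":
    for line in build_timeline(ALERT, CONN, DNS, HTTP).render():
        print(line)
```

Run stand-alone, the script prints the host's story around the alert: a DNS lookup, a download of an executable from the resolved address, the alert itself, then SMB and RDP connections to two internal hosts. Records from other hosts and from outside the window are dropped, which is exactly the scoping work the paragraph describes analysts doing by hand.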

This automatic analysis and categorization makes it possible to visualize the complete story in minutes (in contrast to the industry average of 206 days) and saves precious time by eliminating the bottleneck of manual investigation.

Avoid the $100 million bill

Desjardins Group, a Canadian lender, suffered a breach in 2019 in which the data of 2.9 million members was accessed, at a cost of $53 million.

Marriott International acquired Starwood Hotels in 2016. In 2018, Marriott discovered that the data of over 100 million guests, including names, passport numbers and credit card information, had been compromised. The slow identification and response cost the company over $100 million.

While these are two extreme examples, the average cost of a breach is $3.92 million, still more than most companies are willing to risk.

The frequency of attacks is also increasing, with nearly 50% of businesses reporting breaches and 4 out of 10 being hit multiple times. An insidious example is the LockerGoga malware attack targeting industrial companies, which locks users out of their equipment and accounts. Within minutes of infiltration, the ransomware starts wreaking havoc inside a system. Organizations are sometimes tempted to quietly pay in order to get access restored.

The return on investing in faster response becomes clearer once the average cost per breach is weighed against this increasing frequency.

An efficient incident response process is a top priority for every organization that takes security seriously, and it is a critical factor in minimizing negative business impact.

Contact WireX Systems today for a free demo of our NDR platform to see it in action.
