Orchestrating threat lifecycles for reduced time to detect and respond
LogRhythm’s APJ VP, Bill Taylor-Mountford, believes that the reason we are still seeing large data breaches is that the Threat Lifecycle Management (TLM) workflow is implemented poorly across a large number of diverse security systems.
“Each of these systems offers different user interfaces, inadequate integration with other systems, and a lack of automation in the areas of advanced security analytics and incident response.”
What TLM is, essentially, is the framework and the fundamental workflow of the security operations centre (SOC).
Taylor-Mountford said, “It is important to note that an effective TLM does not require a physical 24/7 security operations centre or SOC.”
TLM in the enterprise
But what actually is TLM, and what is its role within an enterprise?
According to LogRhythm, it is a series of aligned security operations capabilities and processes that begins with the ability to “broadly” and deeply assess your IT environment – from end-point to network.
It then ends with the ability to quickly mitigate and recover from a security incident.
Taylor-Mountford said, “This workflow is not novel and it is and has been the core foundation of SOC monitoring and response capabilities.”
LogRhythm’s TLM solution is delivered via a unified platform with which organisations can evaluate alarms, investigate threats and respond to incidents.
According to the VP, its automated security analytics capabilities automate the detection and prioritisation of real threats, and the platform also provides mechanisms to orchestrate and automate the incident response workflow.
He also said LogRhythm has three main advantages. First, it is able to collect the widest variety of machine data in real time, including security events, audit logs, system and application logs, flow data and more.
Second, its Machine Data Intelligence (MDI) fabric uniformly classifies, contextualises and normalises data from over 750 different types of systems and devices.
Taylor-Mountford said, “Basically, no one knows more about what log data means than us.”
Last but not least is its patented AI Engine, which employs a variety of sophisticated analytical techniques, including machine learning, behaviour profiling, statistical analysis and black/whitelisting.
“AI Engine detects threats that can only be seen via a centralised ‘big data’ analytics approach. It also corroborates threats detected by other security sensors with relevant data from across your environment.”
Mean time to detect and respond
Technology is used to process the voluminous data coming from all the different point solutions. In effect, it ensures analysts are looking at the right data so they can quickly detect and mitigate threats.
Taylor-Mountford pointed out, “This is how we drive down the mean time to detect (MTTD) and the mean time to respond (MTTR). How successful your TLM is should be measured by these two factors.”
He claimed that LogRhythm’s solution supports the workflow and processes needed to reduce MTTD and MTTR. With a centralised workflow that uses automation where possible, organisations can gain human efficiencies and optimal TLM, and better manage the impact of cyber incidents.
“We are on the end of having to play catch-up with hackers, as threats today are unpredictable and increasingly sophisticated.
“Processes need to therefore be streamlined, constantly re-visited and taken from a unified approach to ensure that they are aligned with the objectives. But to realise effective TLM, investment in people and technology must not be ignored, in order to leverage automation for more efficient threat discovery capability,” Taylor-Mountford emphasised.
Evolving the TLM
As global-scale attacks like WannaCry and Petya demonstrated, threats today are becoming more successful and, unfortunately, prevention-based tactics are no longer enough to protect companies from attacks.
The VP said, “The way forward is to reduce MTTD and MTTR, and only by combining people, process and technology can organisations sort through the noise and identify and act on high-priority threats.”
For example, before any threat can be detected, organisations first need to monitor, collect and audit data – security event and alarm data, log and machine data, and forensic sensor data – from across the company to establish visibility of any possible behavioural anomaly.
With this data in hand, organisations can then analyse it with search and machine analytics to detect threats.
Yet, as there will be false positives, organisations need an efficient qualification process to evaluate a large number of alarms accurately with fewer human resources; time is of the essence here.
Once threats have been qualified, companies need to investigate whether a security incident has occurred or is in progress so that the correct response can be made.
Once an incident is qualified, every second counts in minimising or eliminating its risk to the business. With automation, organisations can reduce MTTR and respond to threats quickly, because they have easy access to up-to-date incident response processes and actions.
Taylor-Mountford concluded, “Finally, once the security incident is neutralised, efforts must be spent on recovering effectively and on a timely basis to ensure business continuity.
“It is also imperative for the security team to have access to all information surrounding the investigation and incident response process to ensure there was no collateral damage or any back doors left behind for threats to return.”
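The article measures TLM success by MTTD and MTTR but does not show how the two are computed from the lifecycle stages it lists. The following is an added example, not LogRhythm's code: it tracks each case through detection, qualification and neutralisation on constructed timestamps, and shows the caveats a practitioner would want (false positives carry no detection time, and open incidents left out of MTTR flatter the number, so they are reported alongside it).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# One tracked threat as it moves through the TLM stages the article describes:
# collect/discover -> qualify -> investigate -> neutralise -> recover.
@dataclass
class Case:
    case_id: str
    first_activity: datetime                # earliest hostile activity found in the evidence
    detected: datetime                      # when analytics raised the alarm
    qualified: Optional[bool] = None        # True = real threat, False = false positive, None = not triaged
    neutralised: Optional[datetime] = None  # when the response contained the incident

def _mean(deltas):
    return sum(deltas, timedelta()) / len(deltas) if deltas else None

def mttd(cases):
    """Mean time to detect: first hostile activity -> alarm, over qualified real threats only.
    A false positive has no real first activity, so it contributes nothing here."""
    return _mean([c.detected - c.first_activity for c in cases if c.qualified])

def mttr(cases):
    """Mean time to respond: alarm -> neutralised, over real threats already contained.
    Open incidents are excluded, which flatters MTTR; always report open_incidents() next to it."""
    return _mean([c.neutralised - c.detected for c in cases if c.qualified and c.neutralised])

def open_incidents(cases):
    """Qualified real threats not yet neutralised: the ones where every second counts."""
    return [c.case_id for c in cases if c.qualified and c.neutralised is None]

def false_positive_ratio(cases):
    """Share of triaged alarms that were noise: the load the qualification stage is meant to cut."""
    triaged = [c for c in cases if c.qualified is not None]
    return sum(1 for c in triaged if not c.qualified) / len(triaged) if triaged else None

# Constructed sample cases (hypothetical timestamps, not real incident data).
SAMPLE = [
    Case("CASE-1", datetime(2017, 6, 1, 8, 0), datetime(2017, 6, 1, 8, 30), True, datetime(2017, 6, 1, 10, 30)),
    Case("CASE-2", datetime(2017, 6, 1, 9, 0), datetime(2017, 6, 1, 9, 10), False),
    Case("CASE-3", datetime(2017, 6, 1, 7, 0), datetime(2017, 6, 1, 7, 20), True),
]

if __name__ == "__main__":
    print("MTTD:", mttd(SAMPLE), "MTTR:", mttr(SAMPLE),
          "open:", open_incidents(SAMPLE), "FP ratio:", false_positive_ratio(SAMPLE))
```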