10 Ways to Accelerate Time to Detection and Response

WHITE PAPER

2. SIZE AND SCOPE: Understand your environment.

In a previous McAfee® study on incident response, companies said the most time-consuming incident response task was determining the impact and scope of a security incident. That job is made substantially more difficult if you don't have an accurate understanding of how many systems, applications, and tools are in your environment. You need a clear map of your assets: how many you have, their connectivity, and their normal traffic patterns and behavior. Many IT and security professionals underestimate how many servers, cloud applications, mobile devices, etc. the organization has. Do you have 50 virtual workloads, 500, or 1,000? Before you implement an effective security information and event management (SIEM) solution, which McAfee recommends, you need to size your network and ensure you aren't going to overload your SIEM from day one. Also, many organizations lack an end-to-end view of their architecture, what's critical, and what the interdependencies are between systems. Many applications can provide visibility into systems and their context and deliver this data into a centralized security management environment, such as McAfee® ePolicy Orchestrator® software, to simplify monitoring.

3. CONTINUOUS MONITORING: Watch the data flows in your enterprise.

Baselining "normal" levels of activity for systems, users, and traffic makes it simpler and faster to identify anomalous and unusual activity as part of automated triage. This function is available in McAfee Enterprise Security Manager, as well as in many analytics packages. Collect and analyze data on browsing patterns, DNS logs, netflow traffic, services and processes running on servers and workstations, and more to get insight into the "how" of things happening in your IT environment.

If you implement a SIEM solution, get quick wins by feeding it data from the most fertile grounds of attack first:

-- DNS
-- Perimeter firewalls and routers
-- Virtual private network (VPN) traffic
-- Web application firewalls (WAF)
-- Proxy servers
-- Other network data—traffic logging, netflow

Then move on to Active Directory, endpoints, and areas where more advanced data is available, such as data loss prevention tools and threat intelligence. Visibility for monitoring is well supported today, with off-the-shelf content from McAfee Security Innovation Alliance partners who integrate with McAfee ePO software and McAfee Enterprise Security Manager (SIEM). In addition, McAfee provides expert-built content packs that populate dashboards, alarms, watchlists, and reports automatically to enable common use cases, including use cases with partners.

Understand where items are likely to generate false positives. For example, DNS resolution errors might create loops that look malicious but aren't. You should be able to document and report back to the operational teams when you see engineering or network issues that look like an attack but are really misconfiguration. Once you've established a baseline, you can spot abnormal network activity or user behavior and identify true indicators of attack and indicators of compromise. Part of this process also involves identifying and addressing gaps in your monitoring. Are there systems to which your security tools have limited visibility? Are there applications and services stood up outside of IT, especially in the cloud, that aren't tied into your security protocols? As we'll address later, are there third-party systems, cloud databases, or other portions of your operations that aren't under direct IT control? Eliminate blind spots as much as possible.
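As an added illustration (not part of the white paper or of any McAfee product), the baseline-then-triage idea above applied to constructed DNS resolver log lines in a hypothetical `client qname rcode` format: a known-good window sets the baseline of distinct names per client, and the later window is triaged so that a repeated resolution-failure loop is handed back to operations as likely misconfiguration rather than raised as an attack, while a client far outside the baseline is flagged for investigation. The thresholds (3 sigma, 80% loop ratio) are assumptions for the example, not values from the paper.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

def parse(lines):  # yield (client, qname, rcode) from 'client qname rcode' lines; skip malformed ones
    for line in lines:
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower(), parts[2].upper()

def baseline(lines):
    """Mean and population std-dev of distinct query names per client in a known-good window."""
    names = defaultdict(set)
    for client, qname, _ in parse(lines):
        names[client].add(qname)
    counts = [len(s) for s in names.values()]
    return mean(counts), pstdev(counts)

def triage(lines, mu, sigma, loop_ratio=0.8):
    """Per client: 'loop' (one failing name dominates), 'anomaly' (far above baseline) or 'normal'."""
    per_client = defaultdict(list)
    for client, qname, rcode in parse(lines):
        per_client[client].append((qname, rcode))
    verdicts = {}
    for client, records in per_client.items():
        failures = Counter(q for q, r in records if r != "NOERROR")
        distinct = len({q for q, _ in records})
        if failures and failures.most_common(1)[0][1] >= loop_ratio * len(records):
            verdicts[client] = "loop"     # same name failing over and over: report to ops as misconfiguration
        elif distinct > mu + 3 * max(sigma, 1.0):   # floor on sigma so a tight baseline is not hair-trigger
            verdicts[client] = "anomaly"  # far more distinct names than peers: investigate
        else:
            verdicts[client] = "normal"
    return verdicts

# Constructed sample logs (not real traffic): a known-good window, then a later window to triage.
BASELINE_LOGS = """10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.6 www.example.com NOERROR
10.0.0.6 cdn.example.net NOERROR
10.0.0.6 mail.example.com NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.7 updates.example.org NOERROR
10.0.0.8 www.example.com NOERROR
10.0.0.8 mail.example.com NOERROR""".splitlines()
WINDOW_LOGS = ["10.0.0.5 www.example.com NOERROR", "10.0.0.5 mail.example.com NOERROR"]
WINDOW_LOGS += ["10.0.0.7 printer.corp.local NXDOMAIN"] * 6                       # resolution-error loop
WINDOW_LOGS += [f"10.0.0.9 h{i}.unknown-zone.test NXDOMAIN" for i in range(9)]   # many distinct names
if __name__ == "__main__":
    mu, sigma = baseline(BASELINE_LOGS)
    print(triage(WINDOW_LOGS, mu, sigma))  # {'10.0.0.5': 'normal', '10.0.0.7': 'loop', '10.0.0.9': 'anomaly'}
```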