10 Ways to Accelerate Time to Detection and Response
WHITE PAPER
2. SIZE AND SCOPE: Understand your environment.
In a previous McAfee® study on incident response, companies said the most time-consuming incident response task was determining the impact and scope of a security incident. That job is made substantially more difficult if you don’t have an accurate understanding of how many systems, applications, and tools are in your environment. You need a clear map of your assets, how many you have, their connectivity, and normal traffic patterns and behavior.
Many IT and security professionals underestimate how many servers, cloud applications, mobile devices, etc. the organization has. Do you have 50 virtual workloads, 500, or 1,000? Before you implement an effective security information and event management (SIEM) solution, which McAfee recommends, you need to size your network and ensure you aren’t going to overload your SIEM from day one. Also, many don’t have an end-to-end view of their architecture, what’s critical, and what the interdependencies are between systems. Many applications can provide visibility into systems and their context and deliver this data into a centralized security management environment, such as McAfee® ePolicy Orchestrator® software, to simplify monitoring.
3. CONTINUOUS MONITORING: Watch the data flows in your enterprise.
Baselining “normal” levels of activity for systems, users, and traffic also makes it simpler and faster to identify anomalous and unusual activity as part of automated triage. This function is available in McAfee Enterprise Security Manager, as well as in many analytics packages.
Collect and analyze data on browsing patterns, DNS logs, netflow traffic, services and processes running on servers and workstations, and more to get insight into the “how” of things happening in your IT environment. If you implement a SIEM solution, get quick wins by feeding data from the most fertile grounds of attack first:
-- DNS
-- Perimeter firewalls and routers
-- Virtual private network (VPN) traffic
-- Web application firewalls (WAF)
-- Proxy servers
-- Other network data—traffic logging, netflow
Then, move to Active Directory, endpoint, and areas where more advanced data is available, such as data loss prevention tools and threat intelligence. Visibility for monitoring is well supported today, with off-the-shelf content from McAfee Security Innovation Alliance partners who integrate with McAfee ePO software and McAfee Enterprise Security Manager (SIEM). In addition, McAfee provides expert-built content packs that populate dashboards, alarms, watchlists, and reports automatically to enable common use cases, including use cases with partners.
Understand where items are likely to generate false positives. For example, DNS resolution errors might create loops that look malicious, but aren’t. You should be able to document and report back to the operational teams when you see engineering or network issues that seem like an attack, but the real problem is misconfiguration. Once you’ve established a baseline, you can spot abnormal network activity or user behavior, identifying true indicators of attack and indicators of compromise.
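As an added illustration of the baselining and false-positive points above (example code written for this page, not from McAfee Enterprise Security Manager or any other product), the following builds a per-client baseline of NXDOMAIN answers from DNS resolver logs, then scores a new window against it and separates a resolution-error loop (one name failing over and over, a likely misconfiguration for the operations team) from a genuine anomaly. The log format, hosts and names are constructed; the 3-sigma threshold with a floor of one extra failure per minute is an assumption.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
# Constructed resolver log lines (not captured from any real network): "minute client qname rcode"
BASELINE_LOG = """\
1 10.0.0.5 www.example.com NOERROR
2 10.0.0.5 typo.example.org NXDOMAIN
3 10.0.0.5 mail.example.com NOERROR
1 10.0.0.9 intranet.corp NOERROR
"""
NEW_LOG = """\
4 10.0.0.5 a7f3k2.example.org NXDOMAIN
4 10.0.0.5 q9z1mm.example.org NXDOMAIN
4 10.0.0.9 oldserver.corp NXDOMAIN
4 10.0.0.9 oldserver.corp NXDOMAIN
4 10.0.0.9 oldserver.corp NXDOMAIN
4 10.0.0.7 www.example.com NOERROR
"""
def nxdomain_counts(log):
    """Per client: NXDOMAIN answers per minute and the distinct failing names; plus every minute in the window."""
    per_min, failing, minutes = defaultdict(Counter), defaultdict(set), set()
    for line in log.splitlines():
        minute, client, qname, rcode = line.split()
        minutes.add(int(minute))
        per_min[client]  # register every client seen, even one with no failures
        if rcode == "NXDOMAIN":
            per_min[client][int(minute)] += 1
            failing[client].add(qname)
    return per_min, failing, minutes

def baseline(log):
    """Per-client (mean, stddev) of NXDOMAIN answers per minute; quiet minutes count as zero."""
    per_min, _, minutes = nxdomain_counts(log)
    return {c: (mean([n[m] for m in minutes]), pstdev([n[m] for m in minutes]))
            for c, n in per_min.items()}

def triage(base, log, sigma=3.0):
    """Score a new window against the baseline; returns client -> verdict."""
    per_min, failing, _ = nxdomain_counts(log)
    verdict = {}
    for client, counts in per_min.items():
        mu, sd = base.get(client, (0.0, 0.0))  # client unseen in baseline: flat zero baseline
        threshold = mu + max(sigma * sd, 1.0)  # floor so a flat baseline still alerts
        if max(counts.values(), default=0) <= threshold:
            verdict[client] = "normal"
        elif len(failing[client]) == 1:
            # one name failing repeatedly is a resolution-error loop: hand it to the ops team
            verdict[client] = "misconfiguration"
        else:  # several distinct failing names above baseline: a true anomaly to investigate
            verdict[client] = "investigate"
    return verdict
```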
Part of this process also involves identifying and addressing gaps in your monitoring. Are there systems to which you have limited visibility with your security tools? Are there applications and services stood up outside of IT, especially in the cloud, that aren’t tied into your security protocols? As we’ll address later, are there third-party systems, cloud databases, or other portions of your operations that aren’t under direct IT control? Eliminate blind spots as much as possible.