Author: Keshav Kamble
Incident Response (IR) is a thought-provoking topic for discussions with CISOs, CIOs and security architects. Consider a scenario where a burglary is in progress. The alarms are sounding and the monitoring cameras are recording the act in real time. Unfortunately, the burglars are masked men acting swiftly. They complete their crime and flee even before the first responders arrive at the scene. This happens despite the fact that the Response Time (RT) is supposed to be under 4 minutes in parts of California.
Now consider the same scenario but the burglars are 10 million times faster and the response time is still a few minutes. Not much would be left to salvage.
This is the state of many Enterprise Security Operations Centers (SOCs) today. Incident response is a critical part of the SOC's responsibilities, but security operators are not equipped with the right tools to respond to data breaches and application security threats in microseconds rather than, at best, minutes.
What are the problems?
The Advanced Security Operations Center's primary tasks are continuous monitoring, incident and breach response, and upgrading the enterprise security posture based on a continuous feedback loop. For such complex tasks, there is a multitude of tools and monitoring platforms available. Aided by Security Information and Event Management (SIEM), log analytics, transaction correlation, behavior analytics and other tools, SOCs have been constantly trying to stay ahead of the threats. Despite the availability of these tools, three main problems with SOC responses remain unresolved:
- Incident response is very slow.
- Incident response is based on limited or no understanding of the affected application and threats.
- Large numbers of false positives.
Mr. Rishi Shah, CEO of AptusCare, provided a great analogy based on his deep knowledge of the healthcare business. “Medical doctors and surgeons diagnose and perform surgeries with deep knowledge and visibility into organs and cells. To respond to emerging threats in enterprise applications, security professionals also need tools for deep visibility into application ecosystems and threats in real time!”
What are the options?
I completely agree with Mr. Shah as he pointed out the recent example of the ransomware attack on Fetal Diagnostic Institute of the Pacific, which affected more than 40 thousand patient records. For security professionals to respond to emerging threats in real time, they require powerful platforms with real-time capabilities that identify threats, remediate the threats and provide deep application visibility.
Unfortunately, current methods for threat interception are inadequate. They are too complicated, too analytical, too slow, and too often fail. If intercepting threats is so critical, why don't existing solutions do it better?
Colonel USAF (Ret.) Mr. Michael Hodge emphatically suggests, “For real time incident response, any viable solution must optimize on the following two variables:
In addition, these capabilities must be available with zero impact to application architecture, performance and DevSecOps.
To learn more about Avocado and how we can help you step up your security posture with real-time threat response, visit http://www.avocadosys.com. You can also email us at firstname.lastname@example.org to set up a personalized demo.