We have to get smart about how we perform security: sophisticated threats require sophisticated countermeasures. The premise sounds simple enough, but the security market is being turned on its head as the effectiveness of legacy technologies such as antivirus is questioned and as new technologies shift to real-time analysis and behavior-based approaches for malware identification.
A review of the tools on the market today reveals two distinct approaches:
The first approach focuses on incident response (IR) and damage assessment. Here, indicators of interest identify system infections and then apply intelligence to assess the level of risk associated with a specific organization. IR also exposes any weaknesses in an organization’s defense posture. It is within this fast-growing space that many advanced analytic tools are utilized, for example, botnet detection, internal propagation, and memory analysis. The most important question concerns the amount of information that would be required to perform an analysis within a reasonable timeframe. Too little information could be of little use, while too much information could turn everything into noise.
The second approach focuses on containment and eradication (remediation). Here, traditional antivirus still stands strong, and while it may not be exciting, it remains vital for the operational functioning of organizations. If remediation is not performed properly, systems can continue to be reinfected, or organizations can become locked in costly and time-consuming cycles of system reimaging.
In an ideal world, a single tool would be able to perform some level of detection, provide threat assessment, and eradicate threats – and all within a short amount of time. Such a tool would be considered self-aware and self-healing. In the real world, however, true breach analysis requires a broad set of tools, ranging from external monitoring to forensic investigation. Some tools cover more than others, but no tool is all encompassing, hence the need for a process of breach analysis within incident response.
Breach Found. Did it hurt? reviews the tools available to the enterprise today and discusses their appropriate use. Breach analysis allows an enterprise to confidently establish whether information has been lost; identify which information is being targeted by the malware; understand the actions malware operators are initiating on infected computers; determine how to minimize data exfiltration during remediation of the infection; and subsequently cleanse infected systems. What organization would not want these capabilities?
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.