S = P + D + R: The Response Phase
The final piece of the security equation, S = P + D + R (Security = Prevention + Detection + Response), is Response. While prevention aims to stop attacks and detection aims to find them, response is about mitigating damage and restoring normal operations after a breach is discovered.
The Problem: The time it takes to respond is a major issue. According to the Ponemon Institute, the average Mean-Time-to-Contain (MTTC) a breach is approximately 70 days. This is the time between discovering an attack and getting it under control. This number has not significantly improved over the years, indicating a need for better strategies.
The Solution: The Security Operations Center (SOC), a centralized team responsible for monitoring and detection, also handles incident response. Traditionally, this process has been manual and relies on the expertise of individual security analysts. The modern approach, however, is SOAR (Security, Orchestration, Automation, and Response).
The SOAR Process: Cases and Investigations
SOAR is a technology-driven approach designed to make incident response faster, more repeatable, and less reliant on manual effort.
Attack & Alert: An attack occurs and is detected by a SIEM (Security Information and Event Management) or XDR (Extended Detection and Response) system.
Case Creation: The SIEM or XDR automatically creates a case in the SOAR system. This case is a formal record of the incident.
Case Enrichment: The system automatically adds relevant information, known as artifacts or indicators of compromise, to the case. This gives the security analyst a head start.
Guided Investigation: The analyst follows a dynamic playbook, which is a set of pre-defined steps and procedures. Unlike a static script, a dynamic playbook can change its steps based on the results of the investigation, guiding the analyst through a complex process.
Remediation: The playbook leads to specific remediation steps, such as blocking an attacker, shutting down a compromised system, or applying a software patch.
Automation vs. Orchestration
Automation: The ideal scenario, where a process is fully automated with no human intervention. This is best for repetitive, predictable tasks.
Orchestration: A semi-automated approach where a human "conducts" the response by triggering automated tasks or scripts. This is necessary for "first of a kind" events that cannot be fully automated.
SOAR's goal is to shift processes from manual to orchestrated and, whenever possible, to fully automated.
The Importance of Breach Notification
A critical part of the response is breach notification, especially if sensitive data (like names, social security numbers, or credit card information) is compromised.
Legal Compliance: There are many different laws and regulations, such as GDPR in Europe, that require timely notification. Failure to comply can result in severe financial penalties, such as fines up to 4% of worldwide revenue or €20 million.
Global Complexity: Breach notification laws vary by country and even by state, making it difficult to know exactly who needs to be notified. A good SOAR tool can help by identifying the relevant regulations based on the type of data and the geography involved.
No comments:
Post a Comment