With all the news about data breaches lately, it’s not
particularly surprising to wake up to headlines describing yet another
one. What is perhaps a bit surprising, however, is the common theme that
seems to exist in many of the breach stories. Time and time again, when
organizations get breached, they find out the hard way that they don’t have the
endpoint and network visibility they thought they did. The necessary data
to perform the forensics required to reach an analytical conclusion is simply
missing. Further, there is no way to remedy this situation – if the data
was not properly recorded when it traversed the network or endpoint, there is simply no way to access it.
What are some of the reasons that data is not
available come breach response time? Let’s take a look at a few of them.
· Collection: One of the goals of a security program is to ensure that the necessary network and endpoint data are collected. Unfortunately, this is often a challenge for even the most mature of security programs. In some cases, organizations may not have their networks and endpoints properly instrumented for collection. In other cases, organizations may not be properly equipped to retain and expose for analysis the volume of data created by the network and endpoint instrumentation. Either way, when it comes time to investigate, the relevant data will not be available.
· Visibility: More data doesn’t necessarily mean more visibility or coverage. There is an important distinction between the volume of the data and the portions of the organization that it provides visibility into. Some organizations may have portions of their networks or endpoints instrumented for collection, but not others. But what if the breach occurs in an area of the network or on an endpoint that is not included in the area of visibility? In those cases, unfortunately, data that is relevant to the breach investigation will not be available for forensics and analysis.
· Retention: Another important dimension to consider is that of retention. In the absence of an infinite volume of storage, data cannot be retained forever. Today’s organizations generate incredible amounts of data from their collection efforts. Sometimes, the network and endpoints are properly instrumented in the appropriate places, but there is simply nowhere to put the volume of data that is generated. As the volume of data grows, either the retention period shrinks, or the storage capacity grows to compensate. It is not uncommon for the retention period to fall to 30 days, or even less. With mean-time-to-detection at a staggering 229 days, it is easy to see that 30, 60, or even 90 days of retention is simply inadequate when it comes time to perform forensics and analysis. Although the relevant data for the investigation may have existed at one time, if it isn’t present when we perform our investigation, it doesn’t help us much. This necessitates us getting a bit smarter about what data we retain. Our goal should be data that provides us maximum visibility into the network and endpoints, but at the minimal volume. Perhaps it sounds a bit radical to say, but the days of “collect everything” are gone – instead we find ourselves in an era of “collect the most relevant things”.
· Analysis: Even if our collection, visibility, and retention are squared away, we may still encounter frustrations and limitations when performing incident response. Although we may have the data we need over the time period we need it for, we still need to be able to analyze it. If we are unable to extract the data rapidly from our forensic collection platforms, we will be unable to analyze it. Simply put, what goes in must come out. For example, say we need to search for the first appearance of a given Indicator of Compromise (IOC) over the entirety of our retention period. For this example, let’s assume our retention period is on the order of 12 months. If that query fails before completing or takes days to complete, it is of no value to incident response. Incident response demands answers in seconds or minutes, rather than hours or days.
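The retention and analysis points above can be made concrete with a small first-seen index. The following is an added example, not code from the original post or from FireEye: it ingests constructed log records (made-up hosts, TEST-NET addresses and example.com-style domains, so not real indicators), records the earliest appearance of each indicator at ingest time so that a "when did this IOC first show up?" query is a single lookup rather than a rescan of the whole retention window, and reports how far the retained window falls short of a chosen mean-time-to-detection. The field names treated as indicators (dst_ip, domain, sha256) and the record format are assumptions for this example.

```python
"""Added example: first-seen IOC lookup over a retained window.

Constructed records are indexed once so that "first appearance of
indicator X across the entire retention period" answers in constant
time. The index also tracks the span it actually covers, because a
"not seen" result only means "not seen within what we retained".
"""
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Fields whose values are treated as indicators (an assumption for this example).
INDICATOR_FIELDS = ("dst_ip", "domain", "sha256")

# Constructed sample records: (timestamp, source, fields). Deliberately
# out of chronological order to show the index picks the earliest hit.
SAMPLE_HASH = "deadbeef" * 8  # constructed 64-hex-char value, not a real file hash
SAMPLE_RECORDS = [
    ("2015-03-10T14:02:11Z", "proxy",    {"host": "ws-42", "domain": "update.example.net"}),
    ("2015-06-01T02:00:00Z", "endpoint", {"host": "srv-db1", "sha256": SAMPLE_HASH}),
    ("2015-02-20T23:40:05Z", "proxy",    {"host": "ws-09", "dst_ip": "203.0.113.5"}),
    ("2015-01-03T08:12:00Z", "proxy",    {"host": "ws-17", "dst_ip": "203.0.113.5"}),
    ("2015-12-28T11:11:11Z", "proxy",    {"host": "ws-42", "domain": "update.example.net"}),
]


def parse_ts(text):
    """Parse a UTC timestamp in the fixed format used by the sample records."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


class IocIndex:
    """Maps each indicator to the earliest retained record containing it."""

    def __init__(self):
        self._first = {}      # indicator value -> {"ts", "source", "host"}
        self.oldest = None    # earliest timestamp retained
        self.newest = None    # latest timestamp retained

    def ingest(self, ts_text, source, fields):
        """Index one record; O(number of indicator fields) per record."""
        ts = parse_ts(ts_text)
        if self.oldest is None or ts < self.oldest:
            self.oldest = ts
        if self.newest is None or ts > self.newest:
            self.newest = ts
        for name in INDICATOR_FIELDS:
            value = fields.get(name)
            if value is None:
                continue
            hit = self._first.get(value)
            if hit is None or ts < hit["ts"]:
                self._first[value] = {"ts": ts, "source": source, "host": fields.get("host")}

    def first_seen_of(self, indicator):
        """Return the earliest sighting, or None if absent from the retained window."""
        hit = self._first.get(indicator)
        if hit is None:
            return None
        return {"first_seen": hit["ts"].strftime(TS_FMT),
                "source": hit["source"], "host": hit["host"]}

    def retention_days(self):
        """Whole days between the oldest and newest retained record."""
        if self.oldest is None:
            return 0
        return (self.newest - self.oldest).days

    def retention_shortfall_days(self, mttd_days):
        """Days by which the retained window is shorter than a detection window."""
        return max(0, mttd_days - self.retention_days())


def build_index(records):
    index = IocIndex()
    for ts_text, source, fields in records:
        index.ingest(ts_text, source, fields)
    return index


if __name__ == "__main__":
    idx = build_index(SAMPLE_RECORDS)
    for ioc in ("203.0.113.5", "update.example.net", "198.51.100.9"):
        print(ioc, "->", idx.first_seen_of(ioc))
    print("retained days:", idx.retention_days())
    # 229 days is the mean-time-to-detection figure quoted in the post.
    print("shortfall vs 229-day MTTD:", idx.retention_shortfall_days(229))
```

The design choice is that the expensive work happens once at ingest, so the "first appearance" answer arrives in milliseconds regardless of how many months are retained; a None result should be read together with retention_days(), since an indicator older than the retained window is invisible rather than absent.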
Despite the steady stream of bad news regarding data
breaches, there is some good news. By taking proactive steps,
organizations can prepare themselves to perform rapid and efficient incident
response when they become the victim of a breach. Among many details,
it’s important for an organization to consider the points above when assessing
its breach preparedness.
Source : fireeye.com