Special Report
How Collaboration Can Optimize Security Operations
The new secret weapon against advanced threats
Contents
Executive Summary 3
Advanced Threat and Incident Management: Ripe for Collaboration 4
It Starts with People 4
Remote Control and Automation Improve Processes 7
Siloed Security Tools Extend the Opportunity for Collaboration 10
Spending Plans May Increase Operational Complexity 11
Measuring Results 11
Doing the Detective Work 12
Conclusion: Key Takeaways 14
Executive Summary
8 days (64 hours) is the average investigation length.
38% to 100% boost in effectiveness with collaboration.
1 in 5 companies juggle 6 to 15 tools to resolve incidents.
2× the increase in investigations when you have advanced threat management tools.

The secret to advanced threat preparedness may actually lie within your organization—your current people, processes, and technologies. A recent Intel Security survey of 565 security decision-makers worldwide points to an untapped opportunity: harnessing the power of collaboration to improve preparedness and overcome the cybersecurity skills shortage. Enterprises are coming to the realization that a fragmented or compartmentalized security operations design is ineffective against today’s advanced security threats. The exponential increase in threat counts and complexity adds to the already heavy burden on security operations and IT. On average, we discovered that it takes eight working days, or 64 hours, to complete a security investigation, from detection to a return to health. Security operations teams use an average of four tools to get the job done. In addition, companies who have deployed advanced threat and incident management solutions perform twice as many investigations as companies without these systems. They can detect more attacks themselves, so they have more work to do to investigate and remediate than those without the extra visibility.

While companies continue to invest in prevention, detection, and analysis tools, our survey revealed they also want to invest in collaboration. Organizations believe they can become 38% to 100% more effective if their threat management and incident response personnel can collaborate better.

This finding shows they are ready to think beyond the traditional collection of siloed products that don’t communicate or share data. They are seeing the value in an open, integrated ecosystem that coordinates security operations with the objective of optimizing protect, detect, and correct processes. Essentially, when you have different teams working on incident detection and response, as well as the inevitable surge in ad hoc personnel, the right collaborative technologies can significantly improve the effectiveness and accuracy of the human factor. This collaboration could take the form of workflows and data sharing among people—formerly siloed IT and security teams—as well as integration and automation of controls, policies, and processes to improve operational efficiency.
How Collaboration Can Optimize Security Operations | 3
Advanced Threat and Incident Management: Ripe for Collaboration

As enterprises start to reshape the way they approach security in order to meet the challenge of advanced threats, they are looking to improve detection and response and other aspects of the threat defense lifecycle. In our research, we asked participants about their approach to “advanced threat and incident management (ATIM),” a term we chose that focuses on actual security operation processes rather than arbitrary product categories. In general terms, an ATIM embraces advanced endpoint detection, analysis, incident response, and remediation features used in security operations.

What is ATIM? ATIM refers to the ability to remotely detect, assess, and contain an incident by investigating system changes (execution activity, file changes); scoping the incident’s effects; and restoring endpoints to their pre-infection state.
It Starts with People

When it comes to threat management and incident response, there are multiple parties involved. The security department, which includes the CISO, security architects, security engineers, and incident responders, is ultimately responsible for overseeing and managing the entire process, but many other players, like endpoint and network administrators and other corporate departments, contribute to performing specific tasks and finalizing an investigation.
“Even if our current efforts to encourage an increase in security training and enrollment in appropriate university programs work out, it will take more than four years for this new talent pool to begin having an impact on staffing threat operations teams. Moreover, threat actors are not going to back off until then, and will continue to innovate and evolve their tactics, techniques, and procedures.”
Torry Campbell, Chief Technology Officer, Emerging Technologies, Intel Security
Threat management contributions are almost evenly spread among different roles, but there are some notable areas of specialization. Every handoff or transition can add significant operational overhead—along with the potential for confusion and chaos and delays in responding. But, on the upside, there is also huge potential for collaboration and increased efficiencies.
Efficiency Improvement due to Centralized Collaboration
0–25%: 45%
26–50%: 30%
51–75%: 15%
76–100%: 11%
Average: 38%
More than 1 in 10 thought their team could be 100% more effective.
Source: darkreading.com
Figure 1. “Centralized collaboration between SOC analysts, incident responders, and endpoint administrators can help improve the effectiveness of incident response in my organization by ___%”
Large enterprises believe that increased collaboration will lead to a 76% to 100% improvement in incident response.

Survey respondents predicted an average of 38% improvement in effectiveness as a result of centralized collaboration. This involves data and process integration that orchestrates multiple technical teams responsible for defending corporate assets: SOC teams, incident response teams, and endpoint and network administrators. Expected improvement is highest in the US (44%) and France (43%) and lowest in Germany (18%). As compared to commercial companies (1,000 to 5,000 employees), a significantly higher percentage of large enterprises (5,000+ employees) believe that increased collaboration among these three groups will lead to a 76% to 100% improvement in incident response. The more people involved, the more benefits derived from collaboration.

As Figure 2 indicates, most enterprises have eight different roles that share varying levels of responsibility across the threat defense lifecycle, which encompasses prevention, detection, triage, analysis, containment, and remediation. Often there is quite a bit of overlap, and roles are not always clear-cut. Organizations need to offer a centralized environment where each contributor can access, assess, and act within their role. For example, dashboards and reports might look different based on role, but should be easy to adapt as a role changes—either permanently or within the “multiple hats” reality of security operations. Regardless of title, most people contribute in many different ways when an incident escalates.

The two main challenges related to collaboration have to do with how well people share information and their overall level of trust across teams. Sharing means communicating clearly and accurately. Currently, manual methods, where data is retyped and reprocessed multiple times, increase the probability of introducing errors. However, automated and collaborative technology solutions can help ensure that the shared data is accurate and reliable. When it comes to trust, having the confidence that the work will get done or has gotten done is key. Trust arises from good communication, transparency, and accountability, all of which engender confidence in the outcome.

“When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify and stigmatize any inefficiency in the IR process, impacting the organization’s ability to minimize damage and downtime. When we train our customers’ incident response teams, 90% of our efforts go to stronger interlock and collaboration between key stakeholders.”
Ismael Valenzuela, IR/Forensics Technical Practice Manager, Foundstone® Services, Intel Security
Primary/Equal Threat Management Responsibility

Role                                       Prevention  Detection  Triage  Analysis  Containment  Remediation
Security Engineer/Architect (CISO office)     53%        48%       48%     45%        48%          45%
Incident Responder                            36%        29%       24%     24%        22%          22%
SOC Analyst                                   33%        36%       33%     36%        27%          26%
Network Administrator/Engineer                25%        27%       27%     27%        31%          35%
Endpoint Administrator                        21%        26%       25%     28%        23%          22%

Top Takeaways:
■ The CISO Office’s engineers and architects have the dominant responsibility end to end.
■ Operational roles are critical for containment and remediation.
■ SOC analysts and incident responders play a major role in prevention, not just analysis and closing cases.

Figure 2. Who in your organization has primary/equal responsibility for each of these threat management scenarios?
Let’s take a closer look at the top three incident management roles and responsibilities. Our research shows that at most enterprises, the lion’s share of responsibility across the entire threat management spectrum falls on the shoulders of security engineers and architects within the CISO function. These roles function both architecturally and tactically. They work at a strategic, holistic level to find the best tools and techniques for every step of the security operations process with an eye toward achieving the best possible outcomes. On a tactical level, they operate in reactive mode when threats strike and also continually monitor the infrastructure for suspicious events.

The second most significant contributor, the SOC analyst, is active in detection, triage, and analysis but often hands off containment and remediation responsibilities to administrative roles, especially network and endpoint administrators. This may involve reimaging systems, applying patches and security updates, and other post-infection clean-up activities. This handoff is often necessary in larger organizations, where IT administrators have a better handle on business requirements and asset usage. IT can work closely with the SOC team when an incident arises to determine the best course of action—one that rapidly and effectively addresses a high-severity threat with minimal disruption to business services. This is especially important when it comes to customer-facing e-commerce services or other mission-critical operations.
Like SOC analysts, incident responders can contribute to all parts of threat management but are most deeply involved with detection and prevention. After they discover the nature and trajectory of the threat and inform the SOC team about their findings, they are also tasked with adjusting the security posture. Their job is to prevent recurrences through updated policies or countermeasures and to inform security architects about their findings so that decisions can be made about how to address areas of concern and even consider future security investments.

Increasing the trust and transparency among interdepartmental teams can go a long way toward ensuring that these functional entities work together well. Teamwork will help them resolve security issues more quickly, and there will be less chance of the problem getting worse due to a lack of coordination. Rapid response will also reduce the chance of new problems arising. Additionally, in this environment of perpetual cyberwarfare, organizations will probably never have too many resources to combat the onslaught of new attacks. We will always need to maximize the resources we do have available and then work together to eradicate or terminate the attacks that get on our radar.

Because there are so many participants, certain common processes—like having an accepted definition of a security incident, assigning severity levels, sharing data, and iterative communications along the way to keep everyone informed—can help prioritize incidents, focus everyone’s efforts, and maximize efficiency.
Remote Control and Automation Improve Processes

To facilitate collaboration, many respondents want the ability to conduct certain processes remotely and to automate tasks. Remote containment, mitigation, and remediation are highly valued as part of rapid response across the board, among all geographies. The top actions that support the security analyst in the SOC doing containment and investigation are network isolation, kill processes, and malware sandbox submissions. Other remote actions are part of rapid remediation by the incident responder or staff involved with operations: restoration of compromised files, system shutdown or reboot, deletion of backdoor accounts, uninstalling software, deletion of files, and clearing browser caches. With a centralized and collaborative system in place, team members are empowered to handle security issues, regardless of where they are physically. When data needs to be investigated within the security operations team but handed off to endpoint and network operations, the shared data sets, commands, and alerts promote accuracy and consistency.

“Centralized tools simplify access to and implementation of the right correction. Specifically, centralized tools help more people, including surge resources, get involved in and accurately follow remediation workflows. Automation further improves results. SIEM [security information and event management], EDR [endpoint detection and response], and unified policy management systems are all beneficial ways to centralize hunting for incidents and automate approved remediation actions.”¹
Torry Campbell, Chief Technology Officer, Emerging Technologies, Intel Security
Importance of Performing Actions Remotely—Top Ten Actions
Network isolation: 74%
Kill process: 71%
Malware sandbox submission: 71%
Restore a compromised file: 70%
Shutdown or Reboot System: 70%
Delete backdoor account: 68%
Uninstall Software: 68%
Stop/Start a Windows Service: 67%
Delete file: 66%
Clear browser cache/cookies: 65%
Figure 3. From an incident response perspective, how important is it for your organization to have the ability to perform each of the following operations remotely?
Flexibility remains important, since security operations teams see their efforts as both an art and a science. This is where detection and response tools that allow for customizable reactions can come into play. Respondents wanted the capabilities suggested in the question, and one in five also added ideas of their own, such as disabling ports and evaluation of Windows event logs. Tools that provide this degree of agility and adaptability will best support today’s incident response challenges.

Remote response is not the same as automated response, although respondents are definitely showing more willingness to automate than in previous surveys. According to our research data, in security operations, enterprises are increasingly comfortable with total automation of certain routine tasks, notably clearing the browser cache/cookies, submitting malware to a sandbox, starting and stopping a Microsoft Windows service, and network isolation. Companies also willingly embrace a “semi-automated” approach—where tasks are scripted but managed by assigned individuals. The movement away from manual execution of certain basic tasks contributes greatly to overall efficiency and forms the foundation for increased collaboration.
Level of Permissible Automation (share of respondents permitting Automation, Semi-automation, or Manually, 0–60%; sorted based on top automated actions)
Clear browser cache/cookies
Malware sandbox submission
Stop/Start a Windows Service
Network isolation
Kill process
Shutdown or Reboot System
Copy a file to an external repository
Restore a compromised file
Delete backdoor account
Cross-product orchestration
Figure 4. How much automation would your organization permit for each of these functions?

“When you want to automate processes, start with the most mundane: the routine tasks that operators normally spend an enormous amount of time on. The key to successfully implementing automation is creating a process and a workflow and then trusting what you have created. And you must continuously improve these. Ultimately that’s what it means to build an adaptive security architecture—the ability to learn and change as you go along.”
Brett Kelsey, Vice President and Chief Technology Officer for the Americas, Intel Security
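The three permission levels in Figure 4 can be enforced as a gate in front of the remediation tooling. The Python below is an added example, not Intel Security's code: it assigns the Figure 4 actions to constructed levels and approver roles, runs fully automated actions at once, holds semi-automated ones until the assigned role releases them, refuses to execute manual-only ones, and writes an audit line for each decision.

```python
"""Gate remediation actions by the level of automation the organization permits.

Added example, not Intel Security's code. The three levels are the survey's
(automated, semi-automated, manual); action names are taken from Figure 4, but
the level and approver assigned to each action below are a constructed policy.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Level(Enum):
    AUTOMATED = "automated"            # runs at once, no human in the loop
    SEMI_AUTOMATED = "semi-automated"  # scripted, but released by an assigned role
    MANUAL = "manual"                  # never executed by the system


# Constructed policy: the level each action is permitted at.
POLICY = {
    "clear_browser_cache": Level.AUTOMATED,
    "malware_sandbox_submission": Level.AUTOMATED,
    "stop_start_windows_service": Level.AUTOMATED,
    "network_isolation": Level.AUTOMATED,
    "kill_process": Level.SEMI_AUTOMATED,
    "shutdown_or_reboot": Level.SEMI_AUTOMATED,
    "restore_compromised_file": Level.SEMI_AUTOMATED,
    "delete_backdoor_account": Level.SEMI_AUTOMATED,
    "cross_product_orchestration": Level.MANUAL,
}

# Constructed mapping of the role that may release each semi-automated action.
APPROVERS = {
    "kill_process": "soc_analyst",
    "shutdown_or_reboot": "endpoint_admin",
    "restore_compromised_file": "endpoint_admin",
    "delete_backdoor_account": "endpoint_admin",
}


@dataclass
class Request:
    incident_id: str
    action: str
    target: str
    requested_by: str
    approved_by: Optional[str] = None


@dataclass
class Dispatcher:
    executed: List[Tuple[str, str, str]] = field(default_factory=list)
    pending: List[Request] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def _run(self, req: Request, how: str) -> str:
        # Stand-in for the EDR/network call; records what would have run.
        self.executed.append((req.incident_id, req.action, req.target))
        self.audit.append(f"{req.incident_id} {req.action} {req.target} executed ({how})")
        return "executed"

    def submit(self, req: Request) -> str:
        level = POLICY.get(req.action)
        if level is None:
            self.audit.append(f"{req.incident_id} {req.action} rejected (not in policy)")
            return "rejected"
        if level is Level.AUTOMATED:
            return self._run(req, "automated")
        if level is Level.SEMI_AUTOMATED:
            needed = APPROVERS[req.action]
            if req.approved_by == needed:
                return self._run(req, f"released by {needed}")
            self.pending.append(req)
            self.audit.append(f"{req.incident_id} {req.action} {req.target} pending {needed}")
            return "pending"
        self.audit.append(f"{req.incident_id} {req.action} {req.target} manual only")
        return "manual"

    def approve(self, incident_id: str, action: str, approver: str) -> str:
        """Release a pending semi-automated request if the assigned role signs off."""
        for req in self.pending:
            if req.incident_id == incident_id and req.action == action:
                if approver != APPROVERS[action]:
                    self.audit.append(f"{incident_id} {action} approval by {approver} refused")
                    return "refused"
                self.pending.remove(req)
                req.approved_by = approver
                return self._run(req, f"released by {approver}")
        return "not_found"
```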
Another possible point of collaboration is engagement with third-party cybersecurity consultants. These specialists can study the security event, help enable quicker recovery from the incident, and help strategize on control, policy, and process changes to prevent future incidents. Interestingly, our survey shows that the current reliance on outside expertise is minimal. We also discovered that smaller companies plan to use these services much more than larger enterprises.
Siloed Security Tools Extend the Opportunity for Collaboration

Perhaps one of the underlying reasons driving the opportunity for collaboration is siloed security tools. The organizations participating in our survey, on average, use four different products to investigate and close out an incident. Some companies use even more—as many as 20% of companies indicate they use between six and 15 products to accomplish this activity. Obviously, this finding underscores the operational complexity of a siloed, multivendor approach to security and implies that the use of multiple management and investigation consoles may slow down results. Also, data is often transferred manually between tools, which could increase the chances of error or misinterpretation. This, in turn, may lead to several consequences: the entire incident response process might have to be reworked, or, if the process is not properly vetted, things can slip through the cracks, which could result in threats not being properly dealt with.
Number of Products Used to Investigate and Close an Incident
The average number of tools used was 4.
20% of companies used more than 6—as many as 15.
Figure 5. Number of products used to investigate and close an incident.
Spending Plans May Increase Operational Complexity

Despite the potential efficiency benefits, collaboration was in a tie for third place when security professionals were asked about their top priorities for enhancing their organization’s preparedness against advanced security threats. The top two planned investments were in detection and prevention tools. However, these investments don’t have to be in conflict. An open ecosystem should facilitate the use of the right—and the latest—tools while improving collaboration. From simple cross-tool scripting and remote commands to tight bidirectional integration through application programming interfaces (APIs), there are many ways for the tools themselves to support collaboration. Collaboration could include process or workflow improvements to connect the six threat management tasks and the eight roles above. It could also involve sharing of local threat intelligence across the entire security infrastructure.
“One of our key initiatives for advancing SOC effectiveness is enriching alert output with endpoint forensics and threat Intelligence via automated analyst playbook and scripts. This not only improves the quality of our alerts, it also boosts overall SOC effectiveness by increasing the number of incidents handled per responder and reducing the time it takes to bring the environment back to a ‘good known state.’ Consequently, these integration efforts are part of our weekly metrics and are closely monitored by our executive sponsors.”
Tony Saint, IT Security Operations Director, Intel

Top Security Investment Priorities to Enhance Preparedness Against Advanced Threats

People
■ 28% more IT security staff.
■ 25% more training.

Process
■ 32% improve collaboration to enhance preparedness against advanced security threats.
■ 32% improve visibility and prioritization of relevant threats and vulnerabilities.
■ 28% automate processes to free up staff for other security-related duties.
■ 22% improve integration with third-party incident response services.

Technology
■ 40% better detection tools.
■ 33% prevention tools.
■ 32% better utilization of threat intelligence.
■ 30% better analysis tools.

Figure 6. How would you prioritize investments to enhance your organization’s preparedness against advanced security threats?
Measuring Results

We also captured details on how companies are assessing their efforts and investments. The top three metrics used to evaluate effectiveness of security operations after ATIM deployment involve time—a metric that can be improved through collaboration: time from detection to containment, time to discovery/detection, and time from containment to remediation.
Time Spent on ATIM Activities
Time to detect (average 20 hours)
Time to contain (average 19 hours)
Time to remediate (average 24 hours)
Responses for each activity were grouped as <=1 hour, 1–5 hours, 5–10 hours, 10–20 hours, and >20 hours.
Figure 7. On average, how much time did it take for your organization to do each of these activities?

“Tougher new EU data privacy regulations, which are currently in the process of being modernized, will be implemented in 2017. Organizations will be legally required to implement a security architecture that ensures a secure and trustworthy digital exchange of data throughout the EU. Data privacy needs to be assured at every level and across the entire infrastructure. In light of that, improved incident investigation and response processes that bring together collaborative tools and teams are imperative.”
Raj Samani, Chief Technology Officer, EMEA, Intel Security
Doing the Detective Work

On average, we discovered that it takes eight working days, or 64 hours, for a security investigation—from detection to a return to health. This block of time is nearly equally split among detection, containment, and remediation, with remediation taking slightly longer than the other two activities. Germany was found to be more efficient at detection, spending an average of five to 10 hours, while, for other countries, detection took between 10 and 20 hours.
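The three time metrics named under Measuring Results, the Figure 7 ranges, and the 64-hour investigation length above can all be computed from incident ticket timestamps. The Python below is an added example, not the report's code; the incident records are constructed, and the start point for time to detect (first suspicious activity in telemetry) and the 8-hour working day are assumptions.

```python
"""Compute the three time metrics the survey uses to judge ATIM effectiveness
and bin them into the ranges of Figure 7.

Added example, not code from the report. Incident records are constructed; the
start point for "time to detect" (first suspicious activity in telemetry) and
the 8-hour working day are assumptions taken from "eight working days, or 64 hours".
"""
from datetime import datetime
from typing import Dict, List, Tuple

# Figure 7 ranges as (label, inclusive upper bound in hours).
BINS: List[Tuple[str, float]] = [
    ("<=1 hour", 1.0),
    ("1-5 hours", 5.0),
    ("5-10 hours", 10.0),
    ("10-20 hours", 20.0),
    (">20 hours", float("inf")),
]
WORKING_DAY_HOURS = 8  # assumption: 64 hours == eight working days

# Constructed sample incidents (ISO 8601 timestamps).
INCIDENTS = [
    {"id": "INC-A", "first_activity": "2016-03-01T08:00", "detected": "2016-03-01T20:00",
     "contained": "2016-03-02T02:00", "remediated": "2016-03-03T02:00"},
    {"id": "INC-B", "first_activity": "2016-03-05T09:00", "detected": "2016-03-05T09:30",
     "contained": "2016-03-05T12:30", "remediated": "2016-03-05T21:30"},
    {"id": "INC-C", "first_activity": "2016-03-10T00:00", "detected": "2016-03-11T06:00",
     "contained": "2016-03-12T06:00", "remediated": "2016-03-13T12:00"},
    {"id": "INC-D", "first_activity": "2016-03-15T10:00", "detected": "2016-03-15T17:30",
     "contained": "2016-03-16T08:30", "remediated": "2016-03-16T13:30"},
]

PHASES = ("time_to_detect", "detect_to_contain", "contain_to_remediate")


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def phase_hours(inc: dict) -> Dict[str, float]:
    """Duration of each phase for one incident; rejects out-of-order timestamps."""
    t = {k: datetime.fromisoformat(inc[k])
         for k in ("first_activity", "detected", "contained", "remediated")}
    m = {
        "time_to_detect": _hours(t["first_activity"], t["detected"]),
        "detect_to_contain": _hours(t["detected"], t["contained"]),
        "contain_to_remediate": _hours(t["contained"], t["remediated"]),
    }
    bad = [k for k, v in m.items() if v < 0]
    if bad:
        # A negative phase means the ticket's timestamps contradict each other;
        # averaging it in would silently shorten the reported metric.
        raise ValueError(f"{inc['id']}: timestamps out of order in {bad}")
    return m


def bin_label(h: float) -> str:
    """Map a duration to its Figure 7 range (upper bounds inclusive)."""
    for label, upper in BINS:
        if h <= upper:
            return label
    raise ValueError("negative duration")


def summarize(incidents: List[dict]) -> dict:
    """Average per phase, % of incidents per range, and total investigation length."""
    per_incident = [phase_hours(i) for i in incidents]
    n = len(per_incident)
    averages = {p: sum(m[p] for m in per_incident) / n for p in PHASES}
    distribution = {}
    for p in PHASES:
        counts = {label: 0 for label, _ in BINS}
        for m in per_incident:
            counts[bin_label(m[p])] += 1
        distribution[p] = {label: round(100.0 * c / n, 1) for label, c in counts.items()}
    total = sum(averages.values())
    return {
        "averages_hours": averages,
        "distribution_pct": distribution,
        "average_investigation_hours": total,
        "average_investigation_working_days": total / WORKING_DAY_HOURS,
    }


if __name__ == "__main__":
    s = summarize(INCIDENTS)
    for p in PHASES:
        print(f"{p:>22}: avg {s['averages_hours'][p]:5.1f} h  {s['distribution_pct'][p]}")
    print(f"investigation: {s['average_investigation_hours']:.1f} h, {s['average_investigation_working_days']:.1f} working days")
```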
4 out of 5 organizations have deployed ATIM or are testing one.
2 top drivers of ATIM adoption are threat assessment and reducing security impact on users.
When security incidents do occur, larger organizations with more than 5,000 employees are more apt to conduct investigations than smaller companies. A greater share (21%) of security professionals in Germany and the UK are involved in 10 or more investigations, while 20% in the US, France, and other countries conduct five to nine investigations. A possible explanation for the larger number of investigations in the UK and Germany could be the exercise of more rigorous best practices and investment in advanced tools in an effort to meet demanding data privacy compliance regulations.

From our survey, more than four out of five organizations have deployed an advanced threat and incident management solution or are pilot testing one. The top two drivers for adoption of ATIM are threat assessment analysis and reduction of the impact of security on users. As companies work to improve their threat management abilities, those that deploy advanced threat and incident management tools on average perform twice as many investigations and more than half find that routine investigations take longer. Those that have deployed or are piloting ATIM solutions tend to conduct 10 security investigations on average, or double the five investigations on average per year among companies that have not implemented an ATIM.
2 times as many investigations are conducted by companies that deploy ATIM.
10 security investigations on average per year are conducted by organizations with ATIM.
It’s likely that companies with ATIMs are finding more threats and taking longer because they now have the tools for more visibility. They see more and have more data to work with. Better detection and deeper visibility into malware capabilities, network traffic, database activity, and endpoint state will also help you understand what actions you need to take to contain and remediate the new incidents you are investigating.

However, having more tools doesn’t necessarily mean slower results. Almost half of the companies surveyed that are deploying ATIM achieve faster time to discovery/detection, faster time from detection to containment, and faster time from containment to remediation. These are the success stories. The half that is not seeing improvement may have two storylines. As previously noted, they are gaining more insights and are likely performing more detailed, lengthy investigations. Additionally, their tools may not have been deployed to fully take advantage of workflow, alerting, and scripting that are available with real-time security operations systems designed for collaboration. Understanding both of these likely scenarios will help organizations plan and implement ATIM for greater success.
Conclusion: Key Takeaways

We all accept the reality that advanced threats—whether they originate internally or externally—are here to stay. In the face of this challenge, companies are adapting their security and “operationalizing” threat and incident management to become more effective at identifying and acting on top-priority incidents. As we have seen from our research, collaboration is vital to improving security operations. We can predict a dramatic improvement in efficiency with more collaboration and automation among security technologies and the people who operate them. In fact, we believe that the larger the organization, the higher the payoff. Collaboration can:
■ Contribute to real-time visibility—connecting people, processes, and technology across events, data, and systems.
■ Improve and guide execution through workflows, scripts, automation, and reporting that reduce the effort and error associated with complex processes involving multiple roles at a company.
■ Offer a hidden upside opportunity, ensuring that collaboration among tools fosters collaboration among people. By better utilizing the tools you have and enabling the people who use them, you’ll be able to detect, contain, and remediate more threats faster with less organizational cost.

Collaboration is not just an abstract concept; it’s a practical and necessary “secret weapon” in your defense against today’s advanced threats.
Survey Objectives and Methodology

The goal of our research was to gain a perspective on the level of preparedness of organizations across the globe in the face of advanced threats. Researchers interviewed 565 participants from North America, the UK, the Asia Pacific region, Germany, and France. This population comprised endpoint security administrators, network administrators, key security operations personnel (including CISOs and architects), and individuals on the ground floor at security operations centers (SOCs) and incident responders. Two types of companies were included—commercial organizations with 1,000 to 5,000 employees and enterprises with more than 5,000 employees.

About Intel Security

McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security combines the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. Intel Security’s mission is to give everyone the confidence to live and work safely and securely in the digital world. www.intelsecurity.com
1 https://blogs.mcafee.com/executive-perspectives/survey-says-incident-response-fighting-back/
McAfee. Part of Intel Security. 2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.intelsecurity.com
The information in this document is provided only for educational purposes and for the convenience of Intel Security customers. The information contained herein is subject to change without notice, and is provided “as is,” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. Copyright © 2016 Intel Corporation. 62358rpt_inci-mgmt_0416_PAIR