Enterprises Need A Panic Button for Security Breaches


Most home security systems have a panic button: if you hear something go bump in the night, you can push it to start the sirens wailing, call the police and, hopefully, send the intruders scurrying. As useful as this is for homeowners, enterprises need a security panic button even more.

A better analogy may be that a silent burglar alarm is only useful if it automatically calls the police. Enterprise security that does not automatically invoke some sort of thoughtful response to an attack guarantees that the company will respond in an ad hoc and sub-optimal fashion to any breach it does detect.

Security spending is heavily weighted towards keeping attackers out. Media coverage has demonstrated how often they get in anyway. So far, there is relatively little automation focused on what to do once you find that an attacker has gotten in.

According to the CyberEdge Group, 71% of large enterprises reported at least 1 successful hacking attack in 2014. Sometimes the breach is discovered through intrusion detection or another internal security mechanism. Sometimes it is discovered because an external party reports it; many of the big hacks are first reported by external sources!

While there is extensive advice on the manual steps to take in response to a malicious attack, there is little in the way of automated response. This is an important area in which to extend enterprise automation.

What might a Panic Button for automated response to security incidents look like? Essentially this would be an automated workflow that would implement a set of tasks to eliminate the current attack, identify existing losses and minimize future damage. An example workflow could include:

  1. Identify compromised systems from intrusion detection tools and disconnect them from the network
  2. Search for unauthorized processes or applications currently running or set to run on startup, and remediate them
  3. Run file integrity checks and restore files to the last known good state
  4. Examine the authentication system for unauthorized entries or changes and roll back suspect changes
  5. Make backup copies of breached systems for forensic analysis
  6. Identify information stolen, using OS and database logs
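As an added illustration of the workflow above (example code written for this edit, not part of the original article), the following Python sketch builds an ordered response plan from constructed inputs: IDS alerts, a file-integrity baseline, an autostart allowlist and an account directory. Every host, signature, hash and account below is constructed sample data, and the action names (isolate, snapshot_for_forensics, restore_from_baseline, and so on) are hypothetical labels that a real playbook would map onto its network, endpoint and identity integrations. One deliberate departure from the list's order: the forensic snapshot is taken before any file is restored, so remediation does not overwrite the evidence an investigator will need.

```python
"""Toy 'panic button' playbook: from constructed inputs, decide which
containment and remediation actions an automated response would take.
All hosts, hashes, accounts and alerts here are constructed sample data."""
import hashlib
from typing import Dict, List


def sha256(data: str) -> str:
    """Hex SHA-256 of a string; used to build the constructed file baseline."""
    return hashlib.sha256(data.encode()).hexdigest()


# --- Constructed inputs: stand-ins for IDS output, a file-integrity baseline,
# --- an autostart inventory and an account directory --------------------------
IDS_ALERTS = [
    {"host": "web-01", "severity": "high", "signature": "outbound beacon to known C2"},
    {"host": "web-02", "severity": "low", "signature": "port scan"},
    {"host": "db-01", "severity": "critical", "signature": "credential dumping tool"},
    {"host": "web-01", "severity": "medium", "signature": "suspicious cron entry"},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

FILE_BASELINE = {"/etc/passwd": sha256("root:x:0:0\n"), "/usr/bin/sshd": sha256("sshd-v1")}
CURRENT_FILES = {
    "/etc/passwd": sha256("root:x:0:0\nbackdoor:x:0:0\n"),  # tampered
    "/usr/bin/sshd": sha256("sshd-v1"),                      # unchanged
    "/tmp/.x": sha256("dropper"),                            # not in baseline
}

AUTOSTART_ALLOWLIST = {"sshd", "cron", "nginx"}
CURRENT_AUTOSTART = {"sshd", "cron", "nginx", "update-helper"}

ACCOUNT_BASELINE = {"root": "admin", "alice": "user", "svc-backup": "user"}
CURRENT_ACCOUNTS = {"root": "admin", "alice": "admin", "svc-backup": "user", "backdoor": "admin"}


def identify_compromised(alerts: List[dict], min_severity: str = "high") -> List[str]:
    """Step 1: hosts with at least one alert at or above the threshold, deduplicated."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted({a["host"] for a in alerts if SEVERITY_RANK[a["severity"]] >= threshold})


def find_unauthorized_autostart(allowlist, current) -> List[str]:
    """Step 2: autostart entries that are not on the approved allowlist."""
    return sorted(set(current) - set(allowlist))


def check_file_integrity(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Step 3: compare current hashes against the known-good baseline."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def find_account_changes(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Step 4: accounts added since the baseline, or whose role was raised to admin."""
    added = sorted(u for u in current if u not in baseline)
    escalated = sorted(u for u in current
                       if u in baseline and baseline[u] != "admin" and current[u] == "admin")
    return {"added": added, "escalated": escalated}


def build_response_plan(alerts, file_baseline, current_files, allowlist, autostart,
                        acct_baseline, accounts) -> List[dict]:
    """Assemble an ordered action plan. Containment and evidence capture come
    first so that remediation does not destroy what forensics needs (step 5
    is therefore executed before step 3's restore)."""
    plan = []
    hosts = identify_compromised(alerts)
    plan += [{"action": "isolate", "target": h} for h in hosts]
    plan += [{"action": "snapshot_for_forensics", "target": h} for h in hosts]
    plan += [{"action": "disable_autostart", "target": p}
             for p in find_unauthorized_autostart(allowlist, autostart)]
    fi = check_file_integrity(file_baseline, current_files)
    plan += [{"action": "restore_from_baseline", "target": p} for p in fi["modified"] + fi["missing"]]
    plan += [{"action": "quarantine_file", "target": p} for p in fi["unexpected"]]
    ac = find_account_changes(acct_baseline, accounts)
    plan += [{"action": "disable_account", "target": u} for u in ac["added"]]
    plan += [{"action": "revert_role", "target": u} for u in ac["escalated"]]
    return plan


if __name__ == "__main__":
    for step in build_response_plan(IDS_ALERTS, FILE_BASELINE, CURRENT_FILES, AUTOSTART_ALLOWLIST,
                                    CURRENT_AUTOSTART, ACCOUNT_BASELINE, CURRENT_ACCOUNTS):
        print(f'{step["action"]:24s} {step["target"]}')
```

Each function returns its findings rather than acting on them, so the plan can be reviewed, logged and handed to whatever integration performs the isolation or rollback; the severity threshold in identify_compromised is the knob that keeps a low-severity port scan from triggering a full isolation.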

In fact, companies should have automated responses prepared for a number of different scenarios. There is no one-size-fits-all automation solution that addresses every type of attack.

By creating automated “Panic Button” workflows that respond to security incidents, enterprises can reduce the damage of an attack. This automated approach can also show customers that an enterprise is taking full precautions to protect their personal information from falling into the wrong hands.

Good post! However, security management at the enterprise level, proactive and reactive, requires a whole new innovative approach. There are many challenges, especially for organically grown large organizations. If there are weaknesses in data classification or firewalled systems (just to name a few), a panic button or security systems will not be effective. Multi-level re-architecture may be a prerequisite. Anyway, a panic button or kill switch is always nice to have.

Great post. Given the number of breaches and the amount of sensitive information in play, a reaction plan including PR crisis management should be in place everywhere.


According to Gartner, “By 2019, 40% of large enterprises will require specialized, automated tools to meet regulatory obligations in the event of a serious information security incident.” Since the vast majority of Security Operations Centers (SOCs) today investigate security incidents manually, this forecast heralds significant changes ahead for how enterprises deal with breaches of their IT environments. Manual responses are no longer sufficient to keep pace with the rising volume and variety of cyber security attacks. These attacks are generating a geometric increase in security alerts, which must be sifted through to differentiate real threats from false positives before taking proper countermeasures. Expecting human operators to effectively defend against this digital onslaught with manual procedures is neither prudent nor realistic. When looking for an OOTB security automation solution, consider a tool that requires no programming skills and has broad integration capabilities with other security systems, network monitoring systems, and ITSM platforms. Ayehu's eyeShare is one such option: http://ayehu.com/solutions/security-operations-center-soc/


Interesting post. So if your currently implemented platforms, analytics, and security practices didn't detect the compromise before you hit the panic button, hitting the panic button does what function for these platforms? Shouldn't every item you listed as part of a reactive button, be something all your defensive systems were doing proactively, ongoingly and in real-time?



More articles by Christopher Keene