08 Sep Equifax reminds us: If breach response was easy, machines would do it
by John Jolly, Syncurity President and CEO
Why did it take so long to:
- Discover the breach? (Mid-May – July 29)
- Validate the breach? (July 29 – Aug 8)
- Communicate the breach publicly? (Aug 8 – Sep 8)
In the wake of one of history’s largest reported data breaches at Equifax, many voices will claim the attack is proof that more sophisticated prevention and detection technologies (e.g., “machine learning”) are urgently needed in cybersecurity.
Yet, financial services firms like Equifax are already awash in cutting-edge security technology and resources. If institutions like these can fall victim, what’s to stop attacks on Equifax’s peers, let alone smaller sensitive organizations in retail, healthcare or manufacturing? The truth is that “more technology” alone is not the answer. It is tempting to think the window of compromise in Equifax’s breach timeline – between when the break-in occurred and when it was noticed – can be eliminated with some sort of “automated” defense that does things faster than humans can. Yet this is a knee-jerk response that overlooks the realities of incident response.
The answer is not software that processes all the alerts from the IT and security infrastructures, and then automatically responds based on pre-defined criteria. If it was possible to programmatically identify and stop these breaches, machines would already be doing it. Instead, it requires humans with knowledge of businesses’ IT assets, infrastructures and context to determine what’s actually happening – and what to do about it.
Before and during breaches, there are three key phases where machines can enhance human decision-making, but cannot replace people:
Phase 1 – Alert Triage
Triage is the process of evaluating potentially suspicious alerts/activity for further analysis to determine if a breach is occurring. The digital fingerprints of the Equifax breach were apparently first seen in mid-May, but not recognized as a breach for over two months. It is questionable whether a “lights-out,” fully automated version of this triage process would have caught a breach significantly earlier. Instead, automation must be used to expedite visibility to aid the human determination of “what’s happening.”
To do so, what’s needed is a technology platform to more quickly:
- Highlight the events which pose the most potential risk
- Gather all the necessary related data and context in support of the investigation
- Pivot across multiple disparate data sources for validation
- Enable human analysts to determine, then declare, that there’s a breach
The key is to quickly cut the alert “dwell time”: the interval between when the warning signs of a potential breach first surface as alerts from the IT and security infrastructure and when the firm realizes there is a breach. In the Equifax case that interval was more than two months.
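The four platform capabilities listed above and the dwell-time measurement can be made concrete in a few dozen lines. The following is an added example, not Syncurity’s product code and not anything from the Equifax investigation: it enriches tool alerts with asset context (the asset inventory, weights, and the sample alerts are all constructed assumptions), correlates alerts per asset so an analyst sees every source that fired, ranks the resulting cases by risk, and computes dwell time from the first warning sign to the moment a human declares an incident.

```python
from datetime import datetime

# Constructed sample alerts (not real Equifax telemetry): one alert per line,
# carrying the producing tool, the asset concerned, the tool's own severity and a timestamp.
SAMPLE_ALERTS = [
    {"id": "A1", "source": "waf",     "asset": "web-portal-01", "severity": 5, "ts": "2017-05-13T02:10:00"},
    {"id": "A2", "source": "edr",     "asset": "web-portal-01", "severity": 4, "ts": "2017-05-13T02:14:00"},
    {"id": "A3", "source": "proxy",   "asset": "dev-box-07",    "severity": 2, "ts": "2017-05-14T09:00:00"},
    {"id": "A4", "source": "netflow", "asset": "web-portal-01", "severity": 3, "ts": "2017-05-15T23:40:00"},
]

# Hypothetical asset inventory supplying the business context a tool alert lacks.
# The weights below are assumptions chosen for illustration, not an industry standard.
ASSET_CONTEXT = {
    "web-portal-01": {"internet_facing": True,  "data_class": "pii",  "criticality": 3},
    "dev-box-07":    {"internet_facing": False, "data_class": "none", "criticality": 1},
}
UNKNOWN_ASSET = {"internet_facing": False, "data_class": "none", "criticality": 1}


def risk_score(alert, context):
    """Combine the tool's severity with asset context so the riskiest items surface first."""
    ctx = context.get(alert["asset"], UNKNOWN_ASSET)
    score = alert["severity"] * ctx["criticality"]
    if ctx["internet_facing"]:
        score += 3          # reachable from the outside
    if ctx["data_class"] == "pii":
        score += 5          # regulated data at stake
    return score


def correlate(alerts):
    """Group alerts by asset: the case shows every source that fired, not one alert at a time."""
    by_asset = {}
    for alert in alerts:
        by_asset.setdefault(alert["asset"], []).append(alert)
    return by_asset


def triage(alerts, context):
    """Return (asset, score, sources, first_seen) per case, highest risk first.

    Several independent sources agreeing on the same asset raises the score:
    each extra alert adds one point on top of the strongest single alert.
    """
    cases = []
    for asset, group in correlate(alerts).items():
        score = max(risk_score(a, context) for a in group) + len(group) - 1
        sources = sorted({a["source"] for a in group})
        first_seen = min(datetime.fromisoformat(a["ts"]) for a in group)
        cases.append((asset, score, sources, first_seen))
    return sorted(cases, key=lambda case: case[1], reverse=True)


def dwell_time(first_alert_ts, declared_ts):
    """Alert dwell time: from the first warning sign to the human declaration of an incident."""
    return datetime.fromisoformat(declared_ts) - datetime.fromisoformat(first_alert_ts)


if __name__ == "__main__":
    for asset, score, sources, first_seen in triage(SAMPLE_ALERTS, ASSET_CONTEXT):
        print(f"{score:3d}  {asset:14s}  sources={sources}  first_seen={first_seen}")
    # Constructed dates: first alert in mid-May, incident declared on July 29.
    print("dwell time:", dwell_time("2017-05-13T00:00:00", "2017-07-29T00:00:00"))
```

The point of the context join is that a severity-3 netflow alert on an internet-facing PII host outranks a severity-2 alert on a development box, which is exactly the judgement a tool-only queue cannot make; the dwell-time figure is what the platform should be reporting on every closed case so the two-month gap becomes a tracked metric rather than a post-mortem surprise.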
Phase 2 – Investigation
The next question to ask is, “Why can’t machines more quickly investigate and validate a breach?” or “Why did it take almost two weeks to confirm what happened at Equifax?” Again, once triage determines that there’s an incident, the investigation process, much like police sleuthing at a crime scene, is not so predictable, or programmatic, that it can be easily codified in software or emulated using AI. Instead, human investigators need a platform from which they can view evidence and pull all the various threads they might need to pursue, while having their team’s work captured in a consolidated digital case file, which includes all the alert triage data and analysis that led to their original determinations. This then enables them to quickly pivot to the actions needed to stop (contain) a breach and recover (remediate).
Phase 3 – Response
We are sure to hear “Why can’t machines handle all the response, notification and reporting requirements for a breach?” Again, the scope and complexity of these events are such that it is not practical to expect an AI-powered easy button. A more practical path for companies is to catalogue the workflow of steps required in each situation and track progress of those steps. These steps vary based on the nuances of the event, the potential risk, and a firm’s preferred response approach, and often may require deviation from the pre-drafted plan.
While workflows can – and should – be consistently and clearly structured from a process perspective, the actions needed to contain and remediate an incident typically require human approval. Firms need a platform that facilitates the workflows with automation and integrates the required human decision-making/approvals.
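A workflow engine of the kind Phase 3 describes, and the consolidated case file Phase 2 asks for, reduce to a small state machine: steps come from a catalogued playbook, the containment and remediation actions are parked until a named human approves them, deviations from the plan are allowed but only with a recorded reason, and the case keeps an audit trail from which the end-to-end report is generated. The code below is an added illustration, not Syncurity’s platform or any firm’s real playbook; the step list, the incident id and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed playbook for a suspected PII exposure (an assumption for illustration):
# (step description, whether a human must approve before the step may execute).
RESPONSE_PLAYBOOK = [
    ("Isolate affected host from the network", True),
    ("Preserve disk and memory images", False),
    ("Reset credentials seen on the host", True),
    ("Notify legal and privacy counsel", False),
    ("File regulatory notification", True),
]


@dataclass
class Step:
    description: str
    needs_approval: bool
    status: str = "pending"            # pending | blocked | done | skipped
    actor: Optional[str] = None
    approver: Optional[str] = None
    reason: Optional[str] = None       # justification recorded for any deviation
    finished_at: Optional[str] = None


@dataclass
class Case:
    """Digital case file: the playbook steps plus an append-only audit trail."""
    incident_id: str
    steps: List[Step]
    audit: List[str] = field(default_factory=list)

    @classmethod
    def from_playbook(cls, incident_id, playbook):
        return cls(incident_id, [Step(desc, approval) for desc, approval in playbook])

    def _close(self, step, status, clock):
        step.status, step.finished_at = status, clock
        self.audit.append(f"{clock} {self.incident_id} step={step.description!r} status={status}")

    def execute(self, index, actor, approver=None, clock="2017-07-30T10:00:00Z"):
        """Run one step. Steps flagged needs_approval stay blocked until an approver is named."""
        step = self.steps[index]
        if step.status in ("done", "skipped"):
            return step.status                          # idempotent: never re-run a closed step
        if step.needs_approval and approver is None:
            step.status = "blocked"
            self.audit.append(f"{clock} {self.incident_id} step={step.description!r} status=blocked (approval required)")
            return step.status
        step.actor, step.approver = actor, approver
        self._close(step, "done", clock)
        return step.status

    def skip(self, index, actor, reason, clock="2017-07-30T10:00:00Z"):
        """Deviate from the pre-drafted plan, but only with a recorded justification."""
        if not reason:
            raise ValueError("a deviation from the playbook must carry a reason")
        step = self.steps[index]
        step.actor, step.reason = actor, reason
        self._close(step, "skipped", clock)
        return step.status

    def open_steps(self):
        return [s.description for s in self.steps if s.status in ("pending", "blocked")]

    def report(self):
        """End-to-end record of who did what, when, and with whose approval."""
        closed = len(self.steps) - len(self.open_steps())
        lines = [f"Incident {self.incident_id}: {closed}/{len(self.steps)} steps closed"]
        for s in self.steps:
            approved = f" approved_by={s.approver}" if s.approver else ""
            why = f" reason={s.reason!r}" if s.reason else ""
            lines.append(f"  [{s.status:8}] {s.description} by={s.actor or '-'}{approved}{why}")
        return "\n".join(lines)


if __name__ == "__main__":
    case = Case.from_playbook("INC-EXAMPLE", RESPONSE_PLAYBOOK)
    case.execute(0, "analyst")                         # blocked: isolation needs sign-off
    case.execute(0, "analyst", approver="ir-lead")     # now runs, approval is on record
    case.execute(1, "analyst")                         # evidence capture needs no approval
    case.skip(3, "analyst", "counsel already on the incident bridge")
    print(case.report())
    print("\n".join(case.audit))
```

Two design choices carry the article’s point: the approval gate is data on the step, so the workflow stays consistent across incidents while the decision itself stays with a person, and a skip without a reason is rejected outright, so the case file can never show a silent departure from the plan when the regulator asks for the timeline.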
All of these questions point to the need for firms of all sizes, and in all industries, to examine their Security Operations capabilities and determine how well they enable their human analysts to:
- Quickly identify potentially high-risk alerts from their environment, cutting alert dwell time
- Execute investigation processes by putting the resources needed at the analyst’s fingertips vs. jumping from system to system, reducing validation time
- Execute Incident Response playbooks that orchestrate people, process and technology faster to compress time-to-containment and time-to-remediation
- Generate all the needed detailed end-to-end reporting required within the prescribed regulatory timelines
Learn more about Syncurity and download our new ebook
To learn more about how Security Operations software platforms can help accelerate and scale these triage, investigative, and response steps in support of human decision-making, download the ebook, “Stop Drowning in Security Alerts,” check out Syncurity content on Peerlyst, or visit us at www.syncurity.net. Share your take on lessons from Equifax with us on Twitter and LinkedIn.