Operational Forensics and Visibility: It's About Time

Mar 08, 2016 | by RSA

The information security community is well aware of the current state of play between attackers and defenders. Attackers are quick to gain access to enterprise systems and quick to begin exfiltrating enterprise data, whereas defenders have been painfully slow to detect threats and then to respond and recover.

The fact-based analysis and insights now being shared, such as those in the annual Verizon Data Breach Investigations Report (DBIR), have helped everyone better understand the timeline of a security breach. In turn, this information has started to influence several aspects of threat response, including how operational forensics is used and how risk is defined.

Organizations once viewed operational forensics merely as a way to collect evidence after an attack. Companies have started to see these tools as a way to determine the root cause of a data compromise and to mount a faster, more effective response. Combining visibility and intelligence into what is happening throughout the IT infrastructure with security analytics creates new defensive capabilities.

The way companies think about the risk of a security breach is also changing. Organizations need to look not only at the technical details of how an exploit happened but also at the likelihood and the business impact of a successful exploit. Likelihood combined with impact is the proper definition of risk used by decision-makers who are tasked with determining acceptable levels of risk.

Understanding the Timeline of Attackers

In simple terms, the attacker's timeline sets the bar for defender performance. Consider the following chart, which reflects a Monte Carlo model based on the attacker timelines previously published in the Verizon Data Breach Investigations Report.

Expressed in terms of risk: there is a 10 percent likelihood that attackers take less than one day to gain access and begin data exfiltration, and a 90 percent likelihood that they take less than 224 days. The median time from gaining access to the start of exfiltration is about 48 days, and about two-thirds (65 percent) of successful data breaches begin exfiltrating data within 90 days.

When defender performance (the time to detect and contain an attack) falls to the right of this curve, that is, slower than the attacker, data is already leaving by the time the defender acts, and the organization's opportunity is to decrease the magnitude of the business impact of the breach that has occurred. When defender performance falls to the left of the curve, faster than the attacker, the organization should work on reducing the likelihood of a breach occurring in the first place.

Applying Timeline Insights

Security practitioners increasingly understand and accept that strategies based exclusively on prevention leave their organization at risk. At the same time, a better understanding of breach risk in terms of time may also lead to a reevaluation of prevention strategies.

For example, a high percentage of data breaches involve the compromise or misuse of privileged access. It stands to reason that if privileged credentials are actively managed and kept to the left of the attacker's curve, that is, rotated or revoked before an attacker can use a stolen credential to reach data, this will go a long way toward disrupting the attacker lifecycle. Lax practices in managing privileged access leave the window of vulnerability for data breaches wide open.
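The following Python script is an added worked example, not RSA's or Verizon's model and not code from the original post. It turns the four quantiles quoted in the timeline section above (10 percent within 1 day, median 48 days, 65 percent within 90 days, 90 percent within 224 days) into a usable attacker curve, draws Monte Carlo samples from it, and then places a defender's detect-and-contain time, or the privileged-credential rotation interval discussed just above, on that curve. Assumptions: the curve is interpolated linearly in log-time between the quoted quantiles and extrapolated along the nearest segment outside them; "less than one day" is treated as exactly one day at the 10th percentile; all function and variable names are mine.

```python
import math
import random
from bisect import bisect_left

# Quantiles quoted in the article for the time from initial access to the
# start of data exfiltration. Each pair is (days, P(time <= days)).
# Treating "less than one day" as exactly 1 day is an assumption.
KNOTS = [(1.0, 0.10), (48.0, 0.50), (90.0, 0.65), (224.0, 0.90)]
_LOG_DAYS = [math.log(d) for d, _ in KNOTS]
_PROB = [p for _, p in KNOTS]


def _segment(values, x):
    """Index pair (i0, i1) of the knot segment that brackets x in a sorted list.

    Outside the first/last knot the nearest end segment is reused, so the curve
    is extrapolated linearly there (assumption: the article gives no data
    beyond the 10th-90th percentile range).
    """
    i = bisect_left(values, x)
    if i == 0:
        return 0, 1
    if i >= len(values):
        return len(values) - 2, len(values) - 1
    return i - 1, i


def attacker_cdf(days):
    """P(attacker has begun exfiltration within `days`).

    Piecewise-linear in log(days) between the quoted quantiles, clamped to [0, 1].
    """
    if days <= 0:
        return 0.0
    x = math.log(days)
    i0, i1 = _segment(_LOG_DAYS, x)
    x0, x1 = _LOG_DAYS[i0], _LOG_DAYS[i1]
    p0, p1 = _PROB[i0], _PROB[i1]
    p = p0 + (x - x0) * (p1 - p0) / (x1 - x0)
    return min(1.0, max(0.0, p))


def attacker_quantile(u):
    """Inverse of attacker_cdf: days within which a fraction u of attackers begin exfiltration."""
    if not 0.0 < u < 1.0:
        raise ValueError("u must be in (0, 1)")
    i0, i1 = _segment(_PROB, u)
    x0, x1 = _LOG_DAYS[i0], _LOG_DAYS[i1]
    p0, p1 = _PROB[i0], _PROB[i1]
    return math.exp(x0 + (u - p0) * (x1 - x0) / (p1 - p0))


def simulate_attacker_timelines(n, seed=2016):
    """Monte Carlo draw of n time-to-exfiltration values (days) via inverse-transform sampling."""
    rng = random.Random(seed)
    return [attacker_quantile(rng.random()) for _ in range(n)]


def share_exfiltrating_before(samples, defender_days):
    """Fraction of simulated breaches in which exfiltration starts before the
    defender acts (detects and contains, or rotates a stolen credential)."""
    return sum(1 for t in samples if t < defender_days) / len(samples)


def assess_defender(defender_days, samples):
    """Summarise where a detect-and-contain (or credential rotation) time lands
    on the attacker curve. More than half of attackers already exfiltrating
    means the defender sits to the right of the curve."""
    share = share_exfiltrating_before(samples, defender_days)
    return {
        "defender_days": defender_days,
        "share_already_exfiltrating": round(share, 3),
        "side_of_curve": "right" if share > 0.5 else "left",
    }


if __name__ == "__main__":
    draws = simulate_attacker_timelines(50_000)
    print("Defender time to detect and contain:")
    for mttd in (1, 7, 30, 48, 90, 224):
        print(" ", assess_defender(mttd, draws))
    print("Privileged credential rotation interval:")
    for rotation_days in (1, 7, 30, 90):
        print(" ", assess_defender(rotation_days, draws))
```

Run as a script, the table shows that a 90-day detection or rotation interval leaves roughly two-thirds of modelled attackers already exfiltrating before the defender acts, while a one-week interval cuts that to a small minority; the exact sampled shares vary slightly with the seed and sample size. The choice to interpolate in log-time rather than linear time reflects the heavy right tail of the quoted figures (1 day to 224 days across the 10th to 90th percentiles); a linear interpolation would badly overstate how many attackers take months.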

This is a good illustration of how better visibility and operational forensics can lead to a more effective response, and a good case study in how response can point to needed improvements in specific practices and controls.

Author: RSA

Category: RSA Fundamentals

Keywords: Operational Forensics, Verizon Data Breach Report, Visibility