
Expert insights: Why visibility and forensics matter in cybersecurity

13 Dec 2017

Article by David Shefter, chief technology officer at Ziften Technologies

You can’t fight what you can’t see, and you can’t find the root cause of problems if the data isn’t available.

In the fight against Advanced Persistent Threats (APTs), ranging from ransomware to malware and other destructive attacks, enterprises need a heightened ability to detect, view and investigate using forensics. What’s more, they need to respond quickly to advanced hacks and attacks on the most popular operating systems, whether on mobile, desktop, cloud, virtual machines — or containers and microservices.

Visibility must reach far and wide. Today the cloud has become a major attack vector: according to Microsoft’s latest Security Intelligence Report (SIR), attacks on cloud accounts rose by 300% from 2016 to 2017.

Considering the widening scope of cyber threats, security operations staff, whether they’re part of a CISO organisation or embedded within IT, will benefit from using a comprehensive systems and security operations platform to detect attacks and zero-day exploits, to uncover the full scope of a breach, and to quickly respond to attacks.

The 6-Point Checklist

Do your security teams have these enterprise-wide forensics capabilities?

1. Single-source-of-truth visibility into every asset – laptops, desktops, servers, virtual machines, containers?
2. Continuous, rich data collection and storage from every managed endpoint, including system, user behaviour, network connectivity, application, binary, and process data?
3. Continuous device state and behaviour monitoring; real-time issue-, threshold-, and threat-based alerting and ticketing?
4. Actionable data from threat feeds, whether open-source or commercial?
5. Advanced threat detection and hunting capabilities across Windows, Mac, and Linux systems, including client devices, data centre, and cloud?
6. Capabilities for deep binary/file analysis and sandboxing of suspicious packages?
What about Forensics?

Forensic analysis in the cybersecurity world is typically performed as part of a scheduled compliance, legal discovery, or law enforcement investigation. Forensics provides a full understanding and thorough remediation of a breach. Deep forensic data accelerates the tracking of an attacker’s lateral movements and provides retroactive alerting on all systems that exhibit, or have exhibited, similar behaviours. Most importantly, forensics can identify the root cause of an issue, helping to close the gaps and stop future attacks across the entire environment.

The capability to conduct a six-month review of activities that have occurred on an endpoint, such as a desktop, smartphone, server, or virtual machine, is crucial to knowing what has occurred and how an attack has taken shape, and to evaluating the potential for harm to other places or users throughout the IT infrastructure. This is why security systems should retain a minimum of half a year’s worth, if not more, of robust forensic data.
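As an added illustration of the two points above (retroactive alerting over stored history, and the half-year retention floor), not code from the article or from Ziften: a small Python model of an endpoint event store. The telemetry, host names and the `IOC_HASH` value are constructed placeholders, and the event store is an in-memory list standing in for a real data platform.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class ProcessEvent:
    """One observed process start, as an endpoint agent would record it."""
    host: str
    seen: datetime
    sha256: str    # hash of the executed binary
    cmdline: str

NOW = datetime(2017, 12, 13, tzinfo=timezone.utc)
HALF_YEAR = timedelta(days=182)          # the article's "minimum of half a year"
IOC_HASH = "deadbeef" * 8                # constructed placeholder, not a real indicator

def d(days_ago: int) -> datetime:
    return NOW - timedelta(days=days_ago)

# Constructed event store: two hosts ran the (placeholder) suspicious binary,
# one of them more than six months ago.
EVENTS = [
    ProcessEvent("ws-01",  d(190), IOC_HASH,        "updater.exe /silent"),
    ProcessEvent("ws-01",  d(3),   "cafebabe" * 8,  "outlook.exe"),
    ProcessEvent("ws-02",  d(40),  IOC_HASH,        "updater.exe /silent"),
    ProcessEvent("ws-02",  d(1),   "cafebabe" * 8,  "outlook.exe"),
    ProcessEvent("srv-db", d(200), "0badf00d" * 8,  "sqlservr.exe"),
    ProcessEvent("ws-03",  d(20),  "cafebabe" * 8,  "outlook.exe"),
]

def retained(events, window, now=NOW):
    """Simulate a store that only keeps events no older than `window`."""
    return [e for e in events if now - e.seen <= window]

def retroactive_hunt(events, sha256):
    """Indicator learned today: which hosts have *ever* executed it, and when first?"""
    first_seen = {}
    for e in events:
        if e.sha256 == sha256:
            first_seen[e.host] = min(first_seen.get(e.host, e.seen), e.seen)
    return first_seen

def hosts_without_half_year(events, now=NOW, window=HALF_YEAR):
    """Hosts whose oldest retained event is younger than the window: a six-month
    review of them has a blind spot (recently enrolled hosts also appear here)."""
    oldest = {}
    for e in events:
        oldest[e.host] = min(oldest.get(e.host, e.seen), e.seen)
    return sorted(h for h, t in oldest.items() if now - t < window)
```

Running `retroactive_hunt` over the full store finds both hosts, while running it over `retained(EVENTS, HALF_YEAR)` finds only `ws-02`, which is the gap the article's "if not more" is pointing at.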

Forensic analysis is a central discipline that can leverage the same tools and related data sets as incident response management, and then go beyond it. A thorough forensic investigation allows the remediation of all threats through careful analysis of the entire chain of events in an attack. And that is no laughing matter. For this purpose, forensic research requires strong log analysis and malware analysis capabilities.

While threat containment is carried out with other security and operations team members, forensic analysis typically requires interaction with a much broader set of departments, including operations, legal, HR, and compliance. This is the point at which an attack escalates from a technology problem to a business problem, with repercussions ranging from lawsuits to a loss of reputation among stakeholders such as investors and customers.

Conclusion

Following the storm of serious global cyber attacks in 2017, it is now widely understood just how damaging the lack of a well-designed approach to security can be for enterprises. Only when IT departments, SecOps teams and the company as a whole take a “systematic” approach to security, one that incorporates visibility and forensics for prevention alongside the other critical functions of cybersecurity, can the challenge be overcome.
