Bali Kuchipudi

Security Investigations With Certainty

Blog post by Bali Kuchipudi, Dec 12, 2014

There is a lot of uncertainty these days, and back in my college Quantum Physics class the Heisenberg Uncertainty Principle took the prize for uncertainty. The Heisenberg Uncertainty Principle states that you can never simultaneously know both the exact position and the exact momentum (loosely, the speed) of a particle.


A security operations team can put the Heisenberg Uncertainty Principle to shame by combining intelligence and context during security investigations.


Think of it this way: when an incident occurs, the security operations team needs to take a holistic approach to investigating the threat. By combining intelligence and context, the team can effectively detect, investigate, respond to and remediate security threats. Let's see how this plays out during the investigation process:


  • Visibility - An event happens; the team needs enough visibility (log, network and endpoint telemetry that was already being collected before the event) to see the attacker's every move and reconstruct the event. How did the attacker infiltrate our environment, what other systems did they access, did they install malware, have they opened a backdoor for future attacks?


  • Business Context - Prioritize with business context; the team should always prioritize the events that affect the organization's critical assets. There are a lot of events, but if you can quickly identify and prioritize the ones that touch critical assets, you minimize the risk impact to your organization.


  • Vulnerability Information - If an incident happened because of an existing vulnerability, let's prevent it from happening again by addressing the vulnerability. The security analyst should be able to take an incident, see the affected asset and its criticality, and check whether any open vulnerabilities exist on it, all in a few steps.


  • Identity Context - Is the access appropriate? The security operations team needs a view into asset access entitlements, user entitlements and roles. If an incident happened through an orphaned account (one whose owner has left but whose access was never revoked), disable the account and close that attack surface to prevent future attacks.


  • Threat Intelligence - Are there threats targeting companies in my region or vertical? If so, can I leverage what other companies have done to detect these threats and respond effectively?
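As an added illustration of how these context sources combine during triage (example code written for this edit, not part of the original post or of any product it refers to): the Python routine below takes constructed sample events and enriches each one with asset criticality, open vulnerabilities, account status and entitlements, and threat-intelligence matches, then ranks the events for investigation. All asset, account, indicator and vulnerability identifiers are constructed placeholders, and the scoring weights are assumptions for a team to tune, not a standard.

```python
"""Enrich raw security events with business, vulnerability, identity and
threat-intelligence context, then rank them for investigation.

Example code written for this edit; all data below is constructed.
"""
from dataclasses import dataclass, field

# Business context: asset criticality and known open vulnerabilities.
# Vulnerability identifiers are placeholders, not real CVE entries.
ASSETS = {
    "10.1.1.5":  {"name": "db-prod-01", "criticality": "high",   "open_vulns": {"VULN-0001"}},
    "10.1.2.20": {"name": "kiosk-07",   "criticality": "low",    "open_vulns": set()},
    "10.1.3.9":  {"name": "hr-app-01",  "criticality": "medium", "open_vulns": {"VULN-0002"}},
}

# Identity context: which assets an account may reach, and whether it still has an owner.
IDENTITIES = {
    "alice":   {"status": "active",   "entitled_assets": {"10.1.1.5", "10.1.3.9"}},
    "bob":     {"status": "active",   "entitled_assets": {"10.1.2.20"}},
    "svc_old": {"status": "orphaned", "entitled_assets": {"10.1.1.5"}},
}

# Threat intelligence: indicators tagged with the verticals/regions they were seen targeting.
OUR_VERTICAL = "finance"   # assumption: the organization's own vertical
THREAT_INTEL = {
    "203.0.113.77": {"tags": {"finance", "apac"}},
    "198.51.100.9": {"tags": {"retail"}},
}

# Assumed weights; tune to the organization's risk appetite.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    event: dict
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def enrich(event):
    """Attach every available context source to one event and score it."""
    f = Finding(event)

    # 1. Business context: how much does the affected asset matter?
    asset = ASSETS.get(event["dst_ip"])
    if asset is None:
        f.add(1, "destination not in asset inventory")
    else:
        f.add(CRITICALITY_WEIGHT[asset["criticality"]],
              f"asset {asset['name']} criticality={asset['criticality']}")
        # 2. Vulnerability information: does the event line up with a known hole?
        ref = event.get("vuln_ref")
        if ref and ref in asset["open_vulns"]:
            f.add(3, f"event references open vulnerability {ref} on asset")
        elif asset["open_vulns"]:
            f.add(1, f"asset has {len(asset['open_vulns'])} open vulnerabilities")

    # 3. Identity context: is this access appropriate at all?
    user = event.get("user")
    ident = IDENTITIES.get(user)
    if ident is None:
        f.add(2, f"unknown account {user!r}")
    else:
        if ident["status"] == "orphaned":
            f.add(3, f"account {user} is orphaned")
        if event["dst_ip"] not in ident["entitled_assets"]:
            f.add(2, f"account {user} not entitled to {event['dst_ip']}")

    # 4. Threat intelligence: is the source a known indicator, and aimed at us?
    intel = THREAT_INTEL.get(event.get("src_ip"))
    if intel:
        f.add(2, f"source {event['src_ip']} matches threat intel")
        if OUR_VERTICAL in intel["tags"]:
            f.add(1, f"indicator targets our vertical ({OUR_VERTICAL})")
    return f


def triage(events):
    """Enrich every event and return findings, highest priority first."""
    return sorted((enrich(e) for e in events), key=lambda f: f.score, reverse=True)


# Constructed event stream (sample data, not from any real environment).
EVENTS = [
    {"ts": "2014-12-12T09:01Z", "src_ip": "10.0.0.50",     "dst_ip": "10.1.2.20", "user": "bob",     "action": "login"},
    {"ts": "2014-12-12T09:02Z", "src_ip": "203.0.113.77",  "dst_ip": "10.1.1.5",  "user": "svc_old", "action": "login", "vuln_ref": "VULN-0001"},
    {"ts": "2014-12-12T09:03Z", "src_ip": "198.51.100.9",  "dst_ip": "10.1.3.9",  "user": "alice",   "action": "login"},
    {"ts": "2014-12-12T09:04Z", "src_ip": "10.0.0.51",     "dst_ip": "10.1.1.5",  "user": "mallory", "action": "login"},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding.score, finding.event["user"], "->", finding.event["dst_ip"])
        for reason in finding.reasons:
            print("   ", reason)
```

The point of the exercise is the `reasons` list, not the number: an analyst opening the top finding sees in one place that a production database with an open vulnerability was reached through an orphaned service account from an indicator already tied to their vertical, which is exactly the holistic picture the bullets above describe. Each context source that is missing (no asset inventory, no entitlement data) simply contributes nothing, so the ranking degrades gracefully instead of failing.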


When I talk to customers building out their incident response teams, I always mention VISIBILITY, ANALYSIS and ACTION: the ability to leverage advances in technology and big-data analytics, together with intelligence and context, to better detect, investigate and respond to security incidents.


Uncertainty no more; certainty yes, throughout the security investigation process. Let's limit the Uncertainty Principle to quantum physics.
