Security / February 13, 2019

Rein in Risk with Threat Hunting and Incident Response

By Ryan Bechtloff and Danny Akacki

What is the one thing that management and security practitioners alike can agree on? A security posture is based on risk. The finer details are always up for debate and analysis. What is our risk appetite? How much risk do we need to avoid and how much are we willing to accept? How do we mitigate the rest? Every organization regardless of size carries some weight of security risk.

Management and practitioners are both tasked with answering all the questions posed by risk in the hopes that dedicating time and manpower to the problem will positively affect their bottom line. We need to deal with risk even in the face of limited budgets, limited headcount, all while trying to improve our risk posture. In this article we’ll discuss the pieces in our chess game of risk, what they do, how they move and how to always control the center of the board.

Incident Response as a Risk Mitigation Tool

Whether we like it or not, security incidents happen; it’s not a matter of “if” but “when,” and what the impact of the incident will be. A mature incident response (IR) capability reduces risk to the organization by finding attackers and removing them from the network as quickly as possible.

Regardless of whether the attacker has been in your environment for five minutes or five years, you can never know the true scope of an intrusion until your IR team has had the opportunity to do their job. One thing is for certain: time is everything.

A rapid response by a capable incident response team is one of the most effective ways to reduce risk to the business when a security incident does occur. Early detection, followed by rapid scoping and remediation, protects the company, its customers and its proprietary information; preserves productivity by keeping systems up; and limits the reputational damage and costly legal fees that follow an incident.

Hunting for Risk

The topic du jour of information security is threat hunting. Just as an incident response team or Security Operations Center (SOC) mitigates risk by being the reactive edge of the sword, so too does a trained, dedicated and proactive threat hunting team.

A good hunt team will help to reduce risk by identifying previously unknown threats or detection gaps where threats could exist, then adjusting defenses and detections to increase the likelihood of that threat being caught quickly.

What’s more, a dedicated hunt team will help your organization learn and stay on top of your ever-changing environment. Assets change, companies grow by mergers and acquisitions, shadow IT can run rampant. Knowing your network is half the battle of defending.

Data (or Lack Thereof) at Risk

In a perfect world, both incident responders and threat hunters would have all the log data their hearts could desire: robust endpoint, network and application data, readily available to analysts for years after collection, and everything else they could possibly need to achieve their goals.

Unfortunately, that is rarely the reality, as collecting and storing a complete log set can be prohibitively expensive for most security organizations. Gaps in visibility and incomplete data sets abound. When you can’t tell the full story of a security incident, including root cause, the risk of it or something like it happening again increases dramatically.

Additionally, not all data is created equal. Global companies have global problems, including complex international laws on data export, privacy controls on that data, and where the data may be housed. Many organizations now run their critical infrastructure in one or more cloud platforms. Cloud platforms often provide more security than some on-premises layouts, but we still need tools that show us what we’re missing.

Tools to Mitigate Risk

This complex state of the enterprise network usually means defenders are working with numerous tools, each of which shows only one piece of the puzzle. That fragmentation can leave a substantial gap in understanding the full risk scope of an organization. Moreover, security analysts and engineers can spend a substantial portion of their time simply keeping up with and maintaining the large number of tools available to them.

Enter Gigamon. Gigamon offers a suite of solutions that provide pervasive visibility across the entire connected ecosystem. The GigaSECURE® Security Delivery Platform, combined with the Gigamon Insight solution, simplifies the security architecture to better protect your organization by shifting the advantage away from attackers and back to the defenders. Gigamon Insight is a cloud-based network detection and response (NDR) solution purpose-built to provide visibility and real-time access to raw and contextualized data when it’s needed most.

Our network sensors inspect packets and extract security-relevant metadata, which is centralized in our datacenter and enriched with contextual security information. As part of the offering, each account is assigned a named technical account manager to ensure customers succeed in using the Insight solution to achieve their security objectives. Insight is a fully managed SaaS-based solution, so security teams don’t have to manage sensor or backend infrastructure and can focus instead on reducing risk to the organization.

Risk is everywhere. It’s the cost of running a successful business. How you mitigate and manage that risk is the difference between flourishing and becoming another newspaper headline. You need data. You need a place to put that data so your analysts can work with it. You need trained incident response and threat hunting teams to work that data into a solid security posture for your environment. And you want all of this without jumping through a thousand tools to do it. The GigaSECURE Security Delivery Platform with Gigamon Insight can help you get there.
