The Importance of Speed in Incident Response

By RedSeal Federal CTO Wayne Lloyd

Have you seen CrowdStrike’s “Global Threat Report: Adversary Tradecraft and The Importance of Speed”?

Released at RSA Conference 2019, its key takeaway is that nation states and criminal organizations are increasing both the speed and sophistication of their cyber tactics. That isn't a surprise, but the report adds detail on just how little time defenders have.

CrowdStrike defines “breakout time” as “the window of time from when an adversary first compromises an endpoint machine, to when they begin moving laterally across your network.”

The report breaks breakout time down by adversary, clocking the increasing average speed of major nation-state actors, including those attributed to Russia, China, North Korea, Iran and others.

So what can you do?

According to the report, basic hygiene is still the most important first step in defending against these adversaries, including user awareness, vulnerability and patch management, and multi-factor authentication.

The CrowdStrike report continues:

With breakout time measured in hours, CrowdStrike recommends that organizations pursue the ‘1-10-60 rule’ in order to effectively combat sophisticated cyberthreats:

  • Detect intrusions in under one minute
  • Perform a full investigation in under 10 minutes
  • Eradicate the adversary from the environment in under 60 minutes

Organizations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads out from its initial entry point, minimizing impact and further escalation. Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action.

RedSeal and the 1-10-60 Benchmark

A RedSeal model of your network, spanning on-premises, cloud and virtual environments, gives you the detail you need to accelerate network incident investigation. You can quickly locate a compromised device, determine which assets an attacker could reach from it, and get the information you need to stop them. Because RedSeal's model includes all possible access paths, you see the specific paths a network attacker could take to valuable assets. You also get specific containment options, so you can decide what action to take, from increasing monitoring and placing honeypots to changing firewall rules or simply unplugging the device, shortening your network incident response time.

Answers that used to take hours, if not days, to work out during a network security incident become available immediately.

Click here to learn more about RedSeal’s support of incident response teams and how it will improve your agency’s digital resilience.