TRENDING
threats is accomplished through a
blend of search and machine analytics.
These threats must be quickly qualified
to assess the potential impact to the
business and the urgency of additional
investigation and response efforts. When
an incident is qualified, mitigations to
reduce and eventually eliminate risk to
the business must be implemented, and
once the incident has been neutralised,
full recovery efforts can commence.
How does Threat Lifecycle
Management allow enterprises to
see broadly and deeply within their
IT environments?
Before any threat can be detected,
organisations must be able to see
evidence of the attack within the IT
environment. Because threats target
all aspects of the IT infrastructure, the
more you can see, the more ably you
can detect. There are three principal
types of data that should be focused on:
security event and alarm data, log and
machine data, and forensic sensor data.
While security event and alarm data is
typically the most valuable source of
data for a security team to find evidence
of a successful attack, there can be a
challenge in rapidly identifying which
events or alarms to focus on, as tens of
thousands might be generated on a daily
basis. Log and machine data can provide
deeper visibility into an IT environment
– recording on a per-user, per-system,
per-application, etc. basis – to illustrate
who did what, when and where. Once an
organisation is effectively collecting this
data, forensic sensors can provide even
deeper and broader visibility.
How does Threat Lifecycle
Management respond if there is a
phishing attack occurring?
Unfortunately, phishing attacks are
incredibly common and they target the
weakest point in any organisation’s
perimeter – the employees. While
organisations can do their due diligence
by educating their employees on cyber
security best practices, they can never
be 100% sure that a phishing scam
won’t infiltrate their network. Prevention
tactics unfortunately will not always
stop an employee from clicking on a
dodgy link in a convincing email on
a work computer, which is where a
combined workflow of people, process
and technology is needed. With Threat
Lifecycle Management, organisations
can detect and neutralise a breach,
before data is stolen. When organisations
can see broadly and deeply across their
IT environment as well as having the
ability to quickly mitigate and recover
from security incidents, it allows them to
defend their networks from the phishing
attacks that scam their employees.
Does Threat Lifecycle Management
have the capacity to escalate the
case priority of an attack?
Yes. While most organisations have
an array of security products to
prevent a wide range of attacks from
being successful, in some cases these
technologies can only warn an attack
may be in process or has occurred. In
these cases, events and alarms are
generated and the challenge most
organisations face is rapidly identifying
which events or alarms to focus on – as
tens of thousands might be generated
on a daily basis. However, with Threat
Lifecycle Management, organisations can
have full visibility coupled with machine
analytics in order to stand a chance at
detecting and responding to threats with
the highest priority. The goal of using
machine analytics is to help organisations
realise a ‘risk-based monitoring’ strategy
through the automatic identification
and prioritisation of attacks and
threats. This is critical for both detecting
advanced threats via data science-driven
approaches, as well as helping orient
precious manual analytics capabilities to
the areas of highest risk to the business.
How does Threat Lifecycle
Management determine if a user
account is accessing systems it
usually doesn’t?
The cybercriminal is not always an
anonymous hacker based miles away;
an attack often comes from within
an organisation and from its own
employees. The insider threat, either
from a disgruntled employee or an
employee that has simply made an
innocent mistake, is a very real and
difficult threat for organisations to
mitigate. However, with Threat Lifecycle
Management, the automation and
AI capabilities can help organisations
deal with this quickly. AI can be used
to automatically generate behavioural
whitelists of ‘normal’ activity to help
identify suspicious behaviour patterns
and automatically identify and alert on
potential threats and breaches. Once
an employee is behaving in a way that
the system deems to be ‘abnormal’ for
their role, or their usual behaviour, it will
be flagged immediately to the security
system in order for them to begin the
investigation process of the lifecycle.
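The two answers above describe the same mechanism from two angles: a baseline of 'normal' activity per user and per role, and a risk score that pushes the most serious deviations to the top of the analyst's queue. The following is an added example written for this page, not LogRhythm's code and not how its Threat Lifecycle Management platform is implemented. It builds the baseline from a constructed set of authentication events, scores new events by novelty (unseen for the user, unseen for anyone in the same role), off-hours timing and an assumed asset-criticality table, and returns alarms ordered by risk. The log format, hostnames, working hours and criticality values are all assumptions made for the illustration.

```python
# Added example (not LogRhythm's code): build a per-user and per-role baseline of
# which hosts each account normally authenticates to, then score new events that
# fall outside it. All log lines, hostnames and criticality values are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one per line: "<ISO timestamp> <user> <host> <role>"
BASELINE_LOGS = """\
2024-03-01T09:02:11 alice hr-db01 hr
2024-03-01T09:15:40 alice hr-app01 hr
2024-03-02T10:01:05 alice hr-db01 hr
2024-03-01T08:45:00 bob dev-build01 eng
2024-03-01T11:30:12 bob git01 eng
2024-03-02T16:20:00 bob dev-test01 eng
2024-03-02T09:10:33 carol dev-build01 eng
2024-03-02T14:02:18 carol git01 eng
2024-03-01T09:00:00 dave fin-app01 finance
"""

NEW_LOGS = """\
2024-03-10T09:05:00 alice hr-db01 hr
2024-03-10T09:30:00 carol hr-db01 eng
2024-03-10T03:40:00 dave hr-db01 finance
2024-03-10T10:00:00 bob dev-build01 eng
2024-03-11T11:00:00 carol dev-test01 eng
"""

# Assumed asset criticality (1 = low, 5 = crown jewels); unknown hosts default to 1.
ASSET_CRITICALITY = {"hr-db01": 5, "fin-app01": 5, "hr-app01": 3, "git01": 2}

WORK_HOURS = range(7, 19)  # assumed 07:00-18:59 local time


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, role = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "role": role})
    return events


def build_baseline(events):
    """Behavioural 'whitelist' of normal activity: hosts seen per user and per role."""
    user_hosts = defaultdict(set)
    role_hosts = defaultdict(set)
    for ev in events:
        user_hosts[ev["user"]].add(ev["host"])
        role_hosts[ev["role"]].add(ev["host"])
    return user_hosts, role_hosts


def risk_score(ev, user_hosts, role_hosts, criticality=ASSET_CRITICALITY):
    """Return (score, reasons). 0 means the access is within the user's own
    baseline; otherwise the score grows with novelty (new for the user, new for
    the whole role), off-hours timing, and the criticality of the asset touched."""
    host = ev["host"]
    if host in user_hosts.get(ev["user"], set()):
        return 0, []
    reasons = ["host never seen for this user"]
    score = 1
    if host not in role_hosts.get(ev["role"], set()):
        score += 2
        reasons.append("host never seen for any peer in role %s" % ev["role"])
    if ev["ts"].hour not in WORK_HOURS:
        score += 1
        reasons.append("outside working hours")
    return score * criticality.get(host, 1), reasons


def detect(new_text, baseline_text=BASELINE_LOGS):
    """Return alarms for anomalous events, highest risk first, so the analyst
    sees the most urgent case at the top of the queue."""
    user_hosts, role_hosts = build_baseline(parse_events(baseline_text))
    alarms = []
    for ev in parse_events(new_text):
        score, reasons = risk_score(ev, user_hosts, role_hosts)
        if score:
            alarms.append({"user": ev["user"], "host": ev["host"],
                           "ts": ev["ts"].isoformat(), "risk": score,
                           "reasons": reasons})
    alarms.sort(key=lambda a: a["risk"], reverse=True)
    return alarms


if __name__ == "__main__":
    for alarm in detect(NEW_LOGS):
        print(alarm["risk"], alarm["user"], "->", alarm["host"],
              "|", "; ".join(alarm["reasons"]))
```

Run against the constructed data, the finance user touching the HR database at 03:40 ranks first (never seen for the user or the role, off-hours, critical asset), the engineer reaching the same database in working hours second, and the engineer's first login to a build host that her peers already use last, which is the kind of ordering a risk-based monitoring queue needs. A real deployment would learn the baseline over a much longer window, decay stale entries, and treat the 'first day in a new role' case carefully, since a fresh baseline makes every access look novel.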
Is it possible to use the system to
disable a user’s account if it is
under attack?
Yes. When an organisation detects
a compromise, rapid response can
mean the difference between quick
containment and a damaging data
breach. To that end, LogRhythm’s
Threat Lifecycle Management platform
includes our SmartResponse technology
which enables automated incident
response, with optional approval
steps so that the SOC Analyst can
review the situation before executing
countermeasures.
Should an account compromise
be suspected, an account can be
automatically disabled, and access
denied, no matter what device they use.
Furthermore, multiple SmartResponse
actions can be executed from a single
alarm, enabling simultaneous or
stepped actions.
www.intelligentcio.com