Intelligent CIO Middle East Issue 17 | Page 87

FINAL WORD
MAJID KHAN MSS Architect at Help AG
3. Implement incident response plans

So, now that you have adequate preventive security controls and you are monitoring your environment, it's time to move further. As mentioned at the start of this write-up, no matter how many security measures are in place, it may never be enough to stop an extremely motivated hacker. Hence, it's important that we have incident response plans which can be invoked during a breach, thereby limiting the time of exposure due to the breach.

To emphasise my point, I would like to cite data from the Trustwave Global Security Report 2016, which compared the number of days taken from intrusion to its containment. Although it showed a downward trend, it found that in general it took more than 60 days to contain an incident, which means organizations are exposed for this period.

Some incident response plans may merely be created in a Word document and expected to be followed during breaches. That is a good start; however, I recommend using security incident response tools which can be used by a SOC analyst, guiding them through the entire process of incident handling. This will ensure all aspects of security incident handling are covered.

To further enhance incident response capability, organizations should look at orchestration of the actions required to contain or mitigate the impact of security breaches.
4. Implement predictive controls

Once the organisation has successfully implemented and maintained all the previous stages, the next step is to start predicting breaches before they actually occur. As you would guess, it's never easy to predict something which has not happened yet; however, assuming that all previous stages have been well implemented, you can utilise them for this stage.

Predicting attacks will require multiple aspects:

Baseline: Ensure you have baseline data for your environment. You may call it peace time learning, and any changes to the baseline could possibly act as an early warning for a possible breach. Some SIEM solutions help you create this baseline data.

Threat hunting: Partially related to the previous point, you, or your MSSP, could have threat hunting as one of the capabilities, where analysts hunt for threats in your environment. In some cases this could be post-breach, while in others you could pick it up during the early stages.

Intelligence from the dark web: In order to explain this point, I will draw an analogy to the intelligence that countries use to predict any planned terrorist activities that might occur against them. They have informers, and so too companies can subscribe to services from companies who have a presence on and/or harvest the dark web. This information could include planned attacks or campaigns on a specific industry, region or company. It can be utilised to know if you or your sector is being targeted, and will thus enable you to be ready for it in advance.
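To make the "peace time learning" idea concrete, here is an added example (written for this page, not code from the author, Help AG, or any SIEM product) that learns a per-user baseline from successful logon events and then flags later events that deviate from it: a destination host the user has never reached, a logon at an hour the user has never been active, a daily logon count well above the user's normal rate, or a user never seen at all. The log line format, the sample events and the three-sigma threshold are all assumptions constructed for the example; a real SIEM would baseline far more attributes, but the mechanism is the same.

```python
"""Baseline ("peace time") learning and deviation alerting over logon events.
Added example for illustration only; log format and thresholds are assumed."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog-like format (constructed for this example):
# 2016-05-01T09:00:00 user=alice src=10.0.1.5 dst=fileserver01 result=success
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)"
)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def learn_baseline(lines):
    """Learn, per user: hosts normally reached, hours normally active,
    and the mean/std of successful logons per day."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> count
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        u = ev["user"]
        hosts[u].add(ev["dst"])
        hours[u].add(ev["ts"].hour)
        daily[u][ev["ts"].date()] += 1
    stats = {}
    for u, per_day in daily.items():
        counts = list(per_day.values())
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        stats[u] = (mean, math.sqrt(var))
    return {"hosts": hosts, "hours": hours, "daily": stats}


def detect(baseline, lines, sigma=3.0):
    """Return a list of (user, reason) alerts for events deviating from baseline."""
    alerts = []
    new_daily = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        u = ev["user"]
        if u not in baseline["hosts"]:
            alerts.append((u, "user never seen in baseline"))
            continue
        if ev["dst"] not in baseline["hosts"][u]:
            alerts.append((u, f"new destination host {ev['dst']}"))
        if ev["ts"].hour not in baseline["hours"][u]:
            alerts.append((u, f"logon at unusual hour {ev['ts'].hour:02d}:00"))
        new_daily[u][ev["ts"].date()] += 1
    for u, per_day in new_daily.items():
        mean, std = baseline["daily"][u]
        # A perfectly regular user has std == 0; floor it so any real spike still trips
        threshold = mean + sigma * max(std, 1.0)
        for day, count in per_day.items():
            if count > threshold:
                alerts.append((u, f"{count} logons on {day} vs baseline mean {mean:.1f}"))
    return alerts


# Constructed "peace time" data: alice logs on twice a day (09:00, 14:00) to
# fileserver01; bob logs on once a day (08:15) to mailserver01.
PEACE_TIME = []
for day in range(1, 6):
    for hour in (9, 14):
        PEACE_TIME.append(
            f"2016-05-0{day}T{hour:02d}:00:00 user=alice src=10.0.1.5 "
            f"dst=fileserver01 result=success")
    PEACE_TIME.append(
        f"2016-05-0{day}T08:15:00 user=bob src=10.0.1.9 dst=mailserver01 result=success")

# Constructed later events containing four deviations from that baseline.
WAR_TIME = [
    "2016-05-09T03:10:00 user=alice src=10.0.1.5 dst=fileserver01 result=success",   # odd hour
    "2016-05-09T09:05:00 user=alice src=10.0.1.5 dst=dc01 result=success",           # new host
    "2016-05-09T08:20:00 user=mallory src=10.0.1.77 dst=fileserver01 result=success",  # unknown user
] + [  # bob: six logons in one day against a baseline of one
    f"2016-05-09T08:{m:02d}:00 user=bob src=10.0.1.9 dst=mailserver01 result=success"
    for m in range(0, 60, 10)
]


def run_example():
    """Learn from PEACE_TIME, then score WAR_TIME; returns the alert list."""
    return detect(learn_baseline(PEACE_TIME), WAR_TIME)


if __name__ == "__main__":
    for user, reason in run_example():
        print(f"ALERT {user}: {reason}")
```

The baseline here is deliberately simple (sets of hosts and hours plus a per-day mean and standard deviation); the important design point is that it is learned from a period believed to be clean and then held fixed, so that an intruder's activity cannot quietly become "normal" by being included in the data it is compared against.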
As I mentioned earlier, each of these stages requires regular review to ensure they are fit for purpose and that the most relevant level of controls exists.