The art of incident response is something that’s best refined over time, even though dealing with an unexpected security event at a moment’s notice is never easy. However, having the right people, processes and technologies in place can help security teams investigate and resolve incidents faster. In this post, we’ll walk through the six key areas of incident handling, and show how Proofpoint can help security teams speed insider threat investigations to supplement an effective incident response program.
Six Steps to Effective Incident Response
A solid incident response program can help teams establish the right processes to follow in the event of a security incident. If you don’t already have an incident response process in place, now is as good a time as ever to get started (rather than waiting until after an incident occurs). According to SANS Institute, the incident handling process is comprised of six key steps:
- Preparation: One of the most important (and potentially the most time-consuming) steps in an incident response process is preparation before an incident occurs. At this stage, your team should take the necessary time to solidify the organisation’s policies and incident response plan.
- Engage a cross-disciplinary team to determine a communications strategy with well-defined roles and responsibilities. Effective training is important to help team members understand exactly how their role plays out in the event of an actual incident. In some cases, incident simulations may help teams determine how to respond to an incident, and where there are potential areas of strength and weakness with their people, processes, and technology.
- At this stage, the security leadership in the organisation should also evaluate the technology stack and review which tools should be used at each phase of the incident response process. In addition, a thorough documentation process should be put into place to help the security team understand exactly what happened and prevent similar incidents from occurring in the future.
- Identification: When a security event occurs, the security team must spring into action and determine whether an alert is an actual incident that requires further attention or a false positive. In this phase, the team works to find the root cause of the incident, and gather evidence to determine a course of action.
- Containment: The containment phase is all about damage control. The security team looks to stop the damage that may have already occurred, and prevent any further issues or escalation within the affected systems. In the case of an insider threat, HR or legal teams may be engaged at this stage to determine next steps for the responsible party or parties.
- Eradication: In the eradication phase, the affected systems must be removed from production and restored in a timely manner. At this point, all malicious content must be removed from the system.
- Recovery: Before systems are taken back into production, they must be effectively tested, monitored, and validated by the security team. This stage is crucial to ensure that additional incidents do not occur.
- Lessons Learned: Finally, post-incident analysis and documentation is a critical step to determine where there are real-world flaws in the process that could be adjusted in the future. The lessons learned postmortem is extremely important for training both current and new team members on how to avoid a potential crisis in the future.
Using Proofpoint for Investigations in the Identification Phase
While identification may seem like one of the most straightforward steps in an incident response program, it rarely is -- particularly with insider threat incidents. Some security tools, such as security information and event management (SIEM) systems, cast an extraordinarily wide net when it comes to alerting teams to potential incidents. Often these systems can trigger many false positives, which can be time-consuming for teams to investigate and cause alert fatigue.
In addition, legacy data loss prevention (DLP) tools may fall short when it comes to effectively identifying insider threat incidents. DLPs can be difficult for security teams to maintain and fine-tune over time, and if they are overly slow or restrictive, employees are often crafty enough to circumvent these systems altogether.
The problem with most security tools (like SIEMs and DLPs) is that they only track data movement, rather than a combination of user and data activity. Without visibility into user activity, teams often lack the context they need to complete an effective and fast insider threat investigation. Instead, they’re left sifting through a sea of event logs in hopes of gathering the evidence they need. Or, worse, they’re missing these incidents altogether.
Dedicated insider threat management solutions like Proofpoint ITM can help security analysts know the whole story on insider threats with a wide and deep view on both user activity and data movement. For example, if an incident involves an employee using their computer to exfiltrate data -- either intentionally or unintentionally -- Proofpoint ITM can look at this user’s activity and trace it to data movement or manipulation of corporate resources. With Proofpoint, a security analyst can work backwards and reverse the process of an incident to discover the chain of events, all the way back to the user who initiated the incident.
Instead of spending days or weeks on an investigation, an analyst can gather evidence in a matter of hours, and export an easy-to-understand report to other team members in the chain of command, such as HR, legal, or the executive team.
Completing an Incident Postmortem with Proofpoint
Another area where Proofpoint ITM can be extremely helpful is in the “Lessons Learned” phase. As security teams complete an incident postmortem analysis, the evidence obtained from Proofpoint ITM can help determine whether there are areas of the policy that need to be strengthened, or processes that should be refined.
In addition, insider threat statistics show that two out of three incidents involve an employee or contractor mistake. Luckily, accidental insider threat incidents are preventable with the proper training. Using Proofpoint ITM, security teams can identify individuals who may need additional one-to-one coaching. For many organisations, the lessons learned phase may include establishing a comprehensive cybersecurity awareness program for both employees and contractors who have access to sensitive corporate data.
As an internal security investigator at a pharmaceutical company in a past life, I would have loved to have a tool like Proofpoint ITM to provide detailed reports to all of the key stakeholders in the incident response program. If similar incidents kept happening on a recurring basis, we’d then know where we’d need to fill in the gaps -- whether by hiring more security personnel, training employees properly, controlling the number of people with privileged admin access, or otherwise.
Prevention is a Goal; Detection is a Must
Ultimately, no matter how prepared your organisation is, incidents are still going to happen.
If prevention was foolproof, no one would ever have an incident (...and wouldn’t that be nice!) It’s good to have prevention in mind as an ultimate goal when you’re thinking about the right perimeter, firewall, endpoint, and insider threat defenses.
However, effective insider threat detection is an absolute must. The better security teams get at reacting to and investigating alerts, the better off the entire organisation will be. The longer incidents persist, the more costly they can get (from both a monetary and reputational standpoint). Having a solid detection capability for insider threat investigations like Proofpoint ITM is a great place to start.