One of the key elements contributing to the success of an IR operation is the quality of the data the IR team has access to. It is no surprise that organizations today already collect vast amounts of data. However, a high quantity does not always ensure success; in fact, the quality of the information is sometimes inversely proportional to the raw quantity of the data.
Just like a journalist chasing a news story, the IR analyst has to be able to answer the essential questions of “Who, What, When, Where, How and Why”. With the endpoint being the primary battlefield today, an organization that has prepared itself to respond to an attack should be able to help Incident Responders answer those essential questions.
There are a few prerequisites for acquiring quality data:
Requirement 1: Provide a continuous stream of data from endpoints. Quality means reliable information (information whose flow the adversary could not have blocked or stopped), delivered together with the context that matters. During a cyber-attack, data can become stale very quickly; there is no use being told the file name of a downloaded piece of malware if the adversary long ago deleted the traces of their other activity. Being assured that the data flow is continuous and that no gaps have occurred is critical to ensuring cyber criminals have not buried their tracks. A detection platform that only affords scans once per day is therefore not adequate; a sensor-based system that is always on and produces continuous, uninterrupted data is the most effective way to go. Combining the two—a continuous monitoring system with a deeper dive based on daily scans—is the best of both worlds.
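One way an IR team can verify that the stream really was continuous is to check the sensor heartbeats themselves for holes. The following is an added illustration, not code from the original article or from any vendor's product; it assumes each sensor emits one heartbeat per minute with a strictly increasing sequence number, and runs over constructed sample records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample heartbeat records (not real telemetry): (host, sequence, UTC time).
# Assumption: each sensor emits one heartbeat per minute with a strictly increasing
# sequence number, so a jump in sequence or a long silence means records are missing.
SAMPLE_HEARTBEATS = [
    ("host-a", 1, "2024-01-10T09:03:00"),
    ("host-a", 2, "2024-01-10T09:04:00"),
    ("host-a", 3, "2024-01-10T09:05:00"),
    ("host-b", 7, "2024-01-10T09:00:00"),
    ("host-b", 8, "2024-01-10T09:01:00"),
    ("host-b", 12, "2024-01-10T09:05:00"),  # sequence jump and four silent minutes
    ("host-c", 1, "2024-01-10T08:00:00"),   # nothing heard for over an hour
]

@dataclass
class Gap:
    host: str
    kind: str    # "sequence": records missing; "time": silence between records;
                 # "silent": sensor stopped reporting before collection ended
    detail: str

def find_gaps(records, collected_until: str,
              expected_interval: timedelta = timedelta(minutes=1),
              tolerance: int = 3) -> List[Gap]:
    """Flag every host whose heartbeat stream is not continuous up to collected_until."""
    end = datetime.fromisoformat(collected_until)
    max_silence = expected_interval * tolerance
    by_host: Dict[str, List[Tuple[int, datetime]]] = {}
    for host, seq, ts in records:
        by_host.setdefault(host, []).append((seq, datetime.fromisoformat(ts)))

    gaps: List[Gap] = []
    for host, events in sorted(by_host.items()):
        events.sort(key=lambda e: e[1])          # order each host's records by time
        for (prev_seq, prev_ts), (seq, ts) in zip(events, events[1:]):
            if seq != prev_seq + 1:
                gaps.append(Gap(host, "sequence", f"expected seq {prev_seq + 1}, got {seq}"))
            if ts - prev_ts > max_silence:
                gaps.append(Gap(host, "time", f"no heartbeat for {ts - prev_ts} after {prev_ts}"))
        last_seq, last_ts = events[-1]
        if end - last_ts > max_silence:
            gaps.append(Gap(host, "silent", f"last heartbeat (seq {last_seq}) at {last_ts}"))
    return gaps

if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_HEARTBEATS, "2024-01-10T09:05:00"):
        print(f"{gap.host}: {gap.kind} gap, {gap.detail}")
```

A host that shows up here deserves a closer look before its data is trusted, since a silent or jumping sensor is exactly where an adversary's activity could have gone unrecorded.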
Requirement 2: Ability to Triage Alerts. Incident Responders need to deploy security tools that allow lower-ranking operators to effectively triage alerts. This not only makes them more efficient, but more importantly it allows Incident Responders to focus on important, serious incidents rather than waste time and resources triaging old data and false positives. Proper prioritization of alerts helps eliminate “noise” and focus on real incidents, and rich context data is a key enabler for good prioritization. The positive side effect of focused research is a shortened time to detection, otherwise known as dwell time (currently, on average, it takes over 240 days to identify adversary activity in an organization).
Requirement 3: No manipulation of data. For any endpoint detection and response system to have good data integrity, it must include safeguards that prevent data from being erased or monitoring activities from being discontinued. One way to do this—as is done with Sentinel—is to make the sensor undetectable to malware. This renders the sensor tamper-resistant, ensuring the purity of the collected data.