3. Breach-to-Response Acceleration

Tools for Rapid Detection and Remediation

The evolution of the cyber attacker’s techniques, skills and tools has far outpaced that of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they have been given for the job are not fast enough at detecting, remediating or investigating incidents, especially at scale. New solutions are needed that enable IT operations and incident response teams to move more quickly and act smarter across distributed networks, distributed clouds and OS platforms while maintaining scalable performance.
The government would also benefit from reexamining the thinking behind how it approaches cybersecurity. A reevaluation of the efficacy of siloed efforts could help the government move from a layered approach to a more holistic approach. Siloed tools—which collect fragmented and outdated data—create a disconnect between the detection and remediation of security issues, making it much more difficult to boost the cybersecurity posture of the government as a whole.
Incident response teams defending high value assets are constantly under siege, and almost all are unable to effectively combat increasingly elusive and efficient attacks because of the technology they are equipped with. Legacy tools are generally incapable of providing accurate visibility and control across the environment at speeds faster than those at which malware can propagate and adapt. Malicious attackers are not bound by any rules and often strike opportunistically and behave erratically. Therefore, in order to effectively accelerate breach-to-response times, solutions must be able to provide accurate and complete data—both current and historical—in seconds. Information that is hours, days or even weeks old is simply worthless in this struggle against time.

Breaches, exploitations and incidents will continue to occur. Accordingly, an organization’s success in the cybersecurity realm will be defined by its ability to reliably reduce the “dwell time” it suffers: the interval between when a compromise occurs and when it is ultimately resolved, which is often measured in months. To do so, incident response teams need to be able to quickly and confidently answer the following questions every time and for any incident: What happened? Where did it happen? How did it happen? Is it still happening? Furthermore, incident response teams need capabilities that can easily take findings from single-host forensic investigations and instantly identify similarly compromised systems enterprise-wide. This ensures that incidents are fully scoped and that corrective actions are applied at equal velocity, so that attackers are unable to reestablish control before remediation is complete. Organizations need solutions that seamlessly provide comprehensive capabilities spanning detection, forensic investigation and remediation, with each action executed in a matter of seconds, even across the largest global networks.

Public Input
Idea No. 142