Aug 24, 2021

How Real-Time Incident Response Resolves the Inevitable Breach

The rapid increase in remote working has created new challenges where forensics teams must act quickly to remediate breaches.

By Tanium Staff

Breaches are inevitable if your organization has endpoint devices connected to the public-facing internet. Chief information security officers (CISOs) are increasingly turning to solutions and strategies that reduce mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR). Incident response and forensics teams today recognize the need to collaborate more effectively to ensure that on-premises and remote endpoints are configured, controlled, and secured.

A new study by analyst Alissa Knight, Isolated Castles: Incident Response in the New Work-From-Home Economy, recommends that CISOs focus on finding an integrated endpoint management and security platform in which asset and patch management, artifact hunting, asset isolation, and forensic data collection can all be carried out at speed and scale.

Impact of the pandemic

Last year, when the pandemic forced much of the world to stay home, threat actors quickly found new security gaps to exploit. Many organizations lacked the VPN licenses and bandwidth to support a fully remote workforce, so remote employees had little choice but to rely on Remote Desktop Protocol (RDP) servers instead, typically exposed directly to the internet. Other work-from-home (WFH) security issues include:

  • Default administrator passwords on home routers and Wi-Fi access points
  • Lack of network intrusion detection systems (IDS)
  • Absence of web filtering to check for drive-by downloads
  • Lack of endpoint detection and response (EDR) agents
  • Widespread use of insecure personal laptops

Incident response in a WFH world

For forensics teams, high-quality, real-time data is vital. Following an incident, how do you get the contents of a 1TB hard drive in a remote user’s home office to a cloud storage location for analysis? Uploading a full disk image over a residential DSL or cable connection would take far too long.

One option is to power off the laptop and send it to a forensic examiner. However, this can create additional problems, including:

  • Loss of potentially important forensic data sitting in volatile memory after powering down
  • Lack of insight into whether the home network was also compromised
  • The home worker would be forced to rely on a potentially insecure personal device, or to wait for a replacement, which hurts productivity

Incidents involving cloud workloads and drives can lead to additional complications, according to Knight Ink. Due to the policies of some smaller cloud service providers (CSPs) and their multitenant environments, forensics teams may not even be allowed access to logs, alerts, and other key data. Depending on the type of cloud server in use, a CSP may also prohibit the forensic team from acquiring the drives that need to be analyzed.

Two tips for better incident response

To improve incident response in today’s WFH and cloud-first setting, Knight Ink says CISOs should take two key actions:

  1. Make sure you understand how much data your CSP allows you to acquire in the event of a major security incident. Also, be sure to understand all details of the process for doing so. (These practices should also be taken into consideration when evaluating and selecting a CSP.)
  2. When selecting an endpoint management and security platform, favor one that offers the following features:
    • Asset management: You can’t protect what you can’t see. Asset capabilities can also be combined with patch management to further reduce your endpoint risks.
    • Artifact hunting: You need the ability to search assets — whether on-premises, at employee homes, or in the cloud — for malicious artifacts. That’s crucial to detecting how far an attack’s lateral movement has extended.
    • Forensic data collection: This should include syslog on Unix-like systems, the Windows Event Log, and logs from network devices such as routers and switches.
    • Asset isolation: Once an asset is compromised, it needs to be isolated or micro-segmented to prevent further lateral movement.

In summary, if you have enterprise assets connected to the internet, you will be breached. Every organization in today’s work-from-anywhere era needs an established incident response plan and a set of playbooks so that it is ready for whatever comes next. In the end, protecting the endpoint is what matters, and it is time to prepare for the unexpected, because it can strike at any time.
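To make the "artifact hunting" and "forensic data collection" points above concrete, here is an added Python example; it is not code from the original article, from Knight Ink, or from Tanium. Instead of shipping a full 1TB image, it takes the small set of artifacts a responder would actually pull from a remote endpoint (a Linux auth log and a Windows Security log export), records a SHA-256 chain-of-custody manifest for each, and hunts across both for the remote-access pattern the RDP discussion raises: a run of failed logons from one source address followed by a success. The log lines and the JSON export format are constructed sample data; the hostnames, the JSON field names used for the export, and the failure threshold are assumptions for illustration, although the Windows event IDs (4624/4625) and LogonType 10 (RemoteInteractive, i.e. RDP) are the real Security-log values.

```python
"""Targeted triage: hash collected artifacts and hunt them for brute-forced remote logons.

Added example, not from the original article. All sample data below is constructed.
"""
import hashlib
import json
import re
from collections import Counter

# Constructed sample artifact 1: sshd lines from a Linux auth log on a hypothetical WFH laptop.
SYSLOG_SAMPLE = """\
Aug 23 02:14:05 wfh-laptop-07 sshd[4121]: Failed password for root from 203.0.113.45 port 51522 ssh2
Aug 23 02:14:09 wfh-laptop-07 sshd[4121]: Failed password for root from 203.0.113.45 port 51530 ssh2
Aug 23 02:14:13 wfh-laptop-07 sshd[4121]: Failed password for admin from 203.0.113.45 port 51541 ssh2
Aug 23 02:15:01 wfh-laptop-07 sshd[4130]: Accepted password for admin from 203.0.113.45 port 51560 ssh2
Aug 23 08:02:11 wfh-laptop-07 sshd[5001]: Accepted publickey for alice from 192.168.1.20 port 40022 ssh2
"""

# Constructed sample artifact 2: Windows Security events exported as JSON lines (export format is an
# assumption; EventID 4624 = successful logon, 4625 = failed logon, LogonType 10 = RDP).
WINEVT_SAMPLE = """\
{"EventID": 4625, "Computer": "WFH-DESK-12", "TargetUserName": "jsmith", "LogonType": 10, "IpAddress": "198.51.100.7", "TimeCreated": "2021-08-23T02:20:01Z"}
{"EventID": 4625, "Computer": "WFH-DESK-12", "TargetUserName": "jsmith", "LogonType": 10, "IpAddress": "198.51.100.7", "TimeCreated": "2021-08-23T02:20:04Z"}
{"EventID": 4624, "Computer": "WFH-DESK-12", "TargetUserName": "jsmith", "LogonType": 10, "IpAddress": "198.51.100.7", "TimeCreated": "2021-08-23T02:20:30Z"}
{"EventID": 4624, "Computer": "WFH-DESK-12", "TargetUserName": "jsmith", "LogonType": 2, "IpAddress": "-", "TimeCreated": "2021-08-23T09:00:00Z"}
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_syslog(text):
    """Normalize sshd authentication lines into (host, user, ip, service, success) records."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"host": d["host"], "user": d["user"], "ip": d["ip"],
                           "service": "ssh", "success": d["outcome"] == "Accepted"})
    return events


def parse_winevt(text):
    """Normalize exported Windows Security logon events, keeping only RDP (LogonType 10) logons."""
    events = []
    for line in text.splitlines():
        e = json.loads(line)
        if e["EventID"] in (4624, 4625) and e["LogonType"] == 10:
            events.append({"host": e["Computer"], "user": e["TargetUserName"], "ip": e["IpAddress"],
                           "service": "rdp", "success": e["EventID"] == 4624})
    return events


def hunt_remote_logons(events, fail_threshold=2):
    """Flag a success from a source that had >= fail_threshold prior failures on the same host/service.

    Events must be in time order; failures are counted per (host, service, source IP) regardless of
    the user name tried, so password spraying across accounts is still caught.
    """
    fails = Counter()
    findings = []
    for ev in events:
        key = (ev["host"], ev["service"], ev["ip"])
        if not ev["success"]:
            fails[key] += 1
        elif fails[key] >= fail_threshold:
            findings.append({"host": ev["host"], "service": ev["service"], "source_ip": ev["ip"],
                             "user": ev["user"], "failures_before_success": fails[key]})
    return findings


def manifest(artifacts):
    """Chain-of-custody manifest: size and SHA-256 of each collected artifact (name -> bytes)."""
    return {name: {"bytes": len(data), "sha256": hashlib.sha256(data).hexdigest()}
            for name, data in artifacts.items()}


def triage():
    """Collect the targeted artifacts, hash them, and run the hunt across both endpoints."""
    artifacts = {"wfh-laptop-07/auth.log": SYSLOG_SAMPLE.encode(),
                 "WFH-DESK-12/Security.jsonl": WINEVT_SAMPLE.encode()}
    events = parse_syslog(SYSLOG_SAMPLE) + parse_winevt(WINEVT_SAMPLE)
    return {"manifest": manifest(artifacts), "findings": hunt_remote_logons(events)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Run as a script, it reports two findings: the SSH success for "admin" from 203.0.113.45 after three failures, and the RDP success for "jsmith" from 198.51.100.7 after two failures; the console logon (LogonType 2) and the key-based SSH logon from the LAN are not flagged. The manifest is what you would hand to the examiner alongside the artifacts, so the hashes can be re-verified wherever the analysis is done.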

Tanium offers Asset Discovery and Inventory, Patch Management and Incident Response modules that support all these requirements. Tanium’s single platform gives you the ability to both respond rapidly to incidents and perform comprehensive forensics at speed and scale — no matter where your assets are located.