Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Automating incident response lets IDT take battle to the enemy

Maria Korolov | May 6, 2015
Two years ago, attackers had Newark-based telecom and payments provider IDT Corp. pinned down.

Then the computer, and all user files, are restored and a user can get back to work within about an hour.

The process takes longer if a user is working remotely and doesn't have access to the company's 10 Gigabit network.

"So, for the mobile workforce, we actually do something else," said Ben-Oni. "We'll direct them to a workspace in the cloud."

After the user is back at work, the machine is watched for the next 48 hours.

"We make sure that that host cannot execute any code that we did not install — a white list — because there's always an opportunity that the host will get reinfected after you reimage it and reinstall user files back on the system," he said.

For production servers, the process is even faster. If there's a secondary system in the environment, the infected server is simply taken offline and the backup goes to work, with no impact on delivered services.

"In the production environment, we have automation tools on Amazon and VMware to spin up new hosts or change the load balance configuration to direct traffic to backups or hot standbys," he said.

Incident investigation

Each high-priority, high-fidelity alert processed automatically would save an employee up to nine hours of work, or more.

Time that they could now spend investigating alerts that require human investigation.

There were plenty of these alerts coming into IDT every day, alerts that would not be normally considered high-fidelity.

In the past, most of these alerts would have been ignored because there was simply not enough time to handle them.

Over the past couple of years, there were plenty of news headlines about what happens then.

"With many of the data breaches — like Target, Home Depot and others — security teams were sent alerts but the teams were unable to determine which were the highest risk," said Muddu Sudhakar, co-founder and CEO at security vendor Caspida.

This is the kind of thing that keeps IDT's Ben-Oni up at night.

"When we started to manually investigate them, it became clear that many of these alerts were actually very serious," Ben-Oni said. "Are we seeing everything we need to see? And once we do see things, are we reacting to them appropriately? For us, reacting to them appropriately means reacting to every event, and determining if they are significant."

But even with automated remediation, IDT still didn't have enough resources to investigate 80 to 90 percent of all the alerts coming in.

And the investigations that were involved were very time-consuming. Analysts had to pivot between different systems, look at the context of what was happening on the machine and networks, and sandboxing and analyzing code.


Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.