No matter how high, deep, or long the walls security pros build around their networks, attackers seem to find ways to fly over, dig under, or drill through. The most recent Verizon Data Breach Investigations Report found that more than 50 percent of all breaches were caused by some form of hacking — and it took months to years for more than two thirds of successful breaches to be detected.
As a result of such statistics — coupled with their own experience of repeatedly cleaning infected systems despite best efforts — more enterprises have come to the realization that breaches are going to happen.
What matters, today, is how quickly they can detect and respond.
It's a fight Kevin Moore, director of IT at the national law and life sciences law firm Fenwick and West LLP, knows quite well. "Like every other organization, we have many security devices in use to protect our systems. From the network firewall, to application firewalls, monitoring systems, web gateways, to anti-malware applications," Moore says. "But as the advanced threats grow, it's getting more challenging to stop every attack."
Over the past few years, in fact, the FBI has warned multiple times that hackers have been increasingly targeting law firms as a way to obtain sensitive information on clients that work within industries of interest.
With all of this in mind, Moore has been working on ways to automate and speed the time to discover and then cleanse infected systems. One of the tools he turned to was FireEye, Inc. for automated malware forensics. However, because Fenwick has a small IT security team, many of the responses to potential breaches were manual and time consuming.
"When we get malware alerts, from FireEye or our web gateway for example, we'd try to isolate the machine in question, find out who the user is and where they happen to be located. We'd then dispatch a service desk agent to quarantine the machine," Moore explains.
That's certainly more capable and proactive than what most organizations do today. Yet, considering the speed at which data is exfiltrated today, Moore knew he would need to be able to move more swiftly. "We'd get data, such as that provided by FireEye, that would show the command and control server the malware was trying to communicate with, and we'd work to respond as fast as we could. But service desk agents and others have many other obligations beyond security, so we needed ways to automate even more," he says.
To shrink that time even more, Moore explored the capabilities of threat management and security analytics vendor NetCitadel. At that time, the company was just starting to develop its Threat Response Platform, Moore explains.