In the previous post, we discussed why every organization, regardless of how sophisticated its IT security infrastructure and operations are, needs an incident response plan. The first goal is always to prevent a data breach from happening. However, if there’s one thing we’ve learned about data breaches during the past five years, it’s that even the largest retailers, financial institutions, Internet giants and government agencies can be victimized.
That’s why you need to create, document, test and continually update an incident response plan that details exactly what needs to happen after a security incident to restore normal business operations and communicate with those affected.
Without proper planning and communication, an organization could suffer irreparable damage. Part of the problem is the time it takes – several months or more in many cases – to detect an attack. This extended period of dwell time enables hackers who have already compromised a network to identify and exploit more vulnerabilities, move across the network, and steal, delete and lock down data. As a result, the threat becomes more difficult to eliminate and the recovery process becomes more complicated and expensive.
Slow threat detection is often caused by the high number of alerts generated by security systems that identify threats based on abnormal behavior. Organizations typically err on the side of caution, choosing to deal with a high number of alerts rather than risk missing a threat. But security teams can easily become bogged down chasing false positives, which delays the analysis of alerts involving truly malicious threats.
At the same time, trivial-true positives, which involve alerts that are technically correct but not dangerous, can also drain security resources. In fact, it takes far longer to determine context and triage a trivial-true positive than a false positive. Both create inefficiencies and add cost to security operations and incident response.
We recently discussed how Windows Defender Advanced Threat Protection (ATP) uses attack surface reduction to eliminate vulnerabilities and enable organizations to better focus their defenses. Similarly, Window Defender ATP offers features that aid in incident response by improving the speed and accuracy of threat detection, investigation and remediation.
Windows Defender ATP endpoint detection and response capabilities make it possible to detect attacks in near real time, aggregate and prioritize alerts, and streamline the investigation of threats. All data is organized and visually represented in the Incidents queue and Alerts queue through the Windows Defender ATP security operations dashboard. Security teams can quickly determine which incidents and alerts require a response.
The Automated investigations feature uses advanced inspection algorithms and analysis processes to assess alerts and immediately respond to breaches. This significantly reduces the number of alerts that require investigation by human security analysts. Windows Defender ATP also uses advanced hunting to enable security teams to track down potential threats, using a sophisticated search and query tool and custom detection rules.
While data breach prevention continues to be the top priority, organizations must assume that a breach will happen and plan accordingly. Let us show you how Windows Defender ATP supports incident response and helps you minimize the impact of security incidents.
Written and composed by Principal, Steve Soper