3 Common Myths that Can Derail Endpoint Incident Response Initiatives
The current corporate security environment includes many preventive systems on the network as well as on endpoints: anti-virus, firewalls, DLP tools and so on. However, in a fast-changing environment marked by an explosion in endpoint diversity, use of external networks, increasing automation and data-centric business models, IT is laden with deep-seated misconceptions about security that could make things challenging in the future. Three such crucial myths stem from what psychology calls the status quo bias:
“MY EXISTING SYSTEMS DEAL VERY WELL WITH IDENTIFYING VULNERABILITIES AND MALWARE”
The general assumption is that the existing systems are state-of-the-art preventive mechanisms and are sufficient to handle any threat, vulnerability or security incident. However, today’s organized cyber criminals find ways to break into a system and get away with a lot of information by employing several advanced tactics, such as zero-day attacks (exploiting flaws that routers, anti-virus software and personal firewalls cannot yet recognise), malware-free intrusions and more. These techniques are well ahead of the existing preventive security solutions and could cause a major security incident.
The current preventive systems are absolutely necessary, but it would be a fallacy to consider them sufficient by themselves. Enterprises should definitely use perimeter security and prevention tools such as anti-virus or firewalls, but should also consider endpoint detection and response (EDR) tools like Sentient when developing their incident response strategy, so that the impact of an attack can be determined quickly.
“MY CYBER SECURITY EXPERTS KNOW EVERYTHING”
A second status quo bias concerns people, or more precisely, what makes them really productive and efficient. While the resident security experts might be capable, they need to be given the best tools, resources and data to really excel and thwart real attacks. Investigating an incident without the right tools can lead to a highly inefficient investigation, or even one that goes in the wrong direction. Even the best investigators cannot find real answers unless they have the best tools at their disposal. Likewise, cyber security experts need deep visibility into endpoints to recognize broken configurations, detect symptoms or early signs of compromise, and quickly take corrective action. Examples of the artifacts required include system logs, files, running processes, recently installed software and its versions, and many more.
“I CAN TREAT ALL PROBLEMS THE SAME WAY”
Many IT teams have a standard set of responses to a security incident or problem, such as blacklisting software, making policy changes, or increasing restrictions and controls. Responding to every problem with the same set of long-term measures can lead to a slow deterioration in productivity. Short-term actions taken in a haphazard fashion, such as quarantining a machine, removing spyware from a group of machines, or uninstalling applications from machines on a specific subnet, do not help in understanding the depth and source of the problem either. It is important to go deeper and establish the source of the attack, how deeply it has penetrated, whether it has affected only some parts of the network or more, and whether a similar incident has happened in the past. This information supports an appropriate response instead of a solution that is either too narrow or too broad. Endpoint detection and response tools such as Sentient can help unearth and analyze every small piece of information from the endpoints, assisting incident response teams in treating each incident on its own terms.
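The two preceding sections describe what a response team needs before acting: the endpoint artifacts (running processes, installed software, log lines) and the four triage questions (source, depth, spread, past occurrence). The following is an added example written for this page, not code from the original post or from the Sentient product, showing how those artifacts can be turned into answers to those questions and into a containment scope that is neither too narrow nor too broad. The telemetry records, the past-incident list, the subnet layout and all host names are constructed sample data, and the function names are hypothetical.

```python
"""Scope an endpoint incident before choosing a response.

Added example (not part of the original post, and not Sentient's code):
given endpoint artifacts of the kinds the post lists (running processes,
installed software, system log lines) it answers the post's four triage
questions for one indicator: where it was seen first (candidate source),
how deep it goes (which artifact types it appears in), how far it has
spread (hosts and subnets), and whether a past incident involved it.
All telemetry and past incidents below are constructed sample data.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample telemetry: one record per artifact observed on an endpoint.
# "kind" is the artifact type; "value" is what was seen.
ENDPOINT_ARTIFACTS = [
    {"host": "ws-101", "ip": "10.1.1.15", "time": "2024-03-04T08:02:00",
     "kind": "process", "value": "updater.exe"},
    {"host": "ws-101", "ip": "10.1.1.15", "time": "2024-03-04T08:05:00",
     "kind": "installed_software", "value": "updater 1.0.3"},
    {"host": "ws-102", "ip": "10.1.1.22", "time": "2024-03-04T09:15:00",
     "kind": "process", "value": "updater.exe"},
    {"host": "ws-210", "ip": "10.1.2.40", "time": "2024-03-04T11:40:00",
     "kind": "process", "value": "updater.exe"},
    {"host": "ws-210", "ip": "10.1.2.40", "time": "2024-03-04T11:41:00",
     "kind": "log", "value": "service installed: updater"},
    {"host": "ws-103", "ip": "10.1.1.30", "time": "2024-03-04T09:00:00",
     "kind": "process", "value": "notepad.exe"},
]

# Constructed record of earlier incidents and the indicators they involved.
PAST_INCIDENTS = [
    {"id": "INC-0042", "closed": "2023-11-20", "indicators": {"updater.exe"}},
    {"id": "INC-0057", "closed": "2024-01-09", "indicators": {"miner.exe"}},
]

# Assumed subnet layout, used to answer "which parts of the network".
SUBNETS = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")]


def subnet_of(ip):
    """Return the configured subnet containing ip, or None if it is unknown."""
    addr = ip_address(ip)
    for net in SUBNETS:
        if addr in net:
            return str(net)
    return None


def scope_incident(indicator, artifacts=ENDPOINT_ARTIFACTS, past=PAST_INCIDENTS):
    """Answer the triage questions for one indicator string.

    A record matches when the indicator appears in its value; substring
    matching lets "updater" match the process, the package and the log line.
    """
    hits = [a for a in artifacts if indicator in a["value"]]
    if not hits:
        return {"indicator": indicator, "affected_hosts": [], "affected_subnets": [],
                "first_seen_host": None, "artifact_kinds": [],
                "prior_incidents": [], "scope": "none"}

    hosts = sorted({a["host"] for a in hits})
    subnets = sorted({s for s in (subnet_of(a["ip"]) for a in hits) if s})
    # The earliest observation is the best available candidate for the source.
    first = min(hits, key=lambda a: datetime.fromisoformat(a["time"]))
    # Artifact types the indicator shows up in: process only, or also
    # installed software / service logs, which suggests persistence.
    kinds = sorted({a["kind"] for a in hits})
    prior = [p["id"] for p in past if any(indicator in i for i in p["indicators"])]

    if len(hosts) == 1:
        scope = "single host"
    elif len(subnets) == 1:
        scope = "single subnet"
    else:
        scope = "multiple subnets"

    return {"indicator": indicator, "affected_hosts": hosts, "affected_subnets": subnets,
            "first_seen_host": first["host"], "artifact_kinds": kinds,
            "prior_incidents": prior, "scope": scope}


def containment_plan(report):
    """Translate the scope into a response that is neither too narrow nor too broad."""
    if report["scope"] == "none":
        return "no action: indicator not observed"
    if report["scope"] == "single host":
        return f"quarantine {report['affected_hosts'][0]} and collect a full artifact set"
    if report["scope"] == "single subnet":
        return (f"isolate {report['affected_subnets'][0]} hosts {', '.join(report['affected_hosts'])}"
                f"; start the investigation from {report['first_seen_host']}")
    return (f"enterprise-wide hunt for {report['indicator']}: "
            f"{len(report['affected_hosts'])} hosts across {len(report['affected_subnets'])} subnets")


if __name__ == "__main__":
    report = scope_incident("updater")
    print(report)
    print(containment_plan(report))
```

Run against the constructed data, `scope_incident("updater")` reports three hosts across both subnets, `ws-101` as the earliest sighting, the indicator present as a process, an installed package and a service log entry, and a match against the earlier `INC-0042`; the plan therefore escalates to an enterprise-wide hunt rather than quarantining one machine or one subnet. The same indicator seen on a single host would yield a single-host quarantine, which is the point the section makes about fitting the response to the scope.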