E-Guide THREE STEPS TO WORLD-CLASS INCIDENT RESPONSE

“With Blue Coat, I can rest assured that regardless of the virility of APTs, zero-day infections, unknown malware or internal threats – we are prepared to face the unknown, knowing the platform is providing always-on, full visibility behind the scenes. Blue Coat helps me figure out exactly how the breach happened, so I can do my job and protect everyone else.”

Major Government Defence Contractor

CONTENTS

Introducing Incident Response (IR): From prevent and protect to detect and respond
The three essential steps of Incident Response
  Step 1. Assess
  Step 2. Analyse
  Step 3. Resolve
Create a holistic approach: recommendations
Blue Coat Advanced Threat Assessment
Next steps

INTRODUCING INCIDENT RESPONSE (IR): From prevent and protect to detect and respond

Today’s cybercriminals are upping the ante – building a new breed of advanced threats that can evade traditional perimeter defences, staying undetected on your network for an average of 206 days and wreaking havoc long before you see them.1

Change your thinking. Change your security stance.

At Blue Coat our approach is a pragmatic one: no matter how much effort is spent on preventing attacks, it’s likely you will be attacked and your perimeter will be breached. The challenge is to:

- Quickly identify the attack and understand its scope
- Halt its progress before you lose control of data and systems; and
- Resolve any damage and learn from the experience to further strengthen your defences.

This requires shifting your security strategy from ‘protect and prevent’ to ‘detect and respond’. Why? Because while European firms spend 77% of their security budgets on traditional prevent and protect solutions, 69% claim it takes them between one and six months to detect a breach.1

Sixty-eight per cent of organisations believe improved Incident Response is the best way to mitigate future security breaches.2 How to achieve this? A mature Incident Response methodology.

European detect and respond spending will increase from 23% to 39% by 2017.2

What can Incident Response do for your organisation? Next we look at the three steps a great Incident Response solution should deliver:

- Retain evidence and impact: keep a record of what occurred and what can be learned
- Enriched investigation: interrogate your networks to get the data you need
- Proactive Incident Response: detect and fully assess the threat

1 Incident response spend up as firms recognise cyber attacks are inevitable, Computer Weekly, 1st June 2015. Research by Pierre Audoin Consultants.
2 Cyber Security Incident Response: Are we as prepared as we think? Ponemon Institute, 2014.

THE THREE ESSENTIAL STEPS OF INCIDENT RESPONSE
Step 1. Assess

With network traffic emanating from such a wide variety of devices and locations, evaluating suspicious traffic, and possibly user behaviour, has never been more difficult, nor more critical.

Undertaking a thorough and rapid assessment requires a large sample size. In fact, the larger and faster the better, especially if you consider that 52% of businesses expected to be compromised in 2015 and that 90% of targets are compromised within a week of a breach.3 This is because today’s advanced new breed of cyber attacks is incredibly sophisticated and stealthy, with intelligent evasion techniques built in, allowing them to avoid detection by some traditional security technologies.

Rapid detection is essential, now more than ever, because breached organisations are increasingly required by law to report data loss and its outcomes.

Blue Coat Incident Response supports quick and comprehensive threat assessment with these capabilities:

- Records, indexes, classifies and replays all packets, flows, files and sessions from layer 2 to layer 7
- Captures and records 100% of data – rather than a sample of data or metadata – at line rate speeds, no matter how fast the network
- Includes 24/7 high fidelity recording of activity, providing full real-time visibility of incoming and outgoing data to allow you to replay breaches and understand their context
- Simple integration with the Blue Coat SSL Visibility solution to eradicate traffic blind spots

Now let’s review step two in your Incident Response strategy.

3 CyberEdge 2015 Cyberthreat Defense Report.

THE THREE ESSENTIAL STEPS OF INCIDENT RESPONSE
Step 2. Analyse

If, as research tells us, 43% of Incident Response engagements were the result of malware missed by prevention-based antivirus software, a more robust methodology for analysing threats is required.4

In order to act on a threat in the most appropriate way, you will need to understand the scope of the attack as well as the attacker’s methods. It is only by thoroughly analysing the ‘content’ of the attack as well as its ‘context’ that your security team will fully comprehend the ‘What’, ‘When’ and ‘How’ of each issue and be empowered to make evidence-based decisions about remediation.

But what should you analyse and how? Let’s say you capture data from your network sessions: what are you going to compare it against in order to detect a threat?

Your signature-based security solutions will of course identify known threats, but given that new malware is released every day, those signature-based solutions are at risk of being rapidly outdated – requiring a robust patch management strategy to keep them up-to-date.

What you really need in order to analyse suspicious traffic is a facility that allows you to run your data against a much bigger pool of real-time threat intelligence, ideally taken from around the globe and across industries.

Every sample of data must undergo deep packet inspection too. However, given that one of the tricks criminals use is to hide threats in encrypted data, it’s vital that you can also see into that ‘secured’ traffic and send decrypted traffic to a security analytics platform with big data capacities.

Continued

4 2014 NTT Global Threat Intelligence ber-security-study.html

Step 2. Analyse (continued)

Blue Coat Incident Response delivers impressive analysis via these tools:

- The Blue Coat Malware Analysis Appliance, which receives your suspicious traffic and uses custom virtual environments to detect anomalies quickly without hindering the performance of your applications
- Risk scoring of malware, with the capability to plot the damage each threat could cause
- Global Threat Intelligence (GTI) engine and reputation services, which correlate your data against our GTI, a huge pool of intelligence derived from 15,000 customers worldwide and 75 million users
- A 30-day data repository, giving you industry best practice for minimum term data capture

THE THREE ESSENTIAL STEPS OF INCIDENT RESPONSE
Step 3. Resolve

Once an issue has been identified, you need to understand what has happened and how. This insight will help you deliver appropriate and timely resolutions. Getting the answers to these questions relies on rich forensic capabilities so that the more sophisticated and ‘persistent’ elements of an attack can be recognised, fully understood and eradicated. Yet these must work extremely quickly in order to reduce time-to-resolution.

However, resolving a security issue isn’t just about removing the malware from your systems, it’s about learning from each attack. That means sharing information with global threat intelligence systems so that intel can be used to update other security measures such as endpoint protection, next generation firewall, intrusion prevention systems and SIEM solutions.

Any Incident Response investment should empower your security teams to recommend new processes, user education and security technologies in order to close current security gaps and strengthen your future security posture.

Blue Coat Incident Response delivers smart resolutions after a breach by:

- Using forensics to shrink time-to-resolution – 75% of customers reduce Incident Response times after implementation
- Automating the heavy investigation work so that your people can focus on implementing the findings
- Integrating with other security incident logging solutions, such as SIEM
- Providing insights to strengthen your security strategy

Most firms need between one and six months to recover from a breach.5

5 Incident response spend up as firms recognise cyber attacks are inevitable, Computer Weekly, 1st June 2015. Research by Pierre Audoin Consultants.

CREATE A HOLISTIC APPROACH FOR BEST RESULTS
Incident Response recommendations

Incident response activity isn’t complete once a technology has been deployed – robust Incident Response requires that some additional strategies be deployed, as follows:

1. Build an experienced Incident Response team – and test their readiness frequently
2. Provide clear rules – develop procedures for engagement should your Incident Response technology be invoked
3. Measure Incident Response efficacy – using operational metrics that are tailored to your organisation and industry regulations
4. Communicate effectively – create a multi-departmental Incident Response team who can roll out new policies on user behaviour and security processes across the organisation
5. Think big – just as you would share information about a breach with affected customers, put in place processes for communicating with your business ecosystem and security providers

What’s the next step? Discover what Blue Coat Incident Response can do for you: test it in your environment with our Advanced Threat Assessment. Let’s take a brief look at how it works.

BLUE COAT ADVANCED THREAT ASSESSMENT
Make evidence-based improvement decisions

Have your defences been breached?

At Blue Coat we believe in the importance of making evidence-based security decisions. This is why we created the Advanced Threat Assessment (ATA). Think of it as a kind of proof of concept that allows you to deploy our Incident Response technology in your environment for 1-2 weeks to see what threats it discovers in your environment and how you could resolve them.

It works on a monitoring only basis, giving you complete visibility of the security issues currently at play in your network without impacting your employees’ productivity.

Blue Coat Advanced Threat Assessment: How it works

ASSESS: Identifies security risks and ranks them according to severity. Correlates them with your security investments, highlighting gaps.
ANALYSE: Performs root cause analysis to identify the problem’s source. Investigates and remediates breaches quickly to contain incidents.
RESOLVE: Recommends how to close existing gaps and prioritises future security investments.

Continued

BLUE COAT ADVANCED THREAT ASSESSMENT (continued)
Make evidence-based improvement decisions

What will you discover?

The ATA focuses on the forensics of malware infections, detecting Indicators of Compromise and validating your security policies and investments. Typically, an assessment will uncover downloaded malware, compromised hosts reporting to Command and Control systems, suspicious outbound traffic to inappropriate websites, unusual and unsecure protocols and FTP. As well as providing an analysis of each security ‘issue’ you will see proposed remediation and further risk mitigation.

Is it worthwhile?

Undertaking an ATA not only provides a full understanding of what threats are lurking in your environment, it helps you build multiple business cases for enhanced Incident Response.

USE CASE 1: Security Incident Response and Resolution
Quickly analyse, identify, and resolve cyber-attacks and breaches. A large online retailer uses our Security Analytics Platform to identify malicious activity inside and outside the network, pinpointing compromised systems, and conducting assurance testing on preventative controls by replaying attacks in a lab environment.

USE CASE 2: Situational Awareness
Extracts information from the environment and integrates it with relevant internal knowledge in order to anticipate future events.

USE CASE 3: Continuous Monitoring
Captures, indexes, and plays back all network data to provide security professionals with timely, targeted and prioritised information.

NEXT STEPS
Take back control with Incident Response

Register for your Blue Coat Advanced Threat Assessment: www.bluecoat.com/ATA

If you have any remaining questions regarding the Assessment, send an email to our team at: EMEA-ATA-request@bluecoat.com

Discover the rich capabilities of our Security Analytics Platform. Visit bluecoat.com for white papers, videos, solution briefs and more.
