We talked about starter detection and response processes; now what about the tools? Namely, the tools that help you start your detection and response capability. Here, some “experts” will shout ‘screw the tools! “security is a process, not a product”’
Sadly, among the least mature organizations [at which this research is aimed!], the opposite perception is firmly in place: “security is a box, what do you mean by ‘process’… huh?” [BTW, I am not joking here – some of you reacted to my utterly depressing post with “WTF, the reality is much worse and Anton is an optimist” :-)]
In fact, I learned a fascinating concept last week: that of a “natural process.” In plain English, it is the shit you do when you have no set and/or documented process for accomplishing your goal. Example: a “natural process” for DFIR is panic, scream, turn off computers, polish your resume, then go on eBay to buy new mice because the old ones are “hacked”…
Now, a warning: before you read the below, think “STARTING”, “BEGINNER”, “LOW MATURITY” and often also “SEVERELY BUDGET CONSTRAINED.” Note that this does not necessarily mean SMB, but it often does.
OK, so what are the choices?
- LOGS: A SIEM of some sort, perhaps a log management tool with decent alerting (as Gartner says here). Notably, SIEM is ***NOT*** at all an obvious choice here, but log analysis of some sort probably is, due to the breadth and flexibility of the use cases it covers (also see the debate below that post).
- TRAFFIC: A network detection tool of some sort (we can debate NIDS vs NTA later); it may be something that is a module in your UTM or a firewall, or a good old IDS. Note that perhaps it is useful to differentiate between detection on the perimeter vs inside the perimeter.
- ENDPOINT: not a common starter tech choice for detection (but very much so for incident response). Still, we expect that as EPP and EDR merge together, it will be more popular. Or, perhaps, OSSEC HIDS suffices for some? [here is a fun debate on this topic, but admittedly NOT between or for the beginners, because APT :-)]
What is obviously missing? Ah, glad you asked!
- MSSP / MDR with whatever technology they bring (typically, logs, but nowadays often a combination of logs + traffic, and occasionally logs + endpoint via EDR) [note that it is often advisable to combine an MSSP with your own log management, such as for IR and troubleshooting]. Note that our existing guidance favors this approach quite a bit.
Anything else? Some “spork-style” tool that combines several/all of the above? Or, perhaps, our thinking is too constrained by the above categories?
Blog posts related to this project: