Accelerating Enhanced Threat Identification and Incident Investigation

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
David Monahan
Managing Research Director, Security and Risk Mgmt.
Enterprise Management Associates
Accelerating Enhanced Threat
Identification and Incident Investigation
Stephen Hinck
Product Manager
Gigamon Insight
Steve Porcello
Sales Engineer
Gigamon Insight

Watch the On-Demand Webinar
Slide 2
• Accelerating Enhanced Threat Identification and Incident
Investigation On-Demand webinar is available here:
http://info.enterprisemanagement.com/threat-id-and-incident-
investigation-webinar-ws
• Check out upcoming webinars from EMA here:
http://www.enterprisemanagement.com/freeResearch

Today’s Speakers
Stephen Hinck, Product Manager, Gigamon Insight
After over 15 years in IT and security operations with focuses on incident response, threat detection, and building
security operations teams, Stephen has turned to using his experience and passion for the industry to focus on the
tools used by those organizations. In this product management role, he concentrates on identifying and building
tools designed to aid in securing customer environments and reducing organizational risk.
David Monahan, Managing Research Director, Security and Risk Management, EMA
David is a senior information security executive with several years of experience. He has organized and managed
both physical and information security programs, including security and network operations (SOCs and NOCs) for
organizations ranging from Fortune 100 companies to local government and small public and private companies.
He has diverse audit and compliance and risk and privacy experience such as providing strategic and tactical
leadership to develop, architect, and deploy assurance controls; delivering process and policy documentation and
training; and working on educational and technical solutions.
Steve Porcello, Sales Engineer, Gigamon Insight
Steve started out as a security analyst for organizations in the New York City area, including some in the industrial,
utility, and financial services sectors. From there, he moved into the vendor space by joining innovative cyber
security start-ups and now focuses on using his experiences in incident response to promote and educate security
teams about benefits of Gigamon Insight.

Logistics for Today’s Webinar
An archived version of the event recording will be
available at www.enterprisemanagement.com
• Log questions in the chat panel located on the lower
left-hand corner of your screen
• Questions will be addressed during the Q&A session
of the event
QUESTIONS
EVENT RECORDING
A PDF of the speaker slides will be distributed
to all attendees
PDF SLIDES
Logistics for Today’s Webinar

David Monahan
Managing Research Director, Security and Risk Mgmt.
Enterprise Management Associates
Accelerating Enhanced Threat
Identification and Incident Investigation

76 million customer
records
Banking/Finance
77 million customer
accounts
Entertainment/Online Gaming
22 million employee records
Government
110 million payment
and credit records
Retail
143 million
credit records
Consumer Credit
78.8 million
customers
Healthcare
56 million records
Home Improvement
412 million records
Entertainment/Social
3 billion records
Entertainment and News
94 million card #s
Retail
500 million customers
Hotel and Leisure
38M
Software
https://www.csoonline.com/article/2130877/data-breach/the-biggest-
data-breaches-of-the-21st-century.html
ASSUME BREACH-
Your organization will be breached at some point.
You must plan ahead to minimize both the incursion
and the related damages that occur
6 © 2019 Enterprise Management Associates, Inc.
100% of the
companies reporting
PCI compliant on
their previous PCI
audit.
This indicates a lack
of ability to provide
real security
monitoring over
“compliance.”
PCI compliancerequirementsto operate card processing

Organizations have
numerous attack surfaces
• People
• Exposed business app flaws
• Broken business processes
• Internal applications flaws
• Network architectural flaws
Security most often lacks
context and visibility
• Tools silos create blind spots
visibility
• Data silos reduce context
Lack of context creates
“noise”
• False positives
• Alert fatigue
Lack of visibility creates false
sense of security
• False negatives
• Extended breach durations and
recovery
WHY BREACHES ARE SO COMMON
Only 28% of
organizations have
alerting systems
with enough context
to provide highly
accurate incident
classification

Getting Better Context and Visibility
Through Security Analytics

SECURITY ANALYTICS FOR THREAT
DETECTION AND BREACH RESOLUTION
Understanding Security Analytics
• Put more, better-quality data together at the indication of
the incident
• Drive better business processes
• Use ML and AI algorithms
 Drive better modeling
 Create better tactical/situational analysis
Up to 95% of
incoming alerts
require manual
verification and
reclassification due
to poor initial alert
quality and
classification by the
system

SECURITY ANALYTICS FOR THREAT
DETECTION AND BREACH RESOLUTION (Cont’d)
• Use of multiple analysis techniques, including adaptive
outcome algorithms
• Provide behavioral analysis based on
 Individual and community behavioral analysis
 Using protocol, packet stream, logs
 Big data interrogation and risk profiling techniques
• Identify, prioritize, and aid in containing threat actors
48% of
organizations had a
security incident that
caused moderate to
severe business
impact

EVALUATING USE CASES ON MORE THAN
35 VENDORS
Use cases gathered from
• Current customers and prospective customers
 Indicated perceived needs from analytics prior to purchase
 Actually implemented support use cases based on
evaluations and trials
 New use cases identified after purchase
• Vendors
 Provided insights on specialized or advanced use cases
 Provided live demonstrations of applicable use cases
36% of
organizations stated
that one of their
most useful
capabilities with
respect to
accelerating breach
detection is an
“increased ability to
combine, easily
aggregate, and
cross-analyze
varied data
sources.”
EMA “Data-Driven Security
Unleashed” research

EVALUATING USE CASES ON MORE THAN
35 VENDORS (Cont’d)
• Evaluated solutions focus on security analytics in different ways
• Approaches to data collection and the types of data they collect affect
use case applicability and solution efficacy
• Given these variances, it is conceivable that more than one solution
meets the organization’s needs or that given a wide breadth of needs,
multiple solutions could be warranted

PARTICIPATION QUALIFICATIONS
• Use of multiple analysis techniques, including adaptive
outcome algorithms
• Provide behavioral analysis based on
 Individual and community behavioral analysis
 Using protocol, packet stream, logs
 Big data interrogation and risk profiling techniques
• Identify, prioritize, and aid in containing threat actors
28% of
organizations
indicate they must
devote unplanned
resources to dealing
with a security
incident daily to
weekly.
EMA “A Day in the Life of a Security
Professional” research and EMA
“Data-Driven Security Unleashed”
research

GENERAL BUYER’S NOTES
• Evaluate UIs with your current and future processes in mind
• Use to validate your processes and techniques
• Evaluate solution against current environment for increasing ROI
• Evaluate solution integrations for your 3-5 year desired state
• Measure vendor support SLAs against your business to avoid over- or
under-buying support
• Talk to other customers to get input on the solution, especially ways
they expanded their product usage

Use Case 1:
IDENTIFYING ADVANCED THREATS

• Most successful attacks are
executed using a combination
of threats
• Advanced threats are better
designed to hide themselves
and execute in a stealthy
manner
• Advanced threats leave
minimal indications of use or
existence on the target
system
• Advanced threats are most
often aimed at specific targets
• Though, in general, solutions
are based on a common pool
of algorithms, each has their
own specialized intellectual
property applied to the
problem to create a unique
solution
• This combination of
intellectual properties creates
unique analytics engines that
are each more suited to
different collections of use
cases
QUICK TAKE
48% of
organizations said a
malware attack had
a moderate to
severe impact on
their organization.
EMA “Security Megatrends”
research

#1 BUYER’S NOTE
• All analytics rely on getting good data
• Detection of advanced threats is
impossible without:
 the right data,
 at the right place,
 at the right time
• Consider your data collection and delivery
architecture
• Ensure you eliminate data silos
• Remove artificial data barriers caused by politics
and inadequate data flows
53% of
organizations stated
that they have not
established
comprehensive
baselines to
understand whether
they are in a state in
which they can
identify threats in
their environment.
EMA “Data-Driven Security
Unleashed” research

Use Case 2:
ENHANCING INCIDENT INVESTIGATION

• Investigations are a reaction
to a detected incident.
• Solutions must have access
to and be able to utilize a
broad array of data
• Analysts rely on receiving
information quickly,
accurately, and in an
intelligible format
• Automated data assimilation
and strong data presentation
are crucial for fast and
accurate response.
• Clear visuals make data
association and analysis far
easier, more accurate, and
faster
• Automated data enrichment
saves time and valuable
analyst resources
• Use of previously collected
data in analytics improves
models’ response time and
accuracy, thus reducing
attack identification time
QUICK TAKE
79% of security
teams are
overwhelmed by the
volume of alerts
they receive

BUYER’S NOTE
• Research shows that packet and flow data
are highly valued but severely underutilized
for investigations
• Use of a wide array of collectible data
increases accuracy
• Automated information gathering reduces
losses, investigation, notification, and
recovery costs, thus producing faster ROI
• Ensure that the user interface meets with the
approval of the people who will be using it

Use Cases Demo

INDUSTRY ANALYSIS & CONSULTING22 © 2018 Enterprise Management Associates
LEARN MORE
Find out how you can accelerate your threat response with
network detection and response with Gigamon Insight.
• Visit Gigamon.com/insight
to learn more or request a
personalized demo.

Accelerating Enhanced Threat Identification and Incident Investigation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Accelerating Enhanced Threat Identification and Incident Investigation

Similar to Accelerating Enhanced Threat Identification and Incident Investigation (20)

More from Enterprise Management Associates

More from Enterprise Management Associates (20)

Recently uploaded

Recently uploaded (20)

Accelerating Enhanced Threat Identification and Incident Investigation