The document discusses threat lifecycle management (TLM) as a framework to help organizations reduce the time it takes to detect and respond to cyber threats. It describes the typical phases of a cyber attack lifecycle and how TLM aims to detect threats earlier through six phases: 1) forensic data collection, 2) discover threats, 3) qualify threats, 4) investigate threats, 5) mitigate threats, and 6) recover from incidents. Implementing people, processes and technologies to support effective TLM across these phases can help minimize the business impact of cyber attacks.
Network security is a dynamic art, with dangers appearing as fast as black hats can exploit vulnerabilities. While there are basic “golden rules” which can make life difficult for the bad guys, it remains a challenge to keep networks secure. John Chambers, Executive Chairman of Cisco, famously said “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. The question for most organizations isn’t if they’re going to be breached, but how quickly they can isolate and mitigate the threat. In this paper, we’ll examine best practices for effective cybersecurity – from both a proactive (access hardening) and reactive (threat isolation and mitigation) perspective. We’ll address how network automation can help minimize cyberattacks by closing vulnerability gaps and how it can improve incident response times in the event of a cyberthreat. Finally, we’ll lay a vision for continuous network security, to explore how machine-to-machine automation may deliver an auto-securing and self-healing network.
Go to www.esgjrconsultinginc.com
Some 2.4 billion global Internet users—34 percent of
the world’s population—spend increasing amounts
of time online.1 As our online activity expands,
it isn’t just creating new ways to do business. It’s
revolutionizing business. However, like any mass
movement with significant ramifications, the
Internet-enabled life has risks as well as benefits.
Some are willing to accept those risks without much
consideration. Others want to take the time for a
more contemplative response, but events are moving
too quickly for long debate. What we really need is
a Call to Action that addresses the risks demanding
urgent attention.
To balance the benefits of the digital life,
management needs to understand and grapple
with four equally powerful forces:
Democratization – The way customers insist
on interacting via the channels they prefer,
rather than the channels the organization
imposes.
Consumerization – The impact of the many
devices and applications that span work and
play in our digital lives.
Externalization – The ways in which cloud
computing slashes capital expenditure and
shakes up how data moves in and out of
organizations.
Digitization – The exponential connectivity
created when sensors and devices form the
“Internet of Things.” These forces interact in ways
that make eradicating Cyber Risk impossible;
eliminating it in one area simply shifts it to the
others.
However, by following best practices, it is possible
to reduce your organization’s exposure to Cyber
Risk across the board. By addressing the real and
growing risks we face as individuals, businesses, and
governments, we can begin to create an optimal
environment of Cyber Resilience. This Manifesto sets
out a road map for that process.
Network security is a dynamic art, with dangers appearing as fast as black hats can exploit vulnerabilities. While there are basic “golden rules” which can make life difficult for the bad guys, it remains a challenge to keep networks secure. John Chambers, Executive Chairman of Cisco, famously said “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. The question for most organizations isn’t if they’re going to be breached, but how quickly they can isolate and mitigate the threat. In this paper, we’ll examine best practices for effective cybersecurity – from both a proactive (access hardening) and reactive (threat isolation and mitigation) perspective. We’ll address how network automation can help minimize cyberattacks by closing vulnerability gaps and how it can improve incident response times in the event of a cyberthreat. Finally, we’ll lay a vision for continuous network security, to explore how machine-to-machine automation may deliver an auto-securing and self-healing network.
Go to www.esgjrconsultinginc.com
Some 2.4 billion global Internet users—34 percent of
the world’s population—spend increasing amounts
of time online.1 As our online activity expands,
it isn’t just creating new ways to do business. It’s
revolutionizing business. However, like any mass
movement with significant ramifications, the
Internet-enabled life has risks as well as benefits.
Some are willing to accept those risks without much
consideration. Others want to take the time for a
more contemplative response, but events are moving
too quickly for long debate. What we really need is
a Call to Action that addresses the risks demanding
urgent attention.
To balance the benefits of the digital life,
management needs to understand and grapple
with four equally powerful forces:
Democratization – The way customers insist
on interacting via the channels they prefer,
rather than the channels the organization
imposes.
Consumerization – The impact of the many
devices and applications that span work and
play in our digital lives.
Externalization – The ways in which cloud
computing slashes capital expenditure and
shakes up how data moves in and out of
organizations.
Digitization – The exponential connectivity
created when sensors and devices form the
“Internet of Things.” These forces interact in ways
that make eradicating Cyber Risk impossible;
eliminating it in one area simply shifts it to the
others.
However, by following best practices, it is possible
to reduce your organization’s exposure to Cyber
Risk across the board. By addressing the real and
growing risks we face as individuals, businesses, and
governments, we can begin to create an optimal
environment of Cyber Resilience. This Manifesto sets
out a road map for that process.
This white paper provides guidance for how to adopt an Intelligence-Driven Security strategy that delivers three essential capabilities: visibility, analysis, and action.
Shaping Your Future in Banking Cybersecurity Dawn Yankeelov
Designed for bankers, this cybersecurity policy presentation given via partnership with the BSG Financial Group explains where the industry should pay attention and what is next. It was presented on Jan. 24, 2017.
Netwealth educational webinar: Peace of mind in a digital worldnetwealthInvest
According to the latest research from cyber security firm, Kamino, 45% of financial advisers had experienced a cyber incident last year.
Julian Plummer, founder of Kamino, delves into why cyber security is a very real issue for financial advisers and their clients, and the types of cyber incidents that are impacting the financial planning industry. He also provides easy to implement measures to help you improve the cyber security of your practice.
M-Trends® 2013: Attack the Security GapFireEye, Inc.
Mandiant’s annual threat report reveals evolving trends, case studies and best practices gained from Mandiant observations to targeted attacks in the last year. The report, compiled from hundreds of Mandiant advanced threat investigations, also includes approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, https://www.fireeye.com/mtrends.
The 2016 Ponemon Cost of a Data Breach StudyIBM Security
View on-demand webinar: https://securityintelligence.com/events/2016-ponemon-cost-data-breach/
Please join IBM and Larry Ponemon, Chairman and President of the Ponemon Institute, as he shares the results of his 2016 Cost of a Data Breach study and discusses the implications of the study for today’s businesses with Adam Trunkey, Portfolio Marketing Executive, for IBM Security Services.
In this on-demand webinar, you will learn the key findings of the study, including:
- What are the major cost implications from a security incident perspective in key geographies across the globe
- Key industries affected and what were the specific costs reported by respondents
- Major factors that affect the financial consequences of a data breach
- What mega trends are developing based on a decade of studying data breaches?
Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
Businesses of all sizes are targeted by hackers to gain access to proprietary and customer data, threatening your ability to operate or even remain open for business.
Learn how to protect your business from threats and position it for growth.
Business Continuity, Data Privacy, and Information Security: How do they link?PECB
Considering the increased number of cyberattacks and the significant damage caused to the IT infrastructure, organizations should ensure that their efforts to secure IT operations are linked with efforts to maintain resiliency within organizations.
The webinar covers
• Cybersecurity during pandemic through statistics
• Attack trends during pandemic
• Mitigating steps to take
• Relevance of IT Disaster Recovery in the time of Cloud computing
• Achieving optimal alignment and efficiency regarding your ISMS, BCP, BIA and Risk Management efforts
• Post-pandemic cyber and privacy considerations
• BCP and pandemic scenario planning 'beyond COVID'
• How to keep your privacy policy and incident response plan actionable
• How to keep your BCP short, sharp, up-to-date and user-friendly during an actual invocation
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Youtube video: https://youtu.be/0AbrywA5oic
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryTrend Micro
Targeted attacks and advanced persistent threats (APTs) are becoming the new norm of cyber security threats— encompassing organized, focused efforts that are custom-created to penetrate enterprises and government agencies for valuable data, trade secrets, and access to internal systems. We explore the anatomy of targeted attacks: the inner workings of the APT lifecycle, along with an in-depth overview of Trend Micro Deep Discovery advanced threat protection solution, and how it enables enterprise IT to adopt a custom defense strategy that modernizes its risk management program to defend against targeted attacks.
Bases y condiciones - Concurso Califiquemos a Quienes ElegimosFundacionCIRD
Bases y Condiciones del Concurso "Califiquemos a Quiénes Elegimos", organizado por la Fundación CIRD. El plazo de vigencia es a partir del miércoles 30 de abril al viernes 30 de mayo del 2014, en las categorías: Ensayo, Fotografía Profesional y Fotografía Smartphone.
This white paper provides guidance for how to adopt an Intelligence-Driven Security strategy that delivers three essential capabilities: visibility, analysis, and action.
Shaping Your Future in Banking Cybersecurity Dawn Yankeelov
Designed for bankers, this cybersecurity policy presentation given via partnership with the BSG Financial Group explains where the industry should pay attention and what is next. It was presented on Jan. 24, 2017.
Netwealth educational webinar: Peace of mind in a digital worldnetwealthInvest
According to the latest research from cyber security firm, Kamino, 45% of financial advisers had experienced a cyber incident last year.
Julian Plummer, founder of Kamino, delves into why cyber security is a very real issue for financial advisers and their clients, and the types of cyber incidents that are impacting the financial planning industry. He also provides easy to implement measures to help you improve the cyber security of your practice.
M-Trends® 2013: Attack the Security GapFireEye, Inc.
Mandiant’s annual threat report reveals evolving trends, case studies and best practices gained from Mandiant observations to targeted attacks in the last year. The report, compiled from hundreds of Mandiant advanced threat investigations, also includes approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, https://www.fireeye.com/mtrends.
The 2016 Ponemon Cost of a Data Breach StudyIBM Security
View on-demand webinar: https://securityintelligence.com/events/2016-ponemon-cost-data-breach/
Please join IBM and Larry Ponemon, Chairman and President of the Ponemon Institute, as he shares the results of his 2016 Cost of a Data Breach study and discusses the implications of the study for today’s businesses with Adam Trunkey, Portfolio Marketing Executive, for IBM Security Services.
In this on-demand webinar, you will learn the key findings of the study, including:
- What are the major cost implications from a security incident perspective in key geographies across the globe
- Key industries affected and what were the specific costs reported by respondents
- Major factors that affect the financial consequences of a data breach
- What mega trends are developing based on a decade of studying data breaches?
Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
Businesses of all sizes are targeted by hackers to gain access to proprietary and customer data, threatening your ability to operate or even remain open for business.
Learn how to protect your business from threats and position it for growth.
Business Continuity, Data Privacy, and Information Security: How do they link?PECB
Considering the increased number of cyberattacks and the significant damage caused to the IT infrastructure, organizations should ensure that their efforts to secure IT operations are linked with efforts to maintain resiliency within organizations.
The webinar covers
• Cybersecurity during pandemic through statistics
• Attack trends during pandemic
• Mitigating steps to take
• Relevance of IT Disaster Recovery in the time of Cloud computing
• Achieving optimal alignment and efficiency regarding your ISMS, BCP, BIA and Risk Management efforts
• Post-pandemic cyber and privacy considerations
• BCP and pandemic scenario planning 'beyond COVID'
• How to keep your privacy policy and incident response plan actionable
• How to keep your BCP short, sharp, up-to-date and user-friendly during an actual invocation
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Youtube video: https://youtu.be/0AbrywA5oic
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryTrend Micro
Targeted attacks and advanced persistent threats (APTs) are becoming the new norm of cyber security threats— encompassing organized, focused efforts that are custom-created to penetrate enterprises and government agencies for valuable data, trade secrets, and access to internal systems. We explore the anatomy of targeted attacks: the inner workings of the APT lifecycle, along with an in-depth overview of Trend Micro Deep Discovery advanced threat protection solution, and how it enables enterprise IT to adopt a custom defense strategy that modernizes its risk management program to defend against targeted attacks.
Bases y condiciones - Concurso Califiquemos a Quienes ElegimosFundacionCIRD
Bases y Condiciones del Concurso "Califiquemos a Quiénes Elegimos", organizado por la Fundación CIRD. El plazo de vigencia es a partir del miércoles 30 de abril al viernes 30 de mayo del 2014, en las categorías: Ensayo, Fotografía Profesional y Fotografía Smartphone.
Textos do Papa Francisco e outros durante a JMJ 2013Natalia Lott
Compilado de textos, discursos, homilias e entrevistas proferidos pelo Papa Francisco e outras autoridades durante a 28º Jornada Mundial da Juventude, evento realizado entre os dias 22 e 28 de Julho de 2013, na cidade do Rio de Janeiro, e a visita do Santo Padre à Basílica de Aparecida, no dia 24 de Julho do mesmo ano.
Slide da disciplina de Introdução aos Padrões Web e Tecnologias para o Ambiente Digital, ministrada pelo professor Thiago Prado Campos - Aula 03 - 10/06/2011
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
A Time of Great Risk: The Time Between Compromise and Mitigation
In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti- virus/anti-malware, endpoint protection, and more. They operate at and provide visibility into all layers of the IT stack.
Read the following whitepaper to learn:
1. The top 5 vulnerabilities for most data breaches in the Retail industry
2. Where do most attackers come from? And what motivates them?
3. The 3 essential parts of a security strategy to protect from intrusions
We are a new generation IT Software Company, helping our customers to optimize their IT investments, while preparing them for the best-in-class operating model, for delivering that “competitive edge” in their marketplace.
Toward Continuous Cybersecurity With Network AutomationKen Flott
Network security is a dynamic art, with dangers appearing as
fast as black hats can exploit vulnerabilities. While there are
basic “golden rules” which can make life difficult for the bad
guys, it remains a challenge to keep networks secure. John
Chambers, Executive Chairman of Cisco, famously said “there
are two types of companies: those that have been hacked, and
those who don’t know they have been hacked”. The question
for most organizations isn’t if they’re going to be breached, but
how quickly they can isolate and mitigate the threat.
In this paper, we’ll examine best practices for effective
cybersecurity – from both a proactive (access hardening)
and reactive (threat isolation and mitigation) perspective.
We’ll address how network automation can help minimize
cyberattacks by closing vulnerability gaps and how it can
improve incident response times in the event of a cyberthreat.
Finally, we’ll lay a vision for continuous network security, to
explore how machine-to-machine automation may deliver an
auto-securing and self-healing network.
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
Cutting through the APT hype to help businesses prevent, detect and mitigate advanced threats.
Sophisticated cyber-espionage operations aimed at pilfering
trade secrets and other sensitive data from corporate networks currently present the biggest threat to businesses. Advanced threat actors ranging from nation-state adversaries to organized cyber-crime gangs are using zero-day exploits, customized malware toolkits and clever social engineering tricks to break into corporate networks, avoid detection,
and steal valuable information over an extended period
of time.
In this presentation, we will cut through some of the hype
surrounding Advanced Persistent Threats (APTs), explain the
intricacies of these attacks and present recommendations to
help you improve your security posture through prevention,
detection and mitigation.
The Custom Defense Against Targeted AttacksTrend Micro
Advanced persistent threats (APTs) and targeted attacks have a proven ability to penetrate standard security defenses and remain undetected for months while siphoning valuable data or carrying out destructive actions. We review challenges faced by information security leaders, their options for dealing with attackers and how to a Custom Defense approach to deploy a comprehensive Detect—Analyze—Adapt—Respond lifecycle that enhances current security investments while providing new weapons to fight back against their attackers.
Internet, Cyber-attacks and threats are becoming more prevalent. This Infographic explains the current state, and things to consider for yourself and your business.
Cybersecurity Interview Questions and Answers.pdfJazmine Brown
Cyber security professionals are in high demand, and those willing to learn new skills to enter the area will have plenty of opportunities. Our goal is to present you with the most comprehensive selection of cybersecurity interview questions available.
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
Companies are under increasing risks of breaches, theft of intellectual property and erosion of customer trust. CIOs and CISOs need to be able to explain to executive management what's being done to shore up their company's security strategy and defenses.
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
Hundreds of companies, and the most demanding Federal agencies rely on DMI for Mobile Security services and solutions. And with more than 500,000 devices under management, we know how to do it right.
Now we’ve distilled 9 years of Mobile Security best practices into a white paper you can download. The paper lays out a smart, sensible approach to managing mobile risk without unnecessary cost and business disruption.
Please be our guest and check out the white paper. You’ll learn:
How to identify and protect against the threats that matter the most
What to do about “the hottest new technologies”
How to get the most protection for the least cost and disruption
The key differences and similarities between Mobile and traditional cybersecurity
- See more at: http://dminc.com/solutions/enterprise-mobility-services/mobilesecuritywp/#sthash.yTptNZRw.dpuf
Understanding the Biggest Cybersecurity Threats for Businesses Today.pdfVLink Inc
"Understanding the Biggest Cybersecurity Threats for Businesses Today.pdf" provides a comprehensive overview of contemporary cyber dangers confronting businesses. Delving into evolving tactics like ransomware, phishing, and data breaches, it equips readers with vital insights and strategies to safeguard their enterprises from digital threats in an increasingly interconnected world.
https://www.vlinkinfo.com/blog/biggest-cybersecurity-threats/
With work from home becoming popular amid the pandemic, cyber-attacks by ransomware
operators have been on the rise and they may go on after any organization- an enterprise or a
small business, as long as they can gain access to them with ease.
No one today is a stranger to the word- Ransomware! But yes, there are certain tips and tricks
to safeguard yourself from such attacks on an organizational level. A good computer security
practice can help defend organizations against ransomware attacks.
Similar to Threat Lifecycle Management_Whitepaper (20)
1. THE THREAT LIFECYCLE MANAGEMENT FRAMEWORK
Prevent major data breaches by reducing time to detect and respond to threats
By: Chris Petersen
CTO & Co-Founder of LogRhythm
2. Table of Contents
3 Preface
4 A New Approach is Required
5 The Cyber Attack Lifecycle
6 Prevent High-Impact Cyber Incidents Through Optimized Threat Lifecycle Management
7 The Phases of Threat Lifecycle Management
Forensic Data Collection
Discover
Qualify
Investigate
Mitigate
Recover
9 How LogRhythm Accelerates Threat Lifecycle Management
10 Ways LogRhythm Expedites Delivery of TLM
11 LogRhythm’s Unified Approach Provides Lower Total Cost of Ownership and Achieves Better Results
11 Conclusion
3. PAGE 3WWW.LOGRHYTHM.COM
THE THREAT LIFECYCLE MANAGEMENT FRAMEWORK
Preface
Globally, sophisticated cyber-attacks are compromising
organizations at an unprecedented rate and with
devastating consequences. Modern attackers, including
criminal organizations, ideological groups, nation states
and other advanced threat actors are motivated by a wide
range of objectives that include financial gain, industrial
espionage, cyber-warfare, and terrorism. These attacks
are often very expensive for compromised organizations,
costing each company an average of USD $7.7M.1
1
Ponemon 2015 Cost of Cyber Crime Study
2
CyberEdge 2016 Cyberthreat Defense Report
3
Symantec, Underground black market: Thriving trade in stolen data, malware, and attack service.
November 20, 2015; Medscape, Stolen EHR Charts Sell for $50 Each on Black Market, April 28, 2014
4
Deloitte, Beneath the Surface of a Cyberattack, 2016
The Modern Cyber Threat Pandemic 3
The odds that your organization will be compromised are
high. In fact, a recent report indicates that 76 percent
of surveyed organizations were compromised in 2015.2
Against this backdrop, organizations increasingly expect
that it’s not if they will be compromised, but rather when
will they be compromised.
Regulatory fines, public relations costs, breach notification and protection costs, and
other consequences of large-scale data breaches are well-understood. But the effects
of a cyberattack can ripple for years, resulting in a wide range of “hidden” costs—many
of which are intangible impacts tied to reputation damage, operational disruption or
loss of proprietary information or other strategic assets.4
-Deloitte, Beneath the Surface of a Cyberattack
4. THE THREAT LIFECYCLE MANAGEMENT FRAMEWORK
PAGE 4WWW.LOGRHYTHM.COM
A New Approach is Required
The traditional approach to cybersecurity has been to use
a prevention-centric strategy focused on blocking attacks.
While prevention-centric approaches do stop many threats,
many of today’s advanced and motivated threat actors are
circumventing these defenses with creative, stealthy,
targeted, and persistent attacks that often go undetected
for significant periods of time.
In addition, modern organizations are exposed through
increasing interconnectedness—the growing use of
cloud-based applications, the proliferation of mobile
technologies, and the Internet of Things (IoT)—that
blends the use of consumer and corporate technologies.
The result is a rapidly growing attack surface that is
increasingly difficult for your security and operational
teams to protect without impacting the core business of
your organization.
In response to the shortcomings of prevention-centric
security strategies and the challenges of securing an
increasingly complex and open IT environment, many
organizations are progressively shifting their resources and
focusing towards strategies centered on threat detection
and response. Gartner estimates that by 2020, 60 percent
Faster Detection and Response Reduces Risk
of enterprise information security budgets will be allocated
for rapid detection and response approaches, up from less
than 20 percent in 2015.5
Security teams that are able to
reduce their mean time to detect (MTTD) and mean time
to respond (MTTR) can materially decrease their risk of
experiencing a high-impact cyber incident or data breach.
Unfortunately, the growing complexity of IT and an
increasingly hostile threat landscape has made it
challenging to realize reductions in MTTD and MTTR. Most
organizations are struggling to keep up with the volume
of security alerts—many of them false positives or of low
quality. This has created organizational “alarm fatigue” that
inhibits security teams from identifying real threats that
could lead to a damaging cyber-incident or data breach.
Security teams also often lack effective tools, automation,
and processes for streamlining threat investigations and
incident response. These challenges are evidenced when
looking at recent data breaches. Too often, the time it took
for the affected organization to discover and respond to the
data breach was measured in months, and in some cases
years, with the average time to detection being 146 days
in 2015.6
Gartner estimates that by 2020, 60 percent of enterprise information security budgets will be
allocated for rapid detection and response approaches, up from less than 20 percent in 2015.5
5
Shift Cybersecurity Investment to Detection and Response, Gartner, 2016
6
M-Trends 2016, Mandiant Consulting
5. THE THREAT LIFECYCLE MANAGEMENT FRAMEWORK
PAGE 5WWW.LOGRHYTHM.COM
Phase 1: Reconnaissance
The first stage in reconnaissance is identifying potential
targets (companies or individuals) that satisfy the mission
of the attackers (e.g. financial gain, targeted access to
sensitive information, brand damage, etc.). Once the target
or targets are identified, the attackers determine their best
mode of entry.
They determine what defenses you have in place, what
web applications or other internet-accessible systems are
in place, how to compromise external systems, and how to
gain an initial foothold on an internal device. They choose
their initial weapon based on what they discover during their
reconnaissance, whether it is a zero-day exploit, a spear-
phishing email campaign, physical compromise, bribing an
employee, or some other means of launching their initial attack.
Phase 2: Initial Compromise
The initial compromise is usually in the form of hackers
bypassing your perimeter defenses and, in one way or
another, gaining access to your internal network through
a compromised system or user account. Compromised
systems might include your externally facing servers or
end-user devices, such as laptops or desktops. Recent
breaches have also included systems that were never
traditionally considered as intrusion entry points, such
as point-of-sale (POS) devices, medical devices, personal
consumer devices, networked printers, and even IoT devices.
Phase 3: Command & Control
The compromised device is used as a beachhead into
your organization. Typically, this involves the attacker
surreptitiously downloading and installing a remote-access
Trojan (RAT) so they can establish persistent, long-term,
remote access to your environment. Once the RAT is in
place, they can carefully plan and execute their next move
using covert connections from attacker-controlled systems
on the internet.
The Cyber Attack Lifecycle
Fortunately, high-impact cyber incidents and data breaches can be largely avoided if you detect and respond quickly with
end-to-end threat management processes. When a threat actor targets your environment, a process unfolds from initial
intrusion through eventual data breach—if that threat actor is left undetected. The modern approach to cybersecurity
requires a focus on reducing MTTD and MTTR where threats are detected and killed early in their lifecycle, thereby avoiding
downstream consequences and costs.
The following graphic illustrates the Cyber Attack Lifecycle and the typical steps involved in a data breach.
Phase 4: Lateral Movement
Once the attacker has an established (persistent) connection
to your internal network, they seek to compromise additional
systems and user accounts. First, they take over the user
account on the compromised system. This account helps
them scan, discover, and compromise additional systems
from which additional user accounts can be stolen. Because
the attacker is often impersonating an authorized user,
evidence of their existence can be hard to see.
Phase 5: Target Attainment
At this stage in the lifecycle, the attacker typically has
multiple remote access entry points and may have
compromised hundreds (or even thousands) of your
internal systems and user accounts. They have mapped out
and deeply understand the aspects of your IT environment
of highest interest to them. Ultimately, they are within reach
of their target(s), and they are comfortable that they can
complete their ultimate mission at the time of their choosing.
Phase 6: Exfiltration, Corruption, and Disruption
The final stage of the Cyber Attack Lifecycle is where cost
to your business rises exponentially if the attack is not
defeated. This is the stage where the attacker executes the
final aspects of their mission, stealing intellectual property
or other sensitive data, corrupting mission-critical systems,
and generally disrupting the operations of your business. In
the event of data theft, data is often transmitted via covert
network communications across days, weeks, or even
months. Attackers will also hide activity by using seemingly
legitimate cloud-storage applications such as Dropbox and
Google Drive to steal data.
6. THE THREAT LIFECYCLE MANAGEMENT FRAMEWORK
PAGE 6WWW.LOGRHYTHM.COM
Prevent High-Impact Cyber Incidents Through Optimized Threat Lifecycle Management
The ability to detect and respond to the threat early in the Cyber Attack Lifecycle is the key to protecting your company
from large-scale impact. The earlier an attack is detected and mitigated, the less the ultimate cost to the business will
be. If a compromised endpoint is quickly removed from the environment, the cost of cleaning up additional compromised
systems due to successful lateral movement is avoided. If the attacker is detected while executing lateral movement, the
cost of clean-up might be limited to 10 compromised systems vs. thousands (or ultimately having to deal with a class-action
lawsuit resulting from a high-profile data breach).
To reduce your MTTD and MTTR, you must implement an end-to-end detection and response process—referred to as Threat
Lifecycle Management (TLM) in this paper. To realize effective TLM, you must invest in people, process, and technology. More
than ever, technology plays a critical role in realizing cost-efficient reductions in MTTD and MTTR across the TLM workflow.
Threat Lifecycle Management Overview
Threat Lifecycle Management is the fundamental workflow
of the security operations center (SOC). Yet it is important
to note that effective TLM does not require you to have or
to build a 24/7 physical SOC. While for some organizations,
a 24/7 SOC might be appropriate, for others, this is neither
feasible nor warranted. Today, technology can enable
effective TLM at the scale appropriate to your business,
whether it be a virtual SOC with an effective staff of three,
or a globally distributed 24/7 SOC with dedicated staff of 100.
Threat Lifecycle Management
Threat Lifecycle Management is a series of aligned
security operations capabilities and processes that
begins with the ability to “see” broadly and deeply across
your IT environment, and ends with the ability to quickly
mitigate and recover from a security incident. The next
section describes the capabilities and processes that your
organization must invest in to implement effective TLM
and realize reductions in MTTD and MTTR.
7. THE THREAT LIFECYCLE MANAGEMENT FRAMEWORK
PAGE 7WWW.LOGRHYTHM.COM
Phase 2: Discover
Once visibility has been established, you now stand
a chance at detecting and responding to threats.
Discovery of potential threats is accomplished through a
blend of search and machine analytics.
Search Analytics
This type of analytics is performed by people and enabled
by software. It includes things such as targeted hunting of
threats by monitoring dashboards and leveraging search
capabilities. It also includes reviewing reports to identify
known exceptions. Search analytics is people intensive.
Thus, while effective, it cannot be the sole (or even primary)
method of analytics most organizations should employ.
Machine Analytics
This type of analytics is performed by software using
machine learning and other automated analysis techniques
where outputs can be efficiently leveraged by people.
Machine analytics is the future of a modern and efficient
threat discovery capability.
According to Gartner, 25 percent of security products used
for detection will have some form of machine learning built
into them by 2018.7
The goal of using machine analytics
should be to help your organization realize a “risk-based
monitoring” strategy through the automatic identification
and prioritization of attacks and threats. This is critical for
both detecting advanced threats via data science-driven
approaches, as well as helping you orient your precious
manual analytics capabilities to the areas of highest risk
to the business.
The Phases of Threat Lifecycle Management
Phase 1: Forensic Data Collection
Before any threat can be detected, you must be
able to see evidence of the attack within the IT
environment. Because threats target all aspects of the IT
infrastructure, the more you can see, the more ably you can
detect. There are three principle types of data you should
focus on, generally in the following priority:
1. Security Event and Alarm Data
Most organizations have an array of security products
to prevent a wide range of attacks from being successful.
However, in some cases, these technologies can only warn
an attack may be in process or has occurred. In these
cases, events and alarms are generated. The challenge
most organizations deal with is rapidly identifying which
events or alarms to focus on, as tens of thousands might
be generated on a daily basis. At the same time, this is
typically the most valuable source of data your security
team has for finding evidence of a successful attack.
2. Log and Machine Data
Log data can provide deeper visibility into your IT
environment—recording on a per user, per system, per
application, etc. basis—to illustrate who did what, when,
and where. This rich set of data can support more effective
and rapid investigations of suspected attacks. The ability
to comprehend what is normal within the IT environment
is also within this dataset—enabling machine analytics to
detect behavioral anomalies that might indicate a more
advanced attack is in progress.
3. Forensic Sensor Data
Once your organization is effectively collecting their security
and log data, forensic sensors can provide even deeper and
broader visibility. Forensic sensors can fill visibility gaps
when logs aren’t available or the level of forensic detail is
insufficient. There are two primary types of forensic sensors
that might be employed:
• network forensic sensors that capture packets and flows, and
• endpoint forensic sensors (e.g., EDR agents) that can
record with high fidelity all activity occurring on the
monitored system.
Investment in forensic sensors can provide additional gains
in investigative and incident response efficiencies. This
data also enables more powerful and capable machine
analytics-driven approaches for detecting the most
sophisticated attacks.
7
The Fast Evolving State of Security Analytics 2016, Gartner
According to Gartner, 25 percent of
security products used for detection
will have some form of machine
learning built into them by 2018.5
8. THE THREAT LIFECYCLE MANAGEMENT FRAMEWORK
PAGE 8WWW.LOGRHYTHM.COM
Phase 3: Qualify
Discovered threats must be quickly qualified to
assess the potential impact to the business and the
urgency of additional investigation and response efforts.
The qualification process is manual and time intensive, while
also being very time sensitive. An inefficient qualification
process increases the level of human investment needed
to evaluate them all but an efficient process allows you to
analyze a greater number of alarms with less staff, while
also positively affecting overall MTTD and MTTR.
False positives will happen. You need the tools to identify
them quickly and accurately. Inefficient qualification could
mean a true threat (aka “true positive”) has been ignored
for hours or days. Incorrect qualification could mean
that you miss a critical threat and let it go unattended.
Philosophically and practically, it is important to note that
only qualified threats can truly be considered detected,
otherwise it’s simply noise—an alarm bell going off that
nobody really hears.
Phase 4: Investigate
Once threats have been qualified, they need to be
fully investigated to undeniably determine whether
a security incident has occurred or is in progress. Rapid
access to forensic data and intelligence on the threat is
paramount. Automation of routine investigatory tasks and
tools that facilitate cross-organizational collaboration is
ideal for optimally reducing MTTR.
Ideally, a facility for keeping track of all active and past
investigations is available. This can help ensure that forensic
evidence is well-organized and is available to collaborators.
It can also provide an account of who did what in support
of investigation and response activities to measure
organizational effectiveness and hold parties responsible
for the tasks they own in the investigation.
Phase 5: Neutralize
When an incident is qualified, you must implement
mitigations to reduce and eventually eliminate
risk to the business. For some threats, such as ransomware
or compromised privileged users, every second counts.
To maximally reduce MTTR, easily accessible and updated
incident response processes and playbooks, coupled with
automation, is critically important. Similar to the Investigate
stage, facilities that enable cross-organizational (e.g., IT, legal,
HR) information sharing and collaboration are also important.
Phase 6: Recover
Once the incident has been neutralized and risk
to the business is under control, full recovery
efforts can commence. These efforts are less time critical,
and they can take days or weeks depending on the scope
of the incident. To recover effectively and on a timely
basis, it is imperative your security team has access to all
forensic information surrounding the investigation and
incident response process. This includes ensuring that any
changes made during incident response are tracked, audit
trail information is captured, and the affected systems are
updated and brought back online. Many recovery-related
processes can benefit from automation. In addition, the
recovery process should ideally include putting measures
in place that leverage the gathered threat intelligence to
detect if the threat returns or has left behind a back door.
9. THE THREAT LIFECYCLE MANAGEMENT FRAMEWORK
PAGE 9WWW.LOGRHYTHM.COM
LogRhythm Labs has spent a decade building our MDI
knowledge base and is constantly at work adding new
devices and updating existing devices via cloud-based
delivery. Our ongoing investment in MDI, combined with
our patented data-processing capabilities, lays the critical
foundation for accurate security analytics and effective
security automation.
3. Precision Search, Rapid Decisions
Our Elasticsearch-based back-end empowers both contextual
search and unstructured search. Unstructured search allows
you to quickly and easily search data based on keyword
criteria. Contextualized search criteria provides a more
precise search experience, so you can get to the right data
and right decisions, fast. Data is displayed in a powerful and
intuitive UI, leveraging customizable analysis widgets.
4. Machine Analytics Technology
Our patented AI Engine technology employs a variety of
sophisticated analytical techniques, including machine
learning, behavior profiling, statistical analysis and black/
whitelisting. AI Engine detects threats that can only be
seen via a centralized “big data” analytics approach. It also
corroborates threats detected by other security sensors with
relevant data from across your environment.
5. Holistic Security Analytics and
User and Entity Behavior Analytics
Only LogRhythm offers out-of-the-box analytics modules
supporting user, network, and endpoint threat detection
across your holistic attack surface. For instance, our User and
Entity Behavior Analytics (UEBA) module provides out-of-the
box capabilities for rapidly detecting a wide range of user-
based threats such as compromised accounts and privilege
abuse. All analytics modules are developed & maintained by
the LogRhythm Labs threat research team and are updated
regularly through cloud updates. We provide these modules
as part of a customer maintenance contract.
6. Threat Intelligence Operationalization
LogRhythm automatically and easily integrates with
commercial, open-source, and industry-provided third-party
threat intelligence feeds and services, operationalizing
actionable threat intelligence data (e.g., CrowdStrike,
Malware Domains, STIX/TAXII). This intelligence can be
used to alarm on known indicators of compromise, provide
contextual data to existing alarms within the platform, and
as a validation point to further qualify an alarm.
How LogRhythm Accelerates Threat
Lifecycle Management
The responsibility of detecting and responding to threats
that penetrate the perimeter or originate from within is
typically borne by the security operations center (SOC).
Regardless of whether an organization employs a virtual
SOC of three or a physical SOC of 30, how well this is
executed is determined by the effectiveness of TLM. The
TLM workflow is not novel; it is and has been the core
foundation of SOC monitoring and response capabilities.
The reason large data breaches still occur is because the
TLM workflow is implemented poorly across a large number
of diverse security systems, each offering different user
interfaces, inadequate integration with other systems,
and lacking automation in the areas of advanced security
analytics and incident response. SOCs built on a foundation
of poor TLM continue to suffer from alarm fatigue and
operate with low human efficiency.
LogRhythm delivers Threat Lifecycle Management by
bringing together historically disparate security solutions
into one unified platform. The LogRhythm Security
Intelligence and Analytics Platform gives the SOC a “single
pane of glass” from which to evaluate alarms, investigate
threats, and respond to incidents. LogRhythm’s patented
security analytics capabilities automate the detection
and prioritization of real threats. In addition, our platform
provides mechanisms to orchestrate and automate the
incident response workflow. The delivery of all TLM
capabilities, with strong automation, in a unified platform,
ensure your staff can work more efficiently to realize
optimally reduced MTTD and MTTR.
10 Ways LogRhythm Expedites Delivery of TLM
1. Unbeatable Forensic Visibility
LogRhythm offers unparalleled forensic visibility by
collecting the widest variety of machine data in real-time,
including security events, audit logs, system and application
logs, flow data, and more. Basically, if it logs, we can almost
certainly collect it. In addition, purpose-built forensic
sensors provide you with deeper visibility into network
communications and endpoint activity. Central management
and administration of all this data ensures a low total cost
of ownership.
2. Machine Data Intelligence (MDI)
Simply put, nobody knows more about what log data
means than us. Our Machine Data Intelligence (MDI) Fabric™
uniformly classifies, contextualizes, and normalizes data
from over 750 different types of systems and devices.
10. THE THREAT LIFECYCLE MANAGEMENT FRAMEWORK
PAGE 10WWW.LOGRHYTHM.COM
9. Embedded Case and Incident Management
LogRhythm has a fully integrated case and incident
management system that allows security analysts to
collaborate efficiently and securely. Case management
provides a full audit history and real-time dashboard of all
active investigations and incidents. Adding an alarm to a
case is as simple as one-click, helping ensure suspected
threats are promptly tracked. An evidence locker
centralizes all forensic data associated with your active
investigations. For organizations with existing IT ticketing
and orchestration systems, LogRhythm offers an API for
bidirectional integration.
10. SmartResponseTM
Enabled Incident
Response Automation
LogRhythm’s SmartResponse plug-ins allow for proactive
mitigation of threats by automating routine investigatory
actions (e.g., scan server, dump memory) as well as
incident response countermeasures (e.g., disable user,
quarantine endpoint). SmartResponse actions are
automatically associated with specific alarms creating
pre-staged automation playbooks. Actions can be initiated
without human interaction or can require single- or multi-
party approval. Out-of-the-box functionality enables rapid
adoption, and you can easily develop your own plug-ins
to support custom workflows and playbooks.
7. Risk-Based Prioritization (RBP)
Whether threats are detected by another security product
or via LogRhythm’s AI Engine, our RBP algorithm uses
environmental risk characteristics and threat context to
assign a 100-point score to all alarms. The algorithm provides
out-of-the box prioritization, but it can also be tuned over
time based on unique organizational needs. This helps you
quickly adopt a risk-based monitoring strategy, reducing
alarm fatigue and effectively focusing your teams’ time
where it matters most.
8. Machine-Assisted Investigations
When investigating alarms, ensuring that your analysts
are looking at the “right” data is of critical importance to
investigatory efficiency and accuracy. In addition, knowing
what to search for can be challenging when analyzing
complex threat actor scenarios or behavioral abnormalities.
For every alarm LogRhythm generates, there is a machine-
assisted drill down that automatically returns the data of
highest forensic interest, helping ensure you are looking at
the right data for fastest decision support.