Several different measures of effectiveness tell us incident response (IR) generally takes too long and costs too much. For example, a global study by Poneman in 2018 found the mean-time-to-identify (MTTI) grew to 197 days from 191 days year-over-year. In addition, the time to remediate a breach also grew from 66 to 69 days. This all comes at a price too – the average cost of a breach tallied up to $3.86 million.
Why? Many security teams don’t have sufficient incident response plans implemented consistently across their organization. The study suggests analysts knew or had a hunch, there was an incident unfolding, but they didn’t have the network visibility to understand where.
Fortunately, Bricata and Ixia, a Keysight Business, have worked together to design and test a way for incident responders to easily build and deploy flyways kits that solve this problem. The solution uses Ixia network taps and packet brokers to collect network data which is then forwarded to the Bricata platform for threat detection and analysis.
These flyaway kits for network incident response are designed to quickly give security analysts visibility where an incident is emerging. These are especially useful under the following conditions:
- an environment is not properly instrumented;
- the response team is unfamiliar with the environment; and
- incident responders lack the tools and data to conduct a proper threat investigation.
Experts from both companies described the benefits, characteristics, components and real-life use cases during a recent webinar. The webinar was recorded and is available now for on-demand viewing. Below are a few notes our team took from the webinar to provide some context.
1) Key benefits of network flyaway kits.
What can a security professional or incident responder expect to gain from building a flyaway kit? The webinar presenters identified four high-level benefits including:
- Instant visibility. When an incident responder arrives on-scene, the flyaway kit provides effortless access to the compromised (or potentially compromised) network in seconds.
- A consistent analysis platform. A security breach is naturally an unpredictable situation, so well-designed flyaway kits must perform predictably. This allows incident responders to focus on indications of compromise (IOCs) and remediation. In addition, consistency inherently improves an organization’s ability to develop playbooks for responding to future incidents.
- Portability. Portability enables incident responders to bring a flyaway kit to wherever and whenever it’s needed – even to incidents in remote or austere locations.
- Lower total cost of ownership (TCO). Some security tools are too expensive to deploy across an entire network. Flyaway kits allow responders to focus advanced and best-of-breed security technology when and where they need it the most – without breaking the budget.
2) Characteristics of effective flyaway kits.
Flyaway kits should be purpose-built for the incident responder. As such, there are several considerations that need to be woven into a tool they can use to shorten the time it takes to detect and remediate threats.
- Physical dimensions. The size of a flyaway kit is driven by the mobile nature of the expected use cases. This can range from about the size of a suitcase – that can fit in an overhead compartment on an airplane – to a full data center rack for extended incidents.
- Reliable access to network data. Incident responders need a reliable way to access network data and provide non-intrusive network packet acquisition.
- Traffic and data grooming. Network traffic data can sometimes offer better performance in the analysis if it is groomed before being forwarded. For example, an incident response team reacting to a suspected database breach could speed up their investigation with the capability to filter out any traffic other than HTTP, SQL and Oracle-related traffic before sending the data to an analysis platform.
- Supports workflows. Expert workflows should be built in to facilitate incident response and threat hunting based on best practices.
- Threat detection and analysis. Effective flyaway kits should be capable of performing full-spectrum threat detection, packet capture (PCAP), threat hunting and collect data that supports remediation activities later.
- Report generation. Reporting in any tool must be intentional. This helps responders easily provide updates throughout the incident, report on the final root cause and document lessons learned.
3) Key components of effective network flyaway kits.
Network flyaway kits – supported by Bricata and Ixia – have three basic components:
- A network tap. This is a passive device that provides access to network data. Any data flowing across the network also passes through the tap. In incident response, this is a better option than an existing port span because it won’t consume native processing resources and avoids the potential impact for inadvertent misconfiguration.
- Packet broker. The packet broker replicates the data passing through the network tap and forwards it to the network analysis platform. It manages network speed and media-type conversions between network and analysis platform – and performs any of the data grooming that may be advantageous for accelerating the investigation.
- Threat detection and analysis platform. The threat detection platform provides the visibility, threat detection, threat hunting and post-detection actions that are critical for incident responders to quickly diagnose and remediate unfamiliar network.
Watch the Recorded Webinar on Incident Response
The full webinar explores flyaway kits for incident response. It runs just about 50 minutes including a question and answer period. A complimentary recording of the webinar is available for viewing at your convenience here: Every Second Counts: Get your Flyaway Kit to Speed Incident Response.
If you enjoyed this post, you might also like:
Triage, Scoping and Threat Hunting: Maslow’s Hierarchy of Needs in Incident Response