How to prepare NGAV for large scale attacks

By Rick McElroy and Sean Blanton, Carbon Black

Stopping cyber attacks in progress starts with asking the right questions. During a response scenario, every minute counts: the longer it takes to address an issue, the more risk a business faces.

Visibility is the foundation of investigation and response. Without a full picture of everything that is happening and has happened, response teams are at a significant disadvantage when addressing threats at their root.

Since compromises are measured in minutes, response teams need to be able to go from detection of a potential indicator of attack to root cause analysis in nearly the same amount of time if the negative effects of the breach are to be mitigated. To achieve that level of speed, a business needs the right data and the ability to analyse and prioritise it quickly and efficiently.

After an incident has been discovered, new risks emerge. Unscheduled downtime of systems and people can cost the business heavily, and staff dedicated to re-imaging machines are pulled away from other critical IT activities. This is a consequence of the dated separation between IT operations and security: it draws more groups than necessary into time-intensive work on the endpoints targeted in an attack.

Questions to ask

  1.  What would you say is your average response time to a security incident (from point of detection to point of resolution)?
  2.  In a typical month, how many machines are re-imaged as a result of a security incident?
  3.  How confident are you that your security team can easily search for relevant information about infected endpoints during an investigation?

With these questions in mind, when evaluating next-generation antivirus (NGAV), enterprises should ensure that the platform:

  • Provides contextual analysis based on a complete data set of endpoint events, removing time-intensive forensic work and fast-tracking root cause analysis.
  • Contains native capabilities to quarantine infected machines and address their issues remotely.
  • Supports intuitive search functions that help responders find the right information quickly and effectively.

The most effective NGAVs should give administrators the fastest way to investigate and remediate attacks in progress, eliminating uncertainty and reducing downtime. They should provide fast and precise investigations to reduce exposure, real-time remediation of any endpoint from a central console, and a way for end users to return to work quickly without calling IT.

A favoured NGAV must enable responders to establish a secure remote shell into any system to gather information, perform memory dumps, or run scripts for full remediation in minutes, whether or not the system is on the corporate network.

It should also allow a business to search by key-value categories with auto-populated search suggestions, making it straightforward to run more advanced and specific searches and quickly find the information staff are seeking.