Enabling Agility to Accelerate Incident Response

In the previous article discussed the importance of end-to-end network visibility in protecting valuable enterprise data, and how the combination of network metadata and full packet data provides definitive evidence of network activity. To leverage this data effectively, however, it is crucial to make it available to the tools and teams throughout the enterprise for examining and resolving issues more quickly and accurately. Which brings us to the topic of this article: agility.

Enabling Agility to Accelerate Incident Response
Enabling Agility to Accelerate Incident Response

Agility, as it relates to cyberdefense and performance management, can mean two things: 1) faster, more efficient investigation of, and response to, threats/issues (“agile incident response”); and 2) rapid installation and deployment of new solutions to address these threats and issues (“agile deployment”).

Agile Incident Response

Research published last year revealed that SecOps, NetOps, and DevOps teams are buried in alerts, each of which typically requires a resource-intensive investigation and resolution process involving multiple personnel. Sadly, the norm is that there simply isn’t sufficient time to triage, prioritize and investigate all the alerts.

In addition, many of the tools SecOps and NetOps teams use don’t integrate well with each other, so beleaguered teams must switch from tool-to-tool ( “swivel chair integration”) to determine actual network activity – resulting in time delays, stress, and organizational risk.

Integrating network metadata and full packet information into security and performance monitoring tools, so analysts and teams can pivot directly to the related packets, can dramatically simplify and accelerate investigations, reducing the alert backlog and analyst fatigue. The end result is streamlined investigation workflows, more efficient and productive teams, richer contextual information for dealing with threats and – crucially – faster, more accurate incident response.

Agile Deployment

The same research report cited above found that 90% of respondents reported the process of acquiring and deploying security, network or application performance platforms is challenging. It’s a fact: selecting and deploying new security and performance monitoring tools can take months to years when an organization must consider budget, evaluation, selection, purchase, installation and integration. It’s a slow process.

Further compounding the acquisition problem is that once purchased, these security and performance monitoring solutions are expected to last their full depreciation cycle – even though security threats and network standards frequently change and evolve. The end result is organizations are often stuck with solutions that are no longer fit-for-purpose, requiring a “rip-and-replace” to meet new threats or resolve performance issues.

The lack of ability to quickly evolve systems to meet new threats or address new requirements is hampering organizations’ ability to protect and manage their networks effectively. Attackers, on the other hand, aren’t constrained by the same CAPEX and budget issues – often using the victim’s own infrastructure to host their attacks – enabling them to be extremely agile in staging their attacks.

To counter this, organizations need more agile deployment. One solution is to adopt a standardized, open hardware platform as the foundation for security and performance monitoring: a platform that can provide full packet capture, metadata indexing, and deep storage, allow standard RESTful API connections to existing toolsets and enable virtualized hosting of the network security and performance analytics applications that best suit the organization’s environment.

Adopting a standardized platform ensures a good foundation (accurate, time-stamped, quickly searchable data), the RESTful API ensures existing workflows are maintained and minimizes training, and virtualizing monitoring and analytics solutions enables the speed and flexibility to deploy required solutions on-demand.

The standard, open platform approach allows for maximum agility and has the potential to deliver the same benefits enterprise datacenters have realized through virtualization: rapid deployment, massive flexibility, operational efficiencies, and huge cost savings.

By John Attala, Vice President of Worldwide Sales, Endace