4.3 CTI Role in Incident Response Part 1
Video Transcription
00:00
Hello. Hello, everyone. Welcome to another video of the introduction to Cyber Threat Intelligence. This time we're going to start reviewing the incident response team capabilities and how cyber threat intelligence can help with its tasks.
00:16
The incident response team is one of the most demanding teams to be part of, because most of the time you have to attend to an emergency in which there might not be the necessary security controls in place, and containment becomes a really hard task to achieve.
00:32
James Douglas has a very accurate quote, and that is:
00:36
"Care shouldn't start in the emergency room."
00:39
And it can be applied perfectly to these units, since incident response is all about emergencies.
00:46
Of all security groups, incident response teams are perhaps the most highly stressed. Among the reasons for this, we can point out that cyber security incidents have increased constantly year by year. While it's difficult to be precise about the number of incidents experienced by a typical organization,
01:04
there is no doubt that cyber attack volume is growing rapidly.
01:10
According to SonicWall, the global volume of malware attacks increased by more than 18% in 2017 alone. Also, threats have become more complex and harder to analyze.
01:23
When an incident occurs, security analysts are obligated to manually check and disseminate data from different sources.
01:30
Containment of attacks and eradication has become more difficult, given the complexity of the attacks used nowadays.
01:38
As a result, incident response teams routinely operate under enormous time pressure and often are unable to contain several security cyber incidents promptly.
01:49
While some of this growing pressure is mitigated by preventive technologies, a huge additional strain is nonetheless being placed on incident response teams because of a lot of additional factors.
02:02
Incident response is not an entry-level security function. It requires analysts who have experience in the industry and can be relied upon to perform complex operations under pressure. The amount of alerts reported by security devices overwhelms security analysts just as much as the SOC team.
02:22
According to the Ponemon Cost of Malware Containment report, security teams can expect to look at almost 17,000 malware alerts in a typical week. That's more than 100 alerts per hour for a team that operates 24/7,
02:38
and those are only the alerts from malware incidents.
02:43
Also, when you have too few skilled personnel and too many alerts, there's only one outcome:
02:49
the time to resolve genuine security incidents will rise,
02:53
according to an analysis of source data from a recent Verizon Data Breach Investigations Report. While the median time to incident detection is a fairly reasonable four hours, the median time to resolution is more than four days.
03:10
Most organizations' security groups have grown organically in parallel with increases in cyber risk. As a result, they have added security technologies and processes piecemeal without a strategic design in mind. Another important issue is that once an alert is flagged,
03:30
it must be investigated, remediated and followed up as quickly as possible to minimize cyber risk.
03:38
A typical incident response process will flow this way.
03:43
First, incident detection: receiving an alert from a SIEM, EDR or similar product.
03:49
Second, discovery:
03:51
determine what's happened and how to respond.
03:54
Third, triage and containment:
03:58
take immediate actions to mitigate the threat and minimize the damage.
04:02
Fourth, remediation: repair damage and remove infections,
04:08
and fifth,
04:09
push to business as usual.
04:11
It means getting past the incident
04:14
in order to go back to our normal operations.
04:17
Notice how reactive this process is
04:21
for most organizations. Nearly all the work necessary to remediate an incident is backloaded, meaning it cannot be completed until after an alert is flagged. Although this is inevitable to some degree, it is far from ideal when incident response teams are already struggling to resolve
04:41
incidents quickly enough.
04:45
So
04:46
to reduce response times, incident response teams must become less reactive.
04:51
Two areas where advanced preparation can be especially helpful are identification of probable threats and prioritization.
05:00
If an incident response team can identify the most commonly faced threats in advance, they can develop strong, consistent processes to cope with them.
05:11
This preparation dramatically reduces the time the team takes to contain individual incidents, prevents mistakes, and frees up analysts to cope with new and unexpected threats when they arise.
05:24
Also, not all threats are equal.
05:29
If incident response teams can understand which threat vectors pose the greatest level of risk to the organization, they can allocate their time and resources accordingly.
05:41
It should be clear from our discussion so far that security technologies by themselves cannot do enough to reduce pressure on human analysts. Cyber threat intelligence can minimize the pressure on incident response teams and address many of the issues we have been reviewing, like automatically
05:59
identifying and dismissing false positive alerts,
06:01
enriching alerts with real-time context from across the open and dark web,
06:08
assembling and comparing information from internal and external data sources to identify genuine threats,
06:14
and scoring threats according to the organization's specific needs and infrastructure.
06:20
In other words, cyber threat intelligence provides incident response teams with exactly the actionable insights they need to make faster, better decisions, while holding back the tide of irrelevant and unreliable alerts that typically make their jobs so difficult.
06:36
So today we covered what problems the incident response team has to face, similar to what the SOC team deals with when talking about alerts, and a little bit of how the cyber threat intelligence unit is supposed to help remediate these problems.
06:54
There are two key processes the cyber threat intelligence unit aids to get done for the incident response team: identification of probable threats and prioritization of threats. In the next part, we will review a use case scenario to specifically state
07:10
which are the cyber threat intelligence tasks when an incident is given. Also, we will be covering which are the essential characteristics that cyber threat intelligence provides to the information given to the incident response team.
07:24
It was a pleasure to have you here. Now let's head to our next video. See you there.