Why rapid attack containment and a short remediation cycle matter
When a new threat gets in the environment, a security incident could unfold very quickly. Detecting the compromise and taking control of the infected endpoint fast is not only critical to preventing the spread of the threat, it is also vital to shrinking the remediation cycle time and cost.
Lessons learned from the ‘Andromeda Strain’
It only takes a single unknown threat getting a foothold in your network for a damaging incident to cause immeasurable harm to the business. Next thing you know, you’re living Michael Crichton’s “Andromeda Strain,” battling a contagious virus you don’t fully understand. And, like Crichton’s protagonists, you know that the longer you allow the threat to run wild, the more havoc it will wreak.
A little fun fact: when Crichton unleashed his fictional extraterrestrial virus bent on destroying Earth in the “The Andromeda Strain” 50 years ago, the best-seller launched his blockbuster career. The deadly outbreak in the novel started when a military satellite introduced the virus from space, leading scientists on a hair-raising quest to contain it. Andromeda killed nearly instantly. If it didn’t, it wouldn’t be worth a movie and a series years later, after all.
Destroying the mutating Andromeda microbe was a matter of life or death. Containing a rogue endpoint? Maybe not. But with every hour or day, an infection that roams inside your network is driving up your remediation costs. As the attack’s footprint grows, so does the potential of escalation to a full-blown data breach.
‘Time to remediation’ the new name of the game
The days when mean time to detection (MTTD) was a top cybersecurity KPI have gone the way of legacy AV. Certainly, fast detection is imperative. But that’s not your inflection point. Especially if you’re finding yourself in an Andromeda-type scenario where you have no idea what you’re dealing with.
The containment phase is where you can start taking control from the bad guys and limiting the damage — and avoiding a long, expensive remediation cycle.
In our annual CISO benchmark survey, the number of respondents using MTTD as a metric has decreased from 61% in 2018 to 51% in 2019. For 48% of CISOs, mean time to remediate (MTTR) is the top indicator of cybersecurity posture, compared to 30% in 2018. This shift in focus to rapid incident response and mitigation indicates a strategic change, but a SANS incident response report suggests that it’s also a struggling point. Although 53% of the SANS respondents said they detected incidents within 24 hours, it took the majority (61%) two or more days to remediate.
Turning the table with Cisco AMP for Endpoints
The majority of security incidents, as well as data breaches, involve either malware or an evolved form like ransomware. SANS found that for 37% of organizations, containment takes at least two to seven days. How much mayhem can malware cause in that window? Think WannaCry.
With Cisco AMP for Endpoints, you can rapidly contain the attack by isolating an infected endpoint, so you can stop the threat from spreading. Drastically reducing the footprint of the attack, you can accelerate incident investigation and response, while shrinking remediation costs. Here’s how it works:
- From the endpoint connector, isolate an infected endpoint through the cloud console.
- The endpoint is removed from the network while maintaining communication with the cloud console — you have complete control of the host and the logging and forensic data.
- Automatically trigger endpoint isolation through automation APIs.
- Quickly reactivate the host once you return it to a clean state.
Dealing with the ‘comeback kid’
Threat actors, sadly, don’t take a hint. Like way too many movies and TV shows from the ‘90s, they keep coming back.
Your job is to successfully contain and clean up an infection. The attacker’s “job” is to keep trying. In fact, in the SANS survey, 26% of respondents said they’ve been breached by the same actor more than once.
The challenge is two-fold. On one side is the increased threat complexity. On the other, according to an ESG Research survey, is the heterogenous nature of the defense tools and the manual processes. The survey found that 76% of security pros felt that threat detection and response is more difficult now than two years ago, primarily due to the volume and sophistication of the threats. Almost half agreed or strongly agreed that the process and tooling around detecting and responding to threats are limited, with 64% identifying manual processes as the challenge; and 66% struggled because of the multiple independent point tools.
A few highlights of how Cisco AMP for Endpoints can address these challenges:
- Delivers prevention, detection and response capabilities in one solution.
- Helps you respond to incidents in hours instead of days or months.
- Enables you to proactively hunt for the riskiest 1% of threats.
- With retrospective security, it blocks threats as soon as they begin to act maliciously, even if they seemed benign when they entered the endpoint.
- You only have to spot a threat once — with our shared intelligence and integrated security architecture, it is blocked anywhere else across the environment.