Data On Demand and At My Fingertips


In a world of consumerism we crave ‘on demand,’ instant gratification. Whether it’s a TV show on Netflix, a new gadget from Amazon, a ride from Uber, or pizza from our favorite restaurant, how quickly we can access what we want often dictates how highly we value the service or product. Let's be honest, waiting is hard.

The same can be said for how we use and protect data, and it’s led to a noticeable change in how security alerts and remediation are handled.

Satisfying the Pleasure Principle

According to Freudian psychology, humans are controlled by a driving force called the pleasure principle that compels us to gratify our needs, wants, and urges at a subconscious level. This force can often lead to security issues as the ‘act first and think later’ mentality kicks in; for example, driving us to click on unknown links in emails and infect our devices with malware.

That’s an area we can get into in another blog post. What I would like to focus on is the role of ‘on demand’ in cybersecurity.

Our security solutions generate alerts, often at an alarming rate, overwhelming even the most effective security teams. An oversaturation of alerts leads to delays in handling them, triggering the negative half of the pleasure principle reaction.

Thankfully, the emergence of security orchestration, automation and response (SOAR) has allowed us to better deal with alert fatigue through the implementation of playbooks that augment and streamline the workflows of security operations teams, dramatically reducing the volume of alerts and false positives while speeding up response.

Inevitably some alerts will require a deeper manual inspection and time is always of the essence.

Thanks to smartphones and other technologies, we expect everything to be ready and at our fingertips. Photo by Rodion Kutsaev on Unsplash

Right to the Endpoint

Security analysts and incident responders need on demand access to endpoints across the enterprise so they can make quick and informed decisions about the severity of the incident. Time is short and it is critically important that our endpoint detection & response (EDR) solutions provide full visibility and control across every endpoint so we can triage devices and conduct real time, enterprise-wide forensics.

Solutions like Nuix Adaptive Security provide enterprise-wide triage capabilities, but also enable us to seamlessly take the next step to a full-blown forensic investigation.

With these tools, we truly have data at our fingertips.

Assume an alert is generated by a rogue process. Our first step might be to develop an event timeline and understand the behaviors of this process. For example, what files has it written? What registry keys has it modified? What netflow is it responsible for? What sub-processes has it spawned? This can all be established at the click of a button. And the next button you might want to click will be to isolate the infected endpoint from the network, all done on demand!

In parallel we need to determine how far the incident has spread across the enterprise, but we don’t have time to scan all endpoints or forensically collect and analyze logs from multiple devices. Instead, we can search the enterprise in real time for our newly found indicators of compromise (IOCs) and automatically remediate responsive endpoints. Again, our EDR solutions must deliver this in real time and on demand.
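The triage loop described above (a timeline of the rogue process and the sub-processes it spawned, IOCs derived from that timeline, then an enterprise-wide sweep for those IOCs on other hosts), as an added Python example that is not part of the original post and not Nuix code; the telemetry records, host names and field names are constructed for illustration.

```python
"""Process timeline, IOC extraction and enterprise sweep over constructed endpoint telemetry."""
from collections import defaultdict

# Constructed sample telemetry (not real data), one dict per event; ws01 is the alerting host.
EVENTS = [
    {"host": "ws01", "ts": 100, "type": "process_start", "pid": 10, "ppid": 1, "image": "svc.exe"},
    {"host": "ws01", "ts": 101, "type": "file_write", "pid": 10, "path": r"C:\Users\Public\drop.dll", "sha256": "b" * 8},
    {"host": "ws01", "ts": 102, "type": "registry_set", "pid": 10, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"host": "ws01", "ts": 103, "type": "net_connect", "pid": 10, "dst": "203.0.113.7:443"},
    {"host": "ws01", "ts": 104, "type": "process_start", "pid": 11, "ppid": 10, "image": "cmd.exe"},
    {"host": "ws01", "ts": 105, "type": "net_connect", "pid": 11, "dst": "203.0.113.7:443"},
    {"host": "ws01", "ts": 106, "type": "file_write", "pid": 5, "path": r"C:\log.txt", "sha256": "d" * 8},
    {"host": "ws02", "ts": 200, "type": "file_write", "pid": 42, "path": r"C:\Temp\x.dll", "sha256": "b" * 8},
    {"host": "ws03", "ts": 210, "type": "net_connect", "pid": 7, "dst": "198.51.100.1:80"},
]

def process_tree(events, host, root_pid):
    """Return root_pid plus every descendant pid seen on host (the sub-processes it spawned)."""
    children = defaultdict(list)
    for e in events:
        if e["host"] == host and e["type"] == "process_start":
            children[e["ppid"]].append(e["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen

def timeline(events, host, root_pid):
    """Chronological activity of the process tree: files written, registry keys set, connections, spawns."""
    pids = process_tree(events, host, root_pid)
    return sorted((e for e in events if e["host"] == host and e["pid"] in pids), key=lambda e: e["ts"])

def extract_iocs(tl):
    """Turn a timeline into (field, value) IOCs: hashes of dropped files, destinations, registry keys."""
    fields = {"file_write": "sha256", "net_connect": "dst", "registry_set": "key"}
    return {(fields[e["type"]], e[fields[e["type"]]]) for e in tl if e["type"] in fields}

def sweep(events, iocs, triaged_host):
    """Map every other host to the IOCs it exhibits; these are the candidates for isolation and remediation."""
    hits = defaultdict(set)
    for e in events:
        if e["host"] != triaged_host:
            for field, value in iocs:
                if e.get(field) == value:
                    hits[e["host"]].add((field, value))
    return dict(hits)
```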

Finally, we might want to dig a bit deeper forensically and inspect some additional data, such as log files or network captures. This is where it’s important to have an EDR solution that can seamlessly move from triage to forensic collection and investigation. Nuix Adaptive Security can be configured to automatically deploy forensic collection templates so you can collect your favorite forensic artifacts on demand. This means all those fantastic SANS Digital Forensics and Incident Response posters can be wrapped up in enterprise-wide collection templates, giving you access to the data you need … you guessed it … on demand.

Waiting is hard, especially for humans who want by their nature to satisfy their own pleasure principles, but waiting is also damaging and costly in the world of cybersecurity. In this age of consumerism, it's important that our security solutions also deliver on demand, timely results … without compromise.

Security & Intelligence
Posted on January 8, 2019 by Stuart Clarke