According to Gartner, 99% of vulnerabilities exploited have been known for at least one year. Even worse, if attackers successfully penetrate an organization, it takes the IT teams on average 10 weeks to contain the incident. This leads to huge reputational and financial damage for many organizations.
So why does this happen? Think about the enormity of what an IT team faces today, with on average 4,000 cyber-attacks a day. Many of these attacks target the endpoint, as endpoints are the weakest link and are, in effect, employees, introducing human vulnerability into the equation. And this challenging equation includes the morphing perimeter: endpoints used in many locations, on many devices, outside the corporate network.
This environment, which is only becoming more challenging, requires investigation to determine the severity of each incident and its impact on the organization. Once investigated, prioritized incidents need to be passed to the IT Operations team for remediation.
However, most IT Operations teams cannot respond fast enough. They have many competing priorities from the business, from security and from constant upgrades. Their outdated tools, designed for policy and process control, make them unresponsive and slow. An entirely new process is needed, with a virtual SecOps team enabled with better capabilities than the bad guys. What will it take to get to this capability? We have to acknowledge and address three big current gaps:
First, IT Security needs improved investigation capabilities, with complete and accurate data from all endpoints in real-time. They also need the organizational context to understand the business impact of each incident.
Second, they need to be able to remediate effectively, with IT Operations rapidly and safely making changes to all endpoints. These changes must be scalable, with no need to compromise. Importantly, these actions have to integrate with set policy and existing tools to ensure there is no negative impact on overall operations or end-user experience.
And thirdly, this needs to bridge IT Security and IT Operations so that they cooperate effectively. This gives Security the organizational context, and gives Operations the Security insights, to seamlessly investigate and remediate incidents in real-time.
This means redefining endpoint remediation. We need to up our game for not only investigation but also remediation, with these new capabilities:
The ability to Investigate in Context, so you can interactively investigate incidents at all endpoints (this should take 5 seconds or less), and this needs to scale easily across 1.5 million endpoints no matter where they are located. And you need to be able to enrich and target your investigation with organizational context to understand the impact and scope of the incident – this is critical for prioritization.
You must be able to Remediate all Endpoints; this means integrating role-based change management (e.g. ServiceNow) to run instructions in real-time on your endpoints. This provides the organizational context needed to remediate safely and completely without impacting the business or the end-user experience.
Organizations must learn and update with Continual Learning and Automation. The IT Ops and Security teams capture and share incident resolutions to enhance organizational learning, and build new instructions easily with integrated development tools.
This is a whole new level of efficiency, from leveraging role-based and automated execution of resolutions that is integrated with existing processes and tools (e.g. ServiceNow, SCCM).
1E Tachyon allows security and operations teams to investigate incidents in context, remediate across all endpoints, and add resolutions to the organization's shared knowledge so they can be automated in the future.
Find out more: /products/tachyon/
For much more on real-time remediation, and the difference it can make to today’s IT operations and security teams, check out this exclusive SANS-1E webinar with Andy Schmid (SVP Product, 1E) and Jake Williams (Senior Analyst, SANS).