Since InsightIDR was first designed, there has been a noteworthy consistency: it collects data from your legacy networking infrastructure, the mobile devices accessing your resources, and your cloud infrastructure. This is because we believe that you need to monitor users wherever they have access to the network to accurately detect misuse and abuse of company resources, be they malicious or negligent in origin. This doesn't mean tiptoeing around employee privacy, but it does mean that you have to assume that a productive workforce is going to continually adopt new technology.
Monitor the established
No monitoring or detection solution can help your organization contain attacks if it isn't flexible enough to collect data from your organization's more traditional infrastructure. This means processing syslog, but it also means creative methods of collecting data from Microsoft applications that don't support syslog output, and it means creating both low-bandwidth dissolving agents and continuous agents to collect data from the many endpoints that attackers and malware target.
It is not about collecting all of the data, but rather collecting all of the relevant data. While your organization has likely virtualized a great deal of its server infrastructure, it is probably not approaching a point where servers and endpoints have been abandoned, so effective detection needs to monitor them appropriately. Once InsightIDR is set up to do this (in a few hours), much of the value comes from attributing all activity back to the actual users responsible and using that attribution to separate the normal from the anomalous.
Monitor the disruptive
We have almost reached a time when it feels strange to label BYOD and cloud as "disruptive", but there are a great many organizations that are still coming to terms with the tremendous value they inevitably bring. There are a lot of point solutions out there that help you monitor one or the other in isolation, and for good reason: attackers are looking for any way into your network. Whether it is by leveraging WordPress to launch malware, cloning a user's mobile device to gain access, or exfiltrating stolen data to Dropbox, attackers have embraced disruptive technologies, so effective detection needs to do the same.
Each vendor is different, but as customers of enterprise cloud applications, we need to demand administrative tools like auditing, at a minimum. As an employee, I don't want to go back to a time when I had to put down my mobile phone and get on the VPN from a PC to securely share a file with a coworker. Given my experience in the security market, I am guessing that a great deal of your workforce feels the same, minus the "securely" qualifier. InsightIDR was built to monitor activity on connected mobile devices and in your organization's cloud applications. Every major cloud solution vendor has recognized the need for its customers to monitor their cloud infrastructure just as they would their internal servers and devices.
Combine for the full picture
Point user behavior analytics solutions that monitor your legacy infrastructure, your mobile devices, or your cloud applications bring value, but they also bring more work. We believe that you need to monitor and correlate activity across all of them if you want to reduce the noise and effectively detect today's attacks. Collecting data in separate silos leads to more alerts and longer investigations to close them. Start with something as simple as recognizing where in the world a user is. VPN data can tell you this, and some solutions tout the ability to detect a user with simultaneous VPN sessions from two points on the globe, but isn't that an edge case? If you know where a user was when connecting to Office 365 and where their mobile device was recently connecting, you can detect a problem the moment the first VPN session is established from the other side of the globe, a session that a VPN-only view would have nothing to compare against. Expand this model to scenarios other than geolocation and you can detect incidents faster and apply enough context to quickly understand what caused them, which significantly shortens your response times.
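The geolocation scenario above, worked through as an added example (this is illustrative code written for this page, not InsightIDR's own detection logic). It normalizes login observations from three hypothetical sources (labelled "vpn", "o365" and "mobile"), sorts each user's observations by time regardless of source, and flags any consecutive pair that would require travelling faster than an assumed 900 km/h ceiling. The sample events are constructed; the coordinates are approximate city centres. The `vpn_only` function shows what a single silo sees: each user has only one VPN session, so there is nothing to compare and nothing is flagged, while the correlated view catches the Singapore session immediately.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Hypothetical normalized event: one login or session record from any source.
@dataclass(frozen=True)
class Event:
    user: str
    source: str       # "vpn", "o365" or "mobile" (labels are assumptions)
    ts: datetime      # UTC timestamp of the observation
    lat: float
    lon: float

@dataclass(frozen=True)
class Finding:
    user: str
    earlier: Event
    later: Event
    distance_km: float
    required_kmh: float

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling: faster than an airliner means one person cannot have
# produced both observations.
MAX_PLAUSIBLE_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive observations of one user, taken from any source,
    that would require travelling faster than max_kmh."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for earlier, later in zip(evs, evs[1:]):
            dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            hours = (later.ts - earlier.ts).total_seconds() / 3600.0
            if hours > 0:
                required = dist / hours
            else:
                # Identical timestamps: any distance at all is impossible.
                required = float("inf") if dist > 0 else 0.0
            if required > max_kmh:
                findings.append(Finding(user, earlier, later, dist, required))
    return findings

def vpn_only(events):
    """What a VPN-only silo sees: one VPN session per user is never flagged."""
    return find_impossible_travel([e for e in events if e.source == "vpn"])

# Constructed sample data, not real telemetry.
BOSTON = (42.36, -71.06)
SINGAPORE = (1.35, 103.82)
LONDON = (51.51, -0.13)
PARIS = (48.86, 2.35)

SAMPLE_EVENTS = [
    Event("alice", "mobile", datetime(2016, 3, 1, 9, 0), *BOSTON),
    Event("alice", "o365", datetime(2016, 3, 1, 9, 30), *BOSTON),
    Event("alice", "vpn", datetime(2016, 3, 1, 10, 0), *SINGAPORE),  # first VPN session
    Event("bob", "vpn", datetime(2016, 3, 1, 9, 0), *BOSTON),
    Event("bob", "o365", datetime(2016, 3, 1, 12, 0), *BOSTON),
    Event("carol", "o365", datetime(2016, 3, 1, 8, 0), *LONDON),
    Event("carol", "vpn", datetime(2016, 3, 1, 10, 0), *PARIS),  # plausible train trip
]

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{f.user}: {f.earlier.source} -> {f.later.source}, "
              f"{f.distance_km:.0f} km in {f.later.ts - f.earlier.ts} "
              f"needs {f.required_kmh:.0f} km/h")
    print("VPN-only view flags:", len(vpn_only(SAMPLE_EVENTS)))
```

Carol's London-to-Paris pair stays below the ceiling and is not flagged, which is the point of comparing required speed rather than raw distance: the same correlation that catches alice does not generate noise for ordinary travel.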
If you work in a modern organization and want to effectively detect incidents across its resources, please contact us to schedule an InsightIDR demo. I think you'll find it very flexible.