The following short Q&A is excerpted from a recent podcast interview with Michael Malin, executive vice president and chief financial officer of MANDIANT, and Dave Merkel, vice president of products. Dave Merkel currently works on advanced persistent threat (APT) and incident response security research.
What measures can enterprises take to actively defend against advanced persistent threats (APTs)? What should I do after being attacked by an APT?
Dave Merkel: This is a tricky issue. First, let me talk about some ineffective practices: if your information security program is entirely rule-based, and you try to match some criteria against certain entities, you may not be able to prevent such attacks. If your security program lacks technical experts of the quality needed to manage the infrastructure and continuously improve the basic technical solutions, and if you think that by investing in prevention and investigation you never have to worry about response, then, because you are a primary attack target, you may face many problems.
We have found that the companies that are most successful in dealing with such attacks understand the level of security they actually get from their infrastructure, so they remain vigilant about the right measures afterwards. How many companies have bought an IDS and simply run it without looking at the logs or considering data analysis? Shouldn't they give some rational thought to the information the system generates and collects? This is common.
We have found that many companies have become targets of attacks. In the defense industry, we have seen a great deal of APT activity. This is understandable. Let's look at how these organizations work: they exchange information with each other, they actively participate in discussions of threats, and they are actively looking for new sources of intelligence. They keep watch over their infrastructure and realize that only by doing so can they completely stop attacks. This mentality is essential if you are to succeed in managing this, because you cannot perfectly defend against threats from these attacking organizations, which is similar to the situation you face with other risks. What these companies are doing is a good thing.
Mike Malin: I think one thing we do is handle incident response, whether or not we are dealing with an APT. If an APT attack has already happened, we recommend some common measures: do not panic, observe, and take action to determine victory. This means asking: through these monitoring measures, what do you really want? Is it scanning at the micro level of the enterprise, or do you really need to examine the entire enterprise and understand the real situation of what you are trying to do? The last thing I want to talk about is returning to the most basic principle: you need to spend a lot of energy to have a strong set of security solutions. What we see now is that you had better have security response capability, because you are likely to be attacked.
- Develop and implement network security incident response plans
- Discussion of incident response mechanisms: merging SIM and IAM systems