Immediate is Too Late: Modern Incident Response Begins Well Before the Incident

June 10, 2024

When security teams uncover a breach, time is of the essence. Incident response teams spring into action to gather as much information as they can about the breach, map out precisely what was compromised and how it happened, and work with security leadership to close the attack vector that was exploited.

Or at least they used to. Highly automated attacks can exploit a vulnerability and move on within minutes of gaining a foothold, while detection still lags by months. Mandiant's M-Trends report put the median dwell time for 2011, the time an adversary spent inside a network before being discovered, at 416 days; more than a decade later, IBM's Cost of a Data Breach report still measured the mean time to identify and contain a breach at 277 days in both 2022 and 2023. The two reports measure slightly different things, but they tell the same story: attackers work in minutes and defenders in months. In the intervening period, attacker sophistication has grown and most stages of an intrusion have been automated, rendering a purely reactive SIEM workflow obsolete. Yesterday's recipe for success is tomorrow's guarantee of failure.

The best organizations are not only responsive but thoroughly prepared in advance. Heightened real-time awareness of identities, accounts, access, entitlements and privilege gives a SIEM a chance to understand what just happened. But the critical information for incident response comes from being able to see and understand the history of those identity elements: who held which access and privilege at the moment of the incident, not just who holds it now. A comprehensive record of that history can flag every account that had the access or privilege needed to do the deed, including accounts whose privilege was granted or revoked since.
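The difference between a current-state snapshot and a history matters in practice. The following is an added illustration, not Hydden's code or data model: it records constructed entitlement grant/revoke events for a hypothetical `db:admin` privilege and answers two questions, "who holds it now" and "who held it at any point during the incident window". The account names, privilege string and timestamps are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed sample: entitlement change events as an identity collector might
# record them. Principals, privilege name and times are illustrative only.
@dataclass(frozen=True)
class EntitlementEvent:
    ts: datetime
    principal: str   # human or machine account
    privilege: str   # e.g. "db:admin" on a production database (hypothetical)
    action: str      # "grant" or "revoke"


T0 = datetime(2024, 6, 1, 0, 0)
EVENTS = [
    EntitlementEvent(T0, "alice", "db:admin", "grant"),
    EntitlementEvent(T0, "svc-backup", "db:admin", "grant"),
    EntitlementEvent(T0 + timedelta(days=2), "bob", "db:admin", "grant"),
    # Service account cleaned up an hour after the incident window closes:
    # a current-state snapshot taken later will never show it.
    EntitlementEvent(T0 + timedelta(days=3, hours=1), "svc-backup", "db:admin", "revoke"),
    EntitlementEvent(T0 + timedelta(days=5), "carol", "db:admin", "grant"),
]

INCIDENT_START = T0 + timedelta(days=3)
INCIDENT_END = INCIDENT_START + timedelta(minutes=30)
NOW = T0 + timedelta(days=7)


def intervals(events, privilege):
    """Turn grant/revoke events into [start, end) holding intervals per principal.

    An end of None means the grant is still open (privilege still held).
    Duplicate grants are ignored; a revoke without a matching grant is ignored.
    """
    open_since = {}
    held = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.privilege != privilege:
            continue
        if ev.action == "grant":
            open_since.setdefault(ev.principal, ev.ts)
        elif ev.action == "revoke" and ev.principal in open_since:
            held.setdefault(ev.principal, []).append((open_since.pop(ev.principal), ev.ts))
    for principal, start in open_since.items():
        held.setdefault(principal, []).append((start, None))
    return held


def holders_at(events, privilege, at):
    """Snapshot answer: principals holding the privilege at instant `at`."""
    return {
        p for p, ivs in intervals(events, privilege).items()
        if any(s <= at and (e is None or at < e) for s, e in ivs)
    }


def holders_during(events, privilege, start, end):
    """History answer: principals whose holding interval overlaps [start, end)."""
    return {
        p for p, ivs in intervals(events, privilege).items()
        if any(s < end and (e is None or e > start) for s, e in ivs)
    }


def current_holders():
    return holders_at(EVENTS, "db:admin", NOW)


def suspects():
    return holders_during(EVENTS, "db:admin", INCIDENT_START, INCIDENT_END)


def missed_by_snapshot():
    """Accounts the incident responder needs but a current-state view would miss."""
    return suspects() - current_holders()


if __name__ == "__main__":
    print("holds db:admin now:      ", sorted(current_holders()))
    print("held db:admin in window: ", sorted(suspects()))
    print("missed by a snapshot:    ", sorted(missed_by_snapshot()))
```

Run against the constructed events, the snapshot taken on day 7 names alice, bob and carol, while the window query names alice, bob and svc-backup. The revoked service account is exactly the kind of lead a responder needs and a snapshot cannot supply, and carol, who was granted access only after the window, is correctly excluded from the suspect list.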

The problem for most organizations is that very few have the situational awareness to see and understand their current identity security posture, and even fewer can rapidly sift through the mountain of historical data needed to guide an incident response. SIEM solutions play a valuable role in IAM by providing visibility into user activity and access controls, but organizations may need to complement them with dedicated identity security posture management (ISPM) and identity threat detection and response (ITDR) solutions to address identity-specific requirements such as granular access control, identity hygiene management, and full visibility of human and machine accounts. Properly integrating the SIEM with IAM platforms lets organizations take a comprehensive approach to identity and access management while leveraging the strengths of both types of solution.

Hydden is at the forefront of this wave. We’ve spoken elsewhere about Hydden’s industry-leading ability to capture and track identity and access data and to enable organizations to practice true identity security posture management (ISPM). That very same data, comprehensive and detailed, pairs with our lightning-fast and highly flexible data query capability to give SecOps teams the critical information they need within seconds.

No one has ever suggested security is easy, but identity is especially complex terrain: it requires merging data from multiple disparate systems and blending it with highly dynamic contextual information about an individual’s (or system’s) current need for access. Any system that characterizes such a complex environment needs to be architected for tremendous flexibility, yet it must also have little to no impact on the systems it is monitoring. This is no easy task, and it is why Hydden stands out.

Automation on the attacker’s side demands heightened awareness and well-organized data on the defender’s side. As automation becomes more pervasive for attackers and defenders alike and timelines compress, incident response will depend even more on thoughtful preparation and management, especially in identity.