Enterprises already have the technology in place to identify malware, but recognizing a malevolent cyber-incident is only half the battle.
Responding to and evaluating the actions of malicious code are crucial next steps businesses have to take to protect their networks, and some network security vendors have begun backing their advanced malware detection offerings with cyber-security services to help their customers before and after an attack.
Regardless of whether an enterprise has the resources in place to efficiently respond to every incident or not, an extra set of eyes never hurts when it comes to a security breach, said John Pironti, president of consultancy IP Architects LLC.
Cyber-security services: Help before, during and after the fact
Sourcefire, a Columbia, Md.-based cyber-security provider, recently launched Incident Response Professional Services, aimed at assisting enterprises with diagnosing and remediating attacks using Sourcefire's malware protection technology -- like FirePOWER and FireAMP -- said Oliver Friedrichs, senior vice president of Sourcefire's cloud technology group.
Unlike other cyber-security services that help with detection and blocking, Sourcefire's vendor-agnostic incident response services will help the company's new and existing customers make more informed security decisions across the entire advanced malware lifecycle, Friedrichs said.
The service can be completed in three phases: the identification of an event, stopping an in-progress attack, and the deployment of countermeasures to prevent future occurrences. "We can roll out countermeasures to existing Sourcefire security devices in the last phase, or the new user can choose to deploy a [Sourcefire] device -- like a network intrusion prevention system or an endpoint advanced malware protection product -- at this point and we will add the countermeasures to those devices," he said. Customers deploying Sourcefire's hardware will reap the full value of the incident response service.
As a fourth step, Sourcefire offers countermeasure validation to ensure the protection measures are functioning correctly and are stopping not only the initial attack witnessed, but variations and similar incidents, as well.
Sourcefire's Incident Response Team will act as an extension of the user's security team, and expedite the incident response process, IP Architects' Pironti said.
While several vendors have the analytics expertise required to fix a system or security breach -- like Mandiant -- Sourcefire's cyber-security services combine its security data analytics capabilities with malware protection products, said Jon Oltsik, senior principal analyst for Enterprise Strategy Group.
"[Sourcefire] can understand what systems the user has in place, the behaviors of those systems, and will be able to streamline an incident investigation because they don't have to start from scratch," he said.
Cyber-security services: Not just for SMBs
Even large businesses and companies with strong security infrastructure in place -- like government agencies -- may not have strong resources in place for incident response, Oltsik said.
"Many users will know something is wrong, and they may even know they have been attacked, but they most likely won't know how to isolate the systems that are compromised, or what those systems did once they were compromised," he said. "All of that information is very important for remediation activities."
Enterprises need network security vendors to do more than discover what an attack has done and correct it. They also want protection against a similar security breach in the future, Pironti said.
Enterprises need intelligence about their own specific environment, including the knowledge to make better security-related decisions and to decide where to put resources, rather than simply having security products in place, he said.
"Time is important in anything security-related. The faster businesses can figure out how an incident has affected them, the faster they can correct the problem," Pironti said.
While a business or agency with a mature security and incident response team in place may not benefit as much as other users might, there is nothing wrong with bringing some third-party knowledge to the table as malware becomes more sophisticated.
"[Businesses] need a deeper knowledge and expertise into what is going on every day, as malware is constantly changing," Pironti said. "Not all enterprise IT security programs are able to staff to meet these needs."