Leveraging Starburst Galaxy for security incident response
Keavy Murphy
Senior Director of Security
Starburst
A robust incident response program is a key component of a business’ cybersecurity and risk management strategy. The speed of investigation is of paramount importance — delays can lead to regulatory fines, reputational harm and costly system damage.
Data analytics is an effective tool in incident investigation and triaging. Read on to see how Starburst Galaxy can be utilized as a building block in your organization’s incident response program.
Query sharing with Starburst Gravity
The rapid resolution of a security incident is critical to the livelihood of your business. Time is of the essence when evaluating a potential security incident or breach, and data analytics can play a crucial role in effective response and remediation.
During a confirmed incident, collaboration with stakeholders is necessary to ensure speedy mitigation, and Galaxy provides the option of query sharing. The “share a query” tab makes it easy to run investigations in tandem with other security analysts, so that data is analyzed simultaneously and without delay. This feature increases the investigative power available to you following a high-pressure security event.
In addition, the Starburst Gravity feature offers the opportunity for streamlined sharing. When Gravity is leveraged, data investigations happen quickly, and sharing critical data with relevant stakeholders is easy. Use Gravity to increase collaboration between the security team and other incident response stakeholders.
Gravity is a universal discovery, governance, and sharing layer in Starburst Galaxy that enables the management of all data assets connected to Galaxy.
Incident post-mortem assessment with data visualization
A key part of any effective incident response program is the incident post-mortem assessment and lessons learned exercise. It is often during this time that relevant metrics and reports are prepared for executive leadership and for the board.
Sifting through extensive data and query history is not constructive for the C-suite, so it is critical to keep the data as simple and straightforward as possible for the executive audience. After an incident, Galaxy gives you the opportunity to create a data visualization storyboard and build comprehensive dashboards for executive stakeholders and the board.
Eliminate worry about compute resources with Autoscaling
During a high-pressure incident, security professionals do not have the bandwidth to worry about compute resources. Fortunately, Galaxy lets you enable cluster autoscaling, which means that your compute resources scale up automatically to meet the ongoing demands of your queries. Unlike AWS Athena, the Galaxy platform allows you to scale up and down as needed to ensure a smoother incident response process. This lets security professionals stay focused on the task at hand: expeditious incident investigation.
Eliminate fail rates with Fault-Tolerant Execution
Responding quickly to ongoing or active threats can be one of the most high-pressure situations a security team will face in an organization. In order to conduct sufficient analysis on data, the security team may need to execute long-running queries.
When utilizing Galaxy, fault-tolerant execution is an option, which means that query completion is ensured. Unlike with AWS Athena, Galaxy customers know that the data analytics they are performing are reliable and will not be interrupted during a high-pressure incident.
Identify actionable incident alerts with Data Products
The need to protect critical assets and maintain the security of services means that a robust and mature incident response program is needed. A business with a solid security posture knows that its incident response plan should exist before a security event or data breach occurs. The security department at your business should include the use of Galaxy for data analytics as part of its incident response program. Galaxy makes the investigation process easier via the Data Products function.
In order to ensure that timely investigations can occur without interruption, data products can be set up ahead of time as a proactive investigatory measure. If an incident does occur, high-quality data sets can then be used immediately to increase the discoverability of incident data.
Conduct a quick data assessment with Warp Speed
A delayed security response can lead to significant consequences for a business. Urgency is critical to ensure appropriate evidence collection of security events and to comply with international incident regulations.
The Warp Speed feature in Galaxy enables a quick assessment of data and also caches what has already been queried. Warp Speed is useful because it accelerates query processing performance, so data is available for fast analysis during a suspected security incident.
Tabletop exercises for data analytics during a legitimate incident or event
Security professionals know that tabletop simulations are key for proactive incident response preparation. During the annual incident response tabletop drill, the security team should make sure that the steps for a breach response include the utilization of the Galaxy product. All security team members should be trained on the Galaxy platform so they are aware of their responsibilities during a legitimate incident or security event, and understand how to use the platform should a security event arise.
During the simulation exercise, the facilitator should guide the participants through the Galaxy query process, so the security team will know how to utilize the Galaxy platform for analytics of data if a legitimate incident or event occurs.
Audit logs for regulations and insurance claims
The ability to demonstrate that investigation was immediate is important for complying with international regulations such as GDPR and for initiating cyber insurance claims.
In Galaxy, an audit log is available to convey all administrative actions performed by users within a Galaxy instance. This allows users to view the time of change and the details on a specific change. These logs can clearly demonstrate to security regulators when and where an investigation occurred, meaning a security team can evidence, if needed, that they conducted timely data analytics in line with international laws.
When incidents occur, cyber insurance is often a key control that a business uses to rebuild. Cyber insurance claims require evidence of loss and investigation. Logs can be provided if a cyber insurance policy requires evidence in order to make a claim.
The audit feature is also useful if discovery must be conducted as part of an incident litigation process. Logs can be provided to legal counsel indicating that an investigation was conducted.
Breach notifications for regulatory compliance
Some data protection laws require that businesses provide notification of data breaches or security incidents. For example, GDPR requires alerts to supervisory authorities “without undue delay”. This means that failing to meet security incident notification requirements can be quite costly for a business when a data breach occurs.
Leveraging Galaxy for data analytics allows you to investigate incidents in a timely manner (especially with the use of the Warp Speed function), and therefore to disclose information on a data breach or security incident in line with GDPR or other data privacy regulations.
Starburst Galaxy for security incident response: Minimize downtime and adhere to compliance
Security incidents can damage an organization’s reputation and cause strife among your user base. Rapid response is critical to maintain the trust of your customers, to minimize downtime, and to adhere to compliance requirements. With the use of Starburst Galaxy, data analytics can be conducted efficiently and quickly.
Having the ability to access all of your data, in modern formats and across regions, is a sound decision for any security team.