Thursday, January 09, 2014

Moving beyond incident identification

I made a few IT security predictions for 2014 late last year, but I want to highlight item number 3 as it has become particularly relevant:
"Security departments will shift their focus from incident identification to incident reaction and management"
We're only a week into 2014 and the two highest-profile IT security stories so far are related to incident reaction and management (a.k.a. response).

While the acquisition of Mandiant by FireEye technically completed in 2013, it was only announced in 2014. To quote the New York Times article:
"Mandiant is best known for sending in emergency teams to root out attackers who have implanted software into corporate computer systems."
The other piece of news was that Bruce Schneier has joined Co3 systems. In his own post on the matter, he states:
"...there have been many products and services that focus on detection, and it's a huge part of the information security industry. Now, it's time for response."
The true value in security monitoring, and by association Security Information and Event Management (SIEM), lies in moving beyond incident identification/detection. SIEM technologies have become much better over the past few years at using data analysis techniques to translate raw data and events into useful information that security departments can understand and hopefully act on.

Unfortunately, few organisations have the resources available to react to incidents adequately and in a timely manner, let alone attempt to manage them. Incident identification/detection without the ability to respond is akin to having an alarm on your house go off that only your neighbours can hear. Even if they are around, how many actually care enough to do something about it?

The best alarms don't make any noise, but lock the house down so that no one can leave while simultaneously sending an alert to have a professional incident response team dispatched to the premises to deal with the threat while the incident is in progress. Of course, it would have been better if they hadn't been able to enter in the first place, but we'll leave access management discussions for another day. Security departments need to work on the presumption that bad guys will get in somehow.

While the latter option sounds more like a military operation, it's how organisations need to be thinking about security incidents in 2014. At the very least, security departments need to have properly thought out, documented incident reaction and management procedures that anyone can follow with minimal training. While not every incident response person can be the IT security equivalent of a Navy SEAL, at least have a security guard on staff and augment them with external assistance by using tools or service providers.
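To make the "alarm that locks the house down" concrete, here is an added example (written for this page, not code from the original post or from any vendor mentioned in it) of detection wired directly to a documented response playbook. A small detector flags a brute-force pattern in constructed sshd log lines, and instead of stopping at the alert, the same run walks an ordered playbook: block the source, and if the attacker actually got in, isolate the host and disable the account, then page the on-call and open a ticket. The log lines, host and account names, IP addresses and action names are all constructed for illustration; the default executor only records each step so the example runs offline, and a real deployment would swap in firewall, EDR and ticketing API calls.

```python
"""Detection wired to a response playbook (added example, not from the original post).

Assumptions: constructed sshd-style log lines, hypothetical action names,
and a dry-run executor that records steps instead of touching infrastructure.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log lines (not real data): one brute-force run against
# web01 that ends in a successful login, plus a benign user typo.
SAMPLE_LOG = """\
Jan 09 08:01:11 web01 sshd[2201]: Failed password for svc_backup from 203.0.113.7 port 51000 ssh2
Jan 09 08:01:14 web01 sshd[2202]: Failed password for svc_backup from 203.0.113.7 port 51001 ssh2
Jan 09 08:01:17 web01 sshd[2203]: Failed password for svc_backup from 203.0.113.7 port 51002 ssh2
Jan 09 08:01:20 web01 sshd[2204]: Failed password for svc_backup from 203.0.113.7 port 51003 ssh2
Jan 09 08:01:23 web01 sshd[2205]: Failed password for svc_backup from 203.0.113.7 port 51004 ssh2
Jan 09 08:01:26 web01 sshd[2206]: Failed password for svc_backup from 203.0.113.7 port 51005 ssh2
Jan 09 08:01:40 web01 sshd[2209]: Accepted password for svc_backup from 203.0.113.7 port 51010 ssh2
Jan 09 08:02:00 web01 sshd[2210]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Jan 09 08:02:05 web01 sshd[2211]: Accepted password for alice from 198.51.100.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


@dataclass
class Incident:
    source_ip: str
    target_host: str
    user: str
    failures: int
    succeeded: bool                      # True if a login succeeded after the failures
    actions: list = field(default_factory=list)   # playbook steps taken, in order


def detect(lines, threshold=5):
    """Identification: flag a source IP with >= threshold failures on one host,
    and note whether the same source then logged in successfully."""
    state = {}  # (ip, host) -> dict(failures, succeeded, user)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        key = (m["ip"], m["host"])
        s = state.setdefault(key, {"failures": 0, "succeeded": False, "user": m["user"]})
        s["user"] = m["user"]
        if m["result"] == "Failed":
            s["failures"] += 1
        elif s["failures"] >= threshold:
            s["succeeded"] = True  # success only counts once the failure pattern is established
    return [
        Incident(ip, host, s["user"], s["failures"], s["succeeded"])
        for (ip, host), s in state.items()
        if s["failures"] >= threshold
    ]


def dry_run_executor(action, target):
    """Records a step instead of performing it; replace with real API calls."""
    return f"{action} {target}"


# The documented procedure: (step name, when it applies, what it targets).
# Ordered so the first steps contain the attacker before anyone is paged.
PLAYBOOK = [
    ("block_ip", lambda i: True, lambda i: i.source_ip),
    ("isolate_host", lambda i: i.succeeded, lambda i: i.target_host),
    ("disable_account", lambda i: i.succeeded, lambda i: i.user),
    ("notify_oncall", lambda i: True, lambda i: f"{i.target_host}/{i.source_ip}"),
    ("open_ticket", lambda i: True, lambda i: i.target_host),
]


def respond(incident, executor=dry_run_executor):
    """Reaction and management: run every applicable playbook step and record it."""
    for step, applies, target_of in PLAYBOOK:
        if applies(incident):
            incident.actions.append(executor(step, target_of(incident)))
    return incident


def run(lines, threshold=5, executor=dry_run_executor):
    """Detection and response as one pipeline: every flagged incident gets the playbook."""
    return [respond(i, executor) for i in detect(lines, threshold)]


if __name__ == "__main__":
    for inc in run(SAMPLE_LOG.splitlines()):
        print(inc)
```

The point of the playbook structure is that the response steps are data, not tribal knowledge: the ordered list is the documented procedure, each step states when it applies, and the recorded actions are the audit trail for the post-incident review. The conditional steps also matter: a failed brute force warrants only a block and a ticket, while a success escalates to isolation and account lockout without anyone having to decide that under pressure.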

As I said in my predictions article:
"The focus when dealing with threats up to this point has been on the identification of them. Vendors spend large sums of money expounding the wonders of their tool’s collection and analytical abilities. It has become a game of “my feature is better than your feature” and “my analytics are better than your analytics”. Ultimately, it is pointless identifying a threat when there is no path forward to manage the incident, deploy the appropriate responses and counter the threat through remediation."
