
You’ve Got 99 Problems and Structured Incident Response Ain't 1

Matt Reid
October 25, 2017

Organizations have undoubtedly invested in a myriad of detection and protection tools over the last decade, but are they reducing risk with all these tinker toys?

It depends; some are checking the box for soft auditing, while others are working hard building terrific programs to protect the business in today’s threat landscape. From my perspective, as one of the folks who gets mobilized to mature tools and notice which business processes they protect, I see things getting better. But there’s another side of the problem we’re not talking about enough.

The good guys have it bad

Several times each year, cybersecurity vendors and companies issue threat digests and reports. Symantec and Verizon led the way for years, but now many companies are offering their perspectives on what’s happening on the ground. Between the reports, the deluge of data, and the shifting and evolving tactics, how can anyone tell if it’s getting better or worse?

Unfortunately, we are living in an “assume compromise” world. It’s completely unfair that it is much cheaper and simpler to be the bad guy, compared to the good guy. Anyone can buy an attack kit on the dark web and unleash it with little actual hacking experience, but the defender has to invest serious budget in different controls just to be a company with employees and customers in this highly connected world.

Is it just the one data breach, or ...

If you are Fortune 500 or larger, there shouldn’t be an excuse for a “legitimate breach,” nor for a series of them against a single organization. For years now, we have understood these cyberheists to be like the animal kingdom, where the alpha predator takes down the weaker animal and feasts on the sweetest meats. Then the opportunistic, lesser predators work in between, doing their thing. The same occurs in the cybercriminal community. The alpha predator may have been successful with major exfiltration, so they tip off others to come feast and perhaps throw down some ransomware for a smaller grab. Or ransomware could have been out in front as the first step, the distraction that accomplishes the exfiltration of a bazillion records. Whether or not the victim organization even knows, or plays by the rules and discloses it legally, companies large and small are being eaten alive. In these times we should accept compromises, but we mustn’t accept a terabyte of personally identifiable information walking out the door.

Weaponize what you already own

Companies own 80 percent or more of the tools and technology they need for external threat defense and internal threat offense, but the signal-to-noise ratio is way out of whack. Unused features, false positives, lack of integration, and broken business processes all make this an overwhelming tidal wave, difficult for analysts to sort through and challenging to prioritize. Few understand the business context and interconnectivity of all enterprise assets, which are often separated by organizational or IT silos that inhibit collaboration.

Despite all our tools and technology, when a priority incident occurs, or a critical vulnerability is identified, we are resolving and remediating at people speed. And while we are mired in this collaborative complexity, going from console to console, from a spreadsheet to a Word doc, from email to a phone call, we are losing time. The critical time to detect indicators of compromise and potentially stop an attacker is much earlier in the kill chain. This is “unstructured response,” and fixing it is just as important as the investment made in protection and detection.

Respond with purpose

A SIEM gives an analyst an alert. If this is an asset that runs crucial business applications or processes, the first responder needs to know that right out of the gate. Seeing all dependencies and factors related to the item, including known vulnerabilities or other open incidents, makes it possible to work with others already engaged. Once IT and Security teams can work from one system based on a solid CMDB, we can pull the pertinent data into that system, where incidents are routed and automatically assigned to the right people and teams. From there, predefined workflows can ensure that a framework like the NIST CSF is followed. The analyst could then take the SIEM conviction and search for other indicators of compromise. If the incident pertains to loss of PII, legal, HR and even law enforcement contacts should be available, so all bases are covered. Sounds great, right? The harsh reality is that few companies have this level of operational maturity today, but many are mobilized to address it.
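As an added example that is not part of the original post, the Python sketch below shows the enrichment and routing step the paragraph describes: a SIEM alert is joined to a CMDB record for business criticality, dependencies, known vulnerabilities and open incidents, then assigned to the owning team, with legal, HR and law-enforcement contacts attached when PII is in play. Asset names, team names, ticket ids, and the CMDB field names are all constructed assumptions, not any product's schema.

```python
# Added example (not from the original post): enrich a SIEM alert with CMDB
# context and route it. All records and identifiers below are constructed.
from dataclasses import dataclass, field

# Constructed CMDB: asset -> business context. The field names are assumptions.
CMDB = {
    "db-prod-07": {"criticality": "high", "owner_team": "Data Platform",
                   "data_classes": {"PII"}, "depends_on": ["san-prod-02"]},
    "kiosk-lobby-2": {"criticality": "low", "owner_team": "Facilities IT",
                      "data_classes": set(), "depends_on": []},
}
# Constructed scanner findings and open tickets (placeholder identifiers).
OPEN_VULNS = {"db-prod-07": ["VULN-PLACEHOLDER-1"]}
OPEN_INCIDENTS = {"db-prod-07": ["INC-0001"]}
SEVERITY_RANK = {"high": 1, "medium": 2, "low": 3}   # P1 is most urgent

@dataclass
class EnrichedAlert:
    asset: str
    rule: str
    priority: str
    assignee: str
    notify: list = field(default_factory=list)
    dependencies: list = field(default_factory=list)
    known_vulns: list = field(default_factory=list)
    related_incidents: list = field(default_factory=list)

def enrich_and_route(alert: dict) -> EnrichedAlert:
    """Attach business context to a raw SIEM alert and decide who handles it."""
    asset, ctx = alert["asset"], CMDB.get(alert["asset"])
    if ctx is None:
        # An asset the CMDB does not know is itself a gap: send it to asset
        # management so the record gets created, and keep the SOC informed.
        return EnrichedAlert(asset, alert["rule"], "P2", "Asset Management", ["SOC"])
    rank = SEVERITY_RANK[alert["severity"]]
    if ctx["criticality"] == "high":
        rank = max(1, rank - 1)          # crucial asset: escalate one level
    notify = ["SOC"]
    if "PII" in ctx["data_classes"] and alert["category"] == "data_exfiltration":
        # Possible PII loss: legal, HR and law-enforcement contacts go on the ticket
        notify += ["Legal", "HR", "Law Enforcement Liaison"]
    return EnrichedAlert(asset, alert["rule"], f"P{rank}", ctx["owner_team"],
                         notify, ctx["depends_on"], OPEN_VULNS.get(asset, []),
                         OPEN_INCIDENTS.get(asset, []))

if __name__ == "__main__":
    # Constructed SIEM alert: the same rule lands very differently per asset.
    for host in ("db-prod-07", "kiosk-lobby-2", "unknown-host"):
        print(enrich_and_route({"asset": host, "rule": "Large outbound transfer",
                                "severity": "medium", "category": "data_exfiltration"}))
```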

Robots gotta eat, too

Organizations are desperate for the essential functionality to better facilitate in-house incident response. And once an organization is closer to honoring its SLAs with an actual structured response, we can automate things. We can deliver new levels of value and efficacy by automating mundane or repeatable, time-sucking tasks that can be orchestrated with pre-defined decisions and actions. Not to worry, we’re not taking people’s jobs, but rather freeing them from the previous era’s job responsibilities, clearing the way for a more relevant role in the battleground. We’re finding that organizations want to evolve their teams to be more effective, and the people want to be valued and have a quality of work life. Let's save the humans for the hard stuff that requires complex awareness, judgment, and feelings.
