However, having the ability to investigate and respond to incidents can have a profound impact on security effectiveness. Not only can an investigation help show that the damage from an attack has been blunted, but it can also be used to discover whether attackers are likely still present on the network, to identify their motive (is this an opportunistic attack, or are they targeting something specific?), and to help fight future attacks.
"An investigation can uncover if attackers have exfiltrated data, such as having cracked administrator user password hashes, or if they have access to your network through some type of remote access service," Horne says. "If you don't investigate, you could be dealing with an incident where you've lost millions of credit card numbers and not know it."
Few would argue that such knowledge isn't powerful. So why hasn't incident response done better, or been taken more seriously at more organizations?
"Incident response is challenging. There are organizations out there that work on it. Part of the problem is that incident response involves many parts of the company, not just IT security," says David Mortman, a contributing analyst at IT research firm Securosis and former CISO at a major software provider. The additional roles that should be involved in incident response can include business executives, telecommunications managers, and physical security managers, as well as other parts of IT such as database administrators and application teams. Collectively, these groups get little practice at responding to security events as part of their day-to-day duties.
To make certain those groups become familiar with each other and with how to properly respond to security breaches, Mortman says he would often run tabletop incident response drills. "We'd perform a live drill where we'd scenario servers being taken offline, or other scenarios. During these drills we'd learn where communications and expectations could break down during real events," he says. "It's absolutely critical to practice these incidents because anything that falls out of the expected range of daily events tends to throw people for a loop."
Shackleford agrees. "People tend to stink at response. It's because, in a large way, they don't practice. They don't know what to do. That's the thing many people can't get their arms around. If you have a dedicated response effort, you actually have to consistently dedicate time to it so that you have a workable plan. And you practice that plan. And when something happens, you know what to do, and people are trained, and you'll have the tools in place to respond properly," he says.
Sounds elemental, and it is. "If you can't detect and respond, your IT security efforts certainly aren't world class," says Mark Lobel, a principal at PwC. "It raises the question: are companies ready for the current game? The game has long been prevent, detect, and respond. But I think the game has evolved to detect, contain, and repeat," says Lobel.
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.