Incident Response: More Art than Science

Cybersecurity industry needs to establish best practices and open secure channels for incident response communications.

Five to ten years ago, the cybersecurity industry was mainly focused on incident prevention with tools like endpoint antivirus software, firewalls, IDS/IPS, and web threat gateways. This perspective changed around 2010, driven by the Google Aurora attack and the subsequent obsession with advanced persistent threats (APTs).

These and other events convinced the cybersecurity community that hackers could easily circumvent standard prevention-centric security controls, so we needed much better tools for incident detection on endpoints and the network.

Over the last year or so, the cybersecurity winds have shifted once again. With the onslaught of new detection engines, CISOs need ways to collect, process, analyze, and react to volumes of incident detection data in a timely fashion so they can actually respond to incidents. Why the change? Incident response (IR) is where technology meets humanity as it depends upon the instincts, experience, skills, and methodologies of really smart people. These individuals, and the processes they create, are the essential ingredients for discovering and addressing cyber-attacks efficiently and effectively – at each and every organization.

So incident response is built upon a foundation of brainy, intuitive people and their own quirky processes. Unfortunately, this makes incident response more art than science, and lots of organizations just can’t find the IR equivalents of Monet, Picasso, and Rembrandt. This shortfall can lead to lots of IR problems. According to ESG research, for example (note: I am an ESG employee):

  • 29% of enterprise organizations report an incident response weakness associated with performing forensic investigations to determine the root cause of a problem.
  • 28% of enterprise organizations report an incident response weakness associated with performing retrospective investigations (i.e. historical investigations) and remediation to determine the scope and sources of an outbreak.
  • 27% of enterprise organizations report an incident response weakness associated with analyzing threat intelligence to detect and respond to security incidents.
  • 26% of enterprise organizations report an incident response weakness associated with determining which assets (if any) remain vulnerable to future attacks.

Recognizing the array of incident response weaknesses, the cybersecurity industry is now responding to this growing opportunity. There have been a few acquisitions in this area, like FireEye’s purchase of Mandiant and Proofpoint’s grab of NetCitadel. Burgeoning IR requirements are also creating the integrated cybersecurity orchestration platform (ICOP) market, with products from the likes of CSG Invotas, Phantom Cyber, and Resilient Systems. Finally, firms like IBM, RSA, and Symantec are elbowing their way into the lucrative IR services market dominated by Mandiant.

All in all, everyone seems anxious to address IR deficiencies, but we are just scratching the surface. In my humble opinion, the cybersecurity community needs a much broader collective IR effort in areas such as:

  1. IR best practices. Since IR is anchored by people, organizations seem to have their own nuanced set of processes, analytics, and automated responses. Okay, but this “every man for himself” philosophy isn’t really helpful for the community at large. I’d like to see a public/private research project (i.e. NIST, DHS, cybersecurity vendors, etc.) to really study and uncover what works best, how organizations mature their IR practices over time, and all types of insightful lessons learned.
  2. IR education. Universities and colleges are jumping on the cybersecurity bandwagon, but most offer extremely general degrees that include things like basic networking, access controls, and cryptography. What’s needed here are much more specific programs for incident responders. Symantec’s cybersecurity simulation and recent acquisition of Blackfin Security are a step in the right direction. I’d also like to see more public sector participation from experts in the armed forces, intelligence services, national labs, etc.
  3. Cyber-intelligence development. Today’s threat intelligence concentrates on things like indicators of compromise (IoCs), malware, and threat actors. Yup, lots of data on what the bad guys do but almost nothing on how the good guys should respond. We need a common, standard syntax so cybersecurity professionals can readily communicate with trusted peers on which IR tactics work and which ones don’t.
  4. IR best practices services. There are professional services firms who can help an organization build a SOC and MSSPs who will take over the whole enchilada. What’s missing is a middle ground: services firms who help organizations develop skills, get more value out of cybersecurity technologies, and create formal (and measurable) IR processes.

Lots of people paint, but only a few produce masterpieces. As long as IR remains more art than science, we can expect a handful of experts and an abundance of amateurs. It will take a cooperative effort from the cybersecurity village to bridge this gap.

Copyright © 2015 IDG Communications, Inc.