Keeping up with incident response

A fire department in a large city certainly has a difficult job, but its mission is fairly straightforward. When a fire is detected, the fire department dispatches an appropriately sized staff to assess, contain and put out the fire, clean up, investigate what happened, and prepare themselves for the next blaze.

Yup, it’s a pretty simple process when a manageable number of fires are burning. But what would happen if there were hundreds or thousands of simultaneous infernos?

My guess is that a senior fire chief (and perhaps other participants from local government and law enforcement) would have to make decisions on which blazes to resource and which to ignore. These decisions would certainly be based upon information analysis and best practices, but there is still some risk that the disregarded fires would end up being far worse than expected, turn into disasters, and call into question the judgement of all involved.

+ Also on Network World: Reviewing incident response plans for data risk preparedness +

This example a useful analogy for incident response at large organizations. On any given day, enterprises face a cacophony of security alerts that need further investigation, but they tend to lack the skills and resources to look into each one.

Recent ESG research illustrates the scope of this problem: 42 percent of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) claim that they ignore a “significant number of security alerts” because they can’t keep up with the volume, while another 32 percent say that they ignore “a marginal number of security alerts” for the same reason.

Just how many alerts are we talking about? Well nearly one-third (31 percent) of organizations forced to ignore security alerts claim they ignore 50 percent or more security alerts because they can’t keep up with the overall volume. Yikes!

Like the firefighting scenario described above, human beings must reach decisions on which alerts to pursue and investigate and which to ignore. Oh, and even those alerts that are deemed worth looking into must be prioritized based on objective data, an escalation process, and the instincts of the IR team. Sometimes they get it right, and sometimes they don’t. The 2013 data breach at Target is an example of where IR professionals ignored several security alerts, rolled the dice, and lost.

What can be done to improve this situation? Well, we can’t hire our way out of it due to the global cybersecurity skills shortage. Given this, allow me to provide a few suggestions:

• Make sure your organizations have a formal and documented IR plan. This NIST Computer Security Incident Response Guide can provide a good example of best practices.
• Ensure that cybersecurity and IT staff have the proper training for IR. The SANS institute offers good incident response training courses, for example.
• Find and fix the process bottlenecks. Assess every task associated with IR, and figure out where things slow down. Is it data collection? Analysis? Decision making? The handoff from security to IT? Fixing these issues will likely span beyond the cybersecurity team to IT and business management, so get CIOs, HR heads, legal and the CEO involved.   
• Investigate the IR capabilities of your SIEM platform. Several SIEMs, including IBM QRadar (i.e. Resilient Systems), LogRhythm and Splunk, offer functionality for IR. This can help streamline processes, as these capabilities are tightly integrated with SIEM features for incident data gathering and analysis.
• Evaluate incident response platforms for IR automation and orchestration. ISVs such as Hexadite, Phantom and ServiceNow offer products and services to help automate and orchestrate IR. Automation and orchestration can be applied in several areas:
  • To accelerate data collection for investigations
  • To orchestrate IR workflow, especially between security and IT operations personnel
  • To automate remediation actions such as launching vulnerability scans or generating a rule for blocking suspicious IP addresses, URLs and domains
• Follow the progress with machine learning algorithms. While immature today, analytics tools based upon structured and unstructured machine learning hold great potential to filter through security alert noise for root cause analysis. Large organizations should keep their eyes on developments in this area.
• Get cyber insurance. Transfer some of the risk of making mistakes through cyber insurance policies.
• Outsource the whole enchilada. If you can’t keep up, don’t fake it. Find a third-party such as Cylance, Crowdstrike, FireEye, RSA, SecureWorks or Symantec who can. 

The goals here: Increase the number of alerts for investigation, improve decision making and prioritization, increase IR process efficiency, and decrease risk. Simple objectives? Yes, but difficult tasks. Nevertheless, IR is a mission-critical activity, thus IR improvement should be a priority for all CISOs.