As hackers invade corporate systems despite vulnerability assessments, end-user education and other defensive security measures, the need to invest in incident response teams has become painfully evident.
Today's threat landscape
"We know that security is a combination of protection, detection and response," Bruce Schneier, CTO at security startup Co3 Systems, said during last week's MassTLC Security Conference in Boston. "I think we need incident response more than ever because we've lost control of our computing environment. There are areas where we cannot implement protection and detection systems."
Schneier said advanced attacks such as nonmonetary "hacktivist" attacks, advanced persistent threats (APTs) and intellectual property theft hinder incident response (IR) measures, as do the inability to identify who is behind an attack, attackers' access to the same toolset as defenders, and the speed at which attacks occur.
The need to increase IR measures is being felt by IT professionals, but not backed by their companies. In a 2014 study by the Ponemon Institute of 674 IT professionals in the U.S. and U.K., 68% said the best way their organizations can mitigate future attacks is to improve their incident response activities, followed closely by threat intelligence (62%). These responses trumped preventive measures such as patch management and vulnerability audits.
Only 34% of these respondents said their companies have increased IR funding, however, and 50% said incident response accounted for only 10% of their overall information security budget.
This gap between cyberattack realities and underinvestment is not going to change anytime soon, according to Schneier. "We traditionally underinvest in security in all aspects," he said, and at many organizations, the traditional view of security as solely a product persists today. "Security is a product and a process," he said. "That's a very tactical statement: Day to day, security is a combination of people, process and technology."
Ponemon posited another explanation for the disparity. Its research report suggested that many companies are failing to invest more in incident response because they see IR as reactive and would rather invest their limited security budgets in proactive measures.
Humans in the security loop
Although people, process and technology are considerations in most sound IT strategies, conventional wisdom today, Schneier said, is that good security doesn't revolve around human involvement.
"Not only do people not help -- they actively hurt. The best security removes people, doesn't involve people, will do better when we get rid of people," he said.
Schneier pointed to processes such as automatic updates and antivirus programs, which function reliably and make sound security decisions without human intervention.
"These things work precisely because you don't know they're working, precisely because you don't have to make a decision. Automatic update is way better than a manual update because it actually happens," he said. "Getting people out of the loop helps."
But automation doesn't work for incident response: sophisticated attacks such as APTs can only be intercepted with humans at the helm.
Rather than remove people from the loop, security systems should be re-engineered to support the people already in the loop to increase their chances of success. As Ponemon's report put it, "Although supercomputers can be programmed to play chess, when faced with a strategic, targeted attack on your computer network, you're going to want a human playing for your side."
In part two of this story, Schneier advises organizations to look to a real-time decision cycle developed by the U.S. Air Force to enhance their incident response processes for the future.
Watch SearchSecurity's video interview with Schneier to find out more about incident response management. Then, see why RSA 2014 speakers stress the importance of prepping partners on incident response.