Despite the vast improvements organizations have made to their security systems, today's cybercriminals still manage to breach them. One factor, according to a 2014 Ponemon research report, is that incident response (IR) accounts for only a slim fraction of many respondents' security investment.
As part one of this Future State piece illustrates, complex modern-day attacks can only be successfully stopped with humans at the reins. In part two, security expert Bruce Schneier, CTO of security startup Co3 Systems, who spoke at the recent MassTLC Security Conference in Boston, details how organizations should instill the concept of real-time decision-making cycles in their incident response teams.
The future of incident response
"As defenders, we still have to defend," Schneier said, and in incident response, a field from which humans can't be removed, simply automating doesn't work.
Instead, organizations must engineer their IR processes so that the humans in them are at their most effective. The way to tackle this, said Schneier, is through feedback loops based on OODA (observe, orient, decide, act), an attack-and-defense decision cycle developed by the U.S. Air Force that has since been applied to military planning, corporate contract negotiations, incident response and other processes.
In the case of fighter jets attacking each other, Schneier explained, pilots who go through the OODA loop more rapidly have an enormous advantage because they can observe and react to events more quickly as they unfold, thus "getting inside the opponent's OODA loop."
Organizations would do well to look at incident response processes and tools through the same lens, Schneier said. Here's how he advised organizations to approach each phase of the loop:
Observation: Monitor, in real time, what's occurring in your network. "You think of threat monitoring, intrusion detection systems, log monitoring, log management, network data, performance data, any kind of health tools, dashboards to help you see it better, understand it in context and look for anomalies," Schneier said. These tools allow organizations to rapidly observe attacks and how they progress.
Orientation: Once security data is collected, look at it in the context of the organization and the greater community. This involves an internal and external threat intelligence view in which threats such as malware and attack vectors are made known within your organization as well as to industry peers, to prevent future attacks. Often, however, this information is not shared, internally or externally. The Ponemon study of IT professionals found that 54% of incident investigations do not result in measures to help protect the organization against the same threats in the future, and 45% of respondents said they don't share threat feeds with peers or receive them from peers.
Decision: While there aren't many tools available that help with decision making, Schneier said, it's important that organizations establish who makes decisions, from which parties they receive input, and how they enact those decisions. Asking these questions is particularly important for organizations at risk of damaging their reputation in the event of the material loss of customer data.
"I think of a lot of these big credit card thefts. The biggest costs are not tech costs -- they're legal costs and PR costs, the back end," Schneier said. Unfortunately, only 23% of respondents to Ponemon's survey indicated they have a well-defined PR and analyst relations plan in place.
Schneier advised companies to establish an IR decision-making process that documents and audits these decisions.
Action: Traditional incident response measures must be turned on their head. "We're used to permissions-based security: We give people permissions to do their job. Permissions don't work in incident response because you never know what [team members] are going to need to do," he said. In addition, IR teams need the autonomy to pull infected systems off the network quickly, and complicated access requirements significantly delay that.
Schneier advised companies to give IR leaders broad access powers and audit these access rights on the back end to ensure they aren't abused.
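The access model Schneier describes in the Action phase, as an added example that is not code from the article or from Co3 Systems: a permission check that denies anything outside a user's normal rights, grants members of the IR roster broad access while a declared incident is open, and hash-chains every decision into an audit log that a reviewer can check on the back end for out-of-scope actions and tampering. The class, the roster, the hosts and the incident identifier are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    declared_by: str
    scope_hosts: set        # hosts the IR lead declared affected when opening the incident
    opened_at: datetime
    expires_at: datetime    # break-glass access lapses here unless the incident is re-declared


@dataclass
class AuditEntry:
    seq: int
    when: str
    user: str
    action: str
    host: str
    mode: str               # "normal" (explicit permission) or "break-glass" (incident grant)
    incident_id: Optional[str]
    allowed: bool
    prev_hash: str          # hash of the previous entry, so an edited or removed entry is detectable
    entry_hash: str = ""


class BreakGlassAccess:
    """Hypothetical access model: explicit permissions in normal operation, a broad
    time-limited grant for the IR roster during a declared incident, and an
    append-only hash-chained audit log that is reviewed after the fact."""

    def __init__(self, permissions, ir_roster):
        self.permissions = permissions      # {user: {(action, host), ...}}
        self.ir_roster = set(ir_roster)
        self.incidents = {}                 # incident_id -> Incident
        self.log = []

    def open_incident(self, incident_id, declared_by, scope_hosts, now, ttl=timedelta(hours=4)):
        if declared_by not in self.ir_roster:
            raise PermissionError(f"{declared_by} is not on the IR roster")
        self.incidents[incident_id] = Incident(incident_id, declared_by, set(scope_hosts), now, now + ttl)

    def authorize(self, user, action, host, now, incident_id=None):
        """Return True if the action may proceed; every decision is logged either way."""
        mode = "normal"
        allowed = (action, host) in self.permissions.get(user, set())
        if not allowed and incident_id is not None and user in self.ir_roster:
            inc = self.incidents.get(incident_id)
            if inc is not None and inc.opened_at <= now < inc.expires_at:
                mode, allowed = "break-glass", True   # no scope check here: act first, review later
        self._record(user, action, host, mode, incident_id if mode == "break-glass" else None, allowed, now)
        return allowed

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, user, action, host, mode, incident_id, allowed, now):
        prev = self.log[-1].entry_hash if self.log else "0" * 64
        entry = AuditEntry(len(self.log), now.isoformat(), user, action, host, mode, incident_id, allowed, prev)
        entry.entry_hash = self._hash(entry)
        self.log.append(entry)

    def review(self):
        """Back-end audit: verify the chain and flag break-glass use outside the declared scope."""
        findings, prev = [], "0" * 64
        for e in self.log:
            if e.prev_hash != prev or e.entry_hash != self._hash(e):
                findings.append(f"#{e.seq}: audit chain broken (entry altered or removed)")
            prev = e.entry_hash
            if e.mode == "break-glass":
                scope = self.incidents[e.incident_id].scope_hosts
                if e.host not in scope:
                    findings.append(f"#{e.seq}: {e.user} used {e.incident_id} on {e.host}, outside declared scope {sorted(scope)}")
        return findings


def demo():
    """Walk through the normal, break-glass, out-of-scope, expired and tampered cases (constructed data)."""
    t0 = datetime(2014, 11, 1, 9, 0, tzinfo=timezone.utc)
    acl = BreakGlassAccess(permissions={"alice": {("read-logs", "web-01")}}, ir_roster=["alice", "bob"])
    r = {}
    r["normal_isolate"] = acl.authorize("alice", "isolate", "web-01", t0)          # not among her permissions
    acl.open_incident("INC-42", "bob", ["web-01"], t0 + timedelta(minutes=5))      # bob declares the incident
    t1 = t0 + timedelta(minutes=10)
    r["bg_isolate"] = acl.authorize("alice", "isolate", "web-01", t1, incident_id="INC-42")
    r["bg_out_of_scope"] = acl.authorize("alice", "isolate", "db-01", t1, incident_id="INC-42")  # allowed now, flagged later
    r["bg_not_roster"] = acl.authorize("carol", "isolate", "web-01", t1, incident_id="INC-42")   # not on the roster
    r["bg_expired"] = acl.authorize("alice", "isolate", "web-01", t0 + timedelta(hours=5), incident_id="INC-42")
    r["findings"] = acl.review()
    acl.log[1].host = "db-02"                                                       # simulate an edited audit record
    r["after_tamper"] = acl.review()
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the design is where the checks sit: during the incident the only gates are roster membership and the grant's time window, so the responder isolating a box is not held up by a scope lookup, while the declared scope, the time-stamped decisions and the hash chain give the reviewer enough to spot a grant used on hosts nobody declared, or a log someone edited afterwards.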
Schneier pointed to Sept. 11th as an instance in which incident response was successful. "After 9/11, the reason recovery works so well in New York is because a lot of traditional chains of command were just thrown out the window. 'We're just going to do this, and we'll figure out what we did later.' Getting it done and getting it done fast is more important."