In the early 1900s, Henry Ford was intent on making the Model T an affordable car for the masses. To do so he had to figure out a way to vastly improve the company’s manufacturing efficiency in order to lower consumer prices. Ford solved this problem by adopting a modern manufacturing assembly line based upon four principles: interchangeable parts, continuous flow, division of labor, and reducing wasted efforts.
While incident response is a bit different from automobile manufacturing, I believe that CISOs should assess their IR processes and take Ford’s 4 principles to heart. Here’s how I translate each one for IR purposes:
- Interchangeable parts. In Ford’s world, interchangeable parts meant that components like steering wheels and bumpers could be used to assemble all types of cars and thus keep the line moving. In IR, interchangeable parts means that all detection tools should be based on published APIs so that each one can interoperate with all others. It also means embracing standards like STIX and TAXII for threat intelligence exchange so data can be easily consumed or shared. Finally, interchangeable IR parts calls for the creation and adoption of cybersecurity middleware that acts as a higher-level abstraction layer for policy management/enforcement. I blogged about this concept after seeing an interesting presentation by Swisscom at Splunk.conf 15. In effect, this middleware layer could make all underlying security enforcement points interchangeable and systematic.
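To make the interchangeable-parts idea concrete, here is an added example (my own illustration for this post, not code from any vendor, standards body or project mentioned above). It consumes a STIX 2.1 indicator bundle with nothing but the Python standard library and normalizes the indicator patterns into flat IOC records that any enforcement point (firewall, DNS sinkhole, EDR) could ingest, regardless of which tool produced the bundle. The bundle and all values in it are constructed sample data using RFC 5737 and RFC 2606 documentation ranges; the object-path-to-type mapping is an assumption about what downstream tools want, not part of the STIX specification.

```python
"""Consume a STIX 2.1 indicator bundle and normalise its patterns into
tool-agnostic IOC records that any enforcement point could ingest.

Added example for this post, not the author's or any vendor's code.
Standard library only; the bundle below is a constructed sample.
"""
import json
import re

# Constructed STIX 2.1 bundle (sample data, not a real feed).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2016-02-01T00:00:00.000Z",
            "modified": "2016-02-01T00:00:00.000Z",
            "name": "Suspected command-and-control address (constructed)",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "valid_from": "2016-02-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2016-02-01T00:00:00.000Z",
            "modified": "2016-02-01T00:00:00.000Z",
            "name": "Phishing domain and payload hash (constructed)",
            "pattern_type": "stix",
            "pattern": ("[domain-name:value = 'Login.Example.NET' OR "
                        "file:hashes.'SHA-256' = '" + "A" * 64 + "']"),
            "valid_from": "2016-02-01T00:00:00Z",
        },
        {
            # Non-indicator objects ride along in a bundle and are skipped.
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--00000000-0000-4000-8000-000000000004",
            "created": "2016-02-01T00:00:00.000Z",
            "modified": "2016-02-01T00:00:00.000Z",
            "name": "Example sharing partner (constructed)",
            "identity_class": "organization",
        },
    ],
})

# One comparison inside a STIX pattern: <object-path> = '<value>'.
# Object paths may contain quoted keys such as hashes.'SHA-256'.
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")

# Assumed mapping from STIX object paths to the flat IOC types that
# downstream blocklist importers understand (not defined by STIX itself).
_IOC_TYPES = {
    "ipv4-addr:value": "ipv4",
    "ipv6-addr:value": "ipv6",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.MD5": "md5",
}

# Types whose values are case-insensitive and can be normalised to lowercase.
_CASE_INSENSITIVE = {"domain", "sha256", "md5"}


def extract_iocs(bundle_json):
    """Return a list of {type, value, source, name} dicts from a STIX bundle.

    Only 'indicator' objects carrying a STIX pattern are used. Object paths
    not in _IOC_TYPES are reported with type 'unknown' rather than dropped,
    so an operator can see what the feed contained that the tools ignore.
    """
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    iocs = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # e.g. snort/yara patterns need their own handler
        for path, value in _COMPARISON.findall(obj.get("pattern", "")):
            ioc_type = _IOC_TYPES.get(path, "unknown")
            if ioc_type in _CASE_INSENSITIVE:
                value = value.lower()
            iocs.append({"type": ioc_type, "value": value,
                         "source": obj["id"], "name": obj.get("name", "")})
    return iocs


def render_blocklist(iocs, ioc_type):
    """Flatten IOCs of one type to sorted, newline-separated values, the
    shape a firewall, DNS sinkhole or EDR import expects."""
    return "\n".join(sorted({i["value"] for i in iocs if i["type"] == ioc_type}))


if __name__ == "__main__":
    records = extract_iocs(SAMPLE_BUNDLE)
    for r in records:
        print(f"{r['type']:8} {r['value']}  <- {r['source']}")
    print("--- domain blocklist ---")
    print(render_blocklist(records, "domain"))
```

The point is the seam, not the parser: every enforcement tool consumes the same flat records, so swapping a firewall or EDR vendor means changing one `render_blocklist` call rather than rewriting how intelligence is ingested. Unknown object paths are kept and flagged instead of silently discarded, which is what you want when a sharing partner starts emitting a new indicator type.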
- Continuous flow. Enterprise IR processes are fraught with starts and stops, especially when they require close collaboration between security analysts and IT operations teams. Sometimes there are priority issues between these groups like when the security team insists on the immediate installation of an emergency patch but IT operations pushes back because the patch only applies to non-critical systems. Sometimes the problems are technical such as a lack of integration between IR and ticketing systems. CISOs must assess IR processes, identify disruptive process bottlenecks, and eliminate them as quickly as possible.
- Division of labor. IR processes are often informal and highly dependent upon individual security analysts employing their own tools and methodologies. Yup, this can get the job done but it doesn’t scale across an entire organization or keep up with today’s volume of security alerts. Furthermore, IR processes can walk out the door when folk hero “hunters” leave the company for high-paying gigs at a Wall Street bank. To avoid this issue, CISOs need IR processes to be based upon industry standards like those in NIST 800-61 with appropriate division of labor between junior technicians, senior incident responders, hunters, and IT operations. Workflows and runbooks should also be documented so that junior analysts have a process template and can triage events without the need for immediate escalation. Oh, and IR processes should extend beyond cybersecurity and IT to also include groups like HR, PR, IR, legal, and executive management.
- Reducing wasted efforts. This is really a product of 3 & 4 above. It’s also important to constantly document what works and what doesn’t so security analysts have a blueprint for the best course of action for each type of incident. Workflows should be continuously reviewed and modified to eliminate time-consuming distractions. This is especially important during any IR handoff from cybersecurity to IT operations teams. Once again, it’s about identifying and eliminating the bottlenecks.
CISOs interested in applying Ford’s 4 principles to IR should investigate a few IR software vendors like CyberSponse, FirstHour, Hexadite, Invotas (FireEye), Phantom Cyber, Resilient Systems, and ServiceNow to see if they can help. SIEM vendors like IBM (QRadar), LogRhythm, and Splunk also have some of these capabilities.
As for me, I’ll keep looking for everyday process improvement analogues and continue to research IR activities at the upcoming RSA Security Conference. More soon.