Incident Response: More Art than Science

08-19-15_IS_Blog_ImageFive to ten years ago, the cybersecurity industry was mainly focused on incident prevention with tools like endpoint antivirus software, firewalls, IDS/IPS and web threat gateways. This perspective changed around 2010, driven by the Google Aurora and the subsequent obsession on advanced persistent threats (APTs). 

These and other events convinced the cybersecurity community that hackers could easily circumvent standard prevention-centric security controls, so much better tools were required for incident detection on endpoints and the network.

Over the last year or so, the cybersecurity winds have shifted once again. With the onslaught of new detection engines, CISOs need ways to collect, process, analyze and react to volumes of incident detection data in a timely fashion so they can actually respond to incidents. Why the change? Incident response (IR) is where technology meets humanity as it depends upon the instincts, experience, skills and methodologies of really smart people. These individuals – and the processes they create – are the essential ingredients for discovering and addressing cyber-attacks efficiently and effectively at each and every organization.

So incident response is built upon a foundation of brainy intuitive people and their own quirky processes. Unfortunately, this makes incident response more art than science and lots of organizations just can’t find the IR equivalents of Monet, Picasso and Rembrandt. This shortfall can lead to lots of IR problems. According to ESG research for example:

  • 29% of enterprise organizations report an incident response weakness associated with performing forensic investigations to determine the root cause of a problem.
  • 28% of enterprise organizations report an incident response weakness associated with performing retrospective investigations (i.e. historical investigations) and remediation to determine the scope and sources of an outbreak.
  • 27% of enterprise organizations report an incident response weakness associated with analyzing threat intelligence to detect and respond to security incidents.
  • 26% of enterprise organizations report an incident response weakness associated with determining which assets (if any) remain vulnerable to future attacks.

Recognizing the array of incident response weaknesses, the cybersecurity industry is now responding to this growing opportunity. There have been a few acquisitions in this area, like FireEye’s purchase of Mandiant and Proofpoint’s grab of NetCitadel. Burgeoning IR requirements are also creating the integrated cybersecurity orchestration platform (ICOP) market with products from the likes of CSG Invotas, Phantom Cyber and Resilient Systems. Finally, firms like IBM, RSA and Symantec are elbowing their way into the lucrative IR services market dominated by Mandiant.

All in all, everyone seems anxious to address IR deficiencies but we are just scratching the surface. In my humble opinion, the cybersecurity community needs a much broader collective IR effort in areas such as:

  1. IR best practices: Since IR is anchored by people, organizations seems to have their own nuanced set of processes, analytics, and automated responses. Okay, but this “every man for himself” philosophy isn’t really helpful for the community at large. I’d like to see a public/private research project (i.e. NIST, DHS, cybersecurity vendors, etc.) to really study and uncover what works best, how organizations mature their IR practices over time, and all types of insightful lessons learned.
  2. IR education: Universities and colleges are jumping on cybersecurity bandwagon but most offer extremely general degrees that include things like basic networking, access controls and cryptography. What’s needed here are much more specific programs for incident responders. Symantec’s cybersecurity simulation and recent acquisition of Blackfin Security are a step in the right direction. I’d also like to see more public sector participation from experts in the armed forces, intelligence services, national labs, etc.
  3. Cyber-intelligence development: Today’s threat intelligence concentrates on things like indicators of compromise (IoCs), malware, and threat actors. Yup, lots of data on what the bad guys do but almost nothing on how the good guys should respond. We need to a common and standard syntax so cybersecurity professionals can readily communicate with trusted peers on which IR tactics work and which ones don’t.
  4. IR best practices services: There are professional services firms that can help an organization build a SOC and MSSPs who will take over the whole enchilada. What’s missing is a middle ground – services firms who help organizations develop skills, get more value out of cybersecurity technologies, and create formal (and measureable) IR processes.

Lots of people paint but only few produce masterpieces. As long as IR remains more art than science, we can expect a handful of experts and an abundance of amateurs. It will take a cooperative effort from the cybersecurity village to bridge this gap. 

Decision Analytics Report

Topics: Cybersecurity