A few weeks ago I had the pleasure of participating, as a guest speaker, in a webinar titled "Targeted Attack, Targeted Response: Designing and Implementing an IR Plan That Works". Joe Riggins, Senior Director of Incident Response for HBGary, moderated this Q&A format webinar. We discussed the current incident response (IR) challenges companies are facing, as well as specific steps organizations can take to design, test, and successfully implement an ongoing IR plan for their specific business environment.
In this webinar we discussed how incident response methodologies have changed in the last few years. The security landscape has changed dramatically over the last couple of years and is expected to change even more; consequently, incident response methodologies have to adapt. Examples of things that are changing the incident response landscape:
Cloud computing
Mobility & BYOD
Social media
Advanced Persistent Threats (APTs)
Cloud computing: The adoption of cloud computing is changing incident response methodologies. Everything is now sold "as-a-service", whether it is infrastructure-as-a-service, software-as-a-service, or platform-as-a-service. When you move to the cloud in a significant way, incident response is something you should start considering long before you make the move. Should cloud providers be offering incident response mechanisms? That's a possibility; however, in the cloud, incident response is all about data ownership, legal authority, and access to the affected systems, especially when some of the data resides on-site and portions reside in the cloud (on systems not controlled by you). I like a statement we made in our Annual Security Report:
A few years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network, and told not to tell anyone their password. End of security training. Today, your "millennial" employees -- the people you want to hire because of the fresh ideas and energy they can bring to your business -- show up to their first day on the job toting their own phones, tablets, and laptops, and expect to integrate them into their work life.
Executives also expect others (including security personnel) to figure out how they can use their treasured devices, anywhere and anytime they want, without putting the enterprise at risk. They want to work hard, from home or the office, using social networks and cloud applications to get the job done, while someone else builds seamless security into their interactions. Facebook and Twitter have moved beyond being social networking sites for teens and geeks and have become vital channels for communicating with groups and promoting brands. Fears around security and data loss are a leading reason why some businesses don't embrace social media, but many are adopting social media as a vital resource within the organization. Some of these risks can be mitigated through the application of technology and user controls. However, there is no doubt that criminals have used social media networks to lure victims into downloading malware and handing over login passwords. In this example, incident response moves from things you can control within your network to borderless boundaries outside of your organization.
Advanced Persistent Threats (APTs): Most threats in the past tended to be short-lived and easy to notice; however, many of today's threats are stealthier, specifically designed to spread quietly and slowly to other hosts, gathering information over extended periods of time and eventually leading to data theft and many other headaches. The sophistication of APT intrusion attempts varies and likely depends on the attacker's objectives, the tools and techniques available to them, and the anticipated ability of their target to both detect and defend against an attack.
During the webinar I was asked, "What are the three biggest challenges facing incident response teams?" That is a very hard question to answer. The following are three examples of the challenges incident response teams are facing; however, these are by no means the only challenges today:
Protecting against the unknown – zero-day vulnerabilities: Many targeted attacks use zero-day exploits and other customized malware. There is no one-size-fits-all method for detecting zero-day vulnerabilities and exploits. The two standard precautions, patch management and keeping your security products up to date, don't really apply here: if a vulnerability hasn't been publicly disclosed or the vendor hasn't yet released a patch, there is no fix, which is exactly what makes the vulnerability a prime target for attackers. Because you cannot count on a signature or a patch for something nobody has seen yet, network visibility and control is one of the most important pillars of incident response: you need to be able to see what a compromised host is doing, not just recognize known bad code.
Scalability and Agility When Responding to Incidents: Scaling the response and acting quickly have become challenging tasks for organizations of all sizes, and we find that security practitioners spend most of their time on manual processes, which relegates them to ineffectiveness. Security automation is the way out of this rut; the adoption of automation around asset, change, configuration, and vulnerability management is key.
Never-ending Complexity: The complexity of a network makes operational mistakes and security violations more likely. This applies both to the network architecture and to the methods that are in place to protect the network. From a security perspective, less complex configurations are usually preferred. The same perspective applies to the operational management of the network: very complex operational procedures are more likely to cause problems. The earlier examples of cloud computing, mobility, BYOD, and others also apply here.
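The zero-day challenge above says that when there is no patch and no signature, network visibility is what you have left, and the APT description earlier talks about threats that spread quietly and slowly over extended periods. The following is an added example (not code from the original post, nor from HBGary or Cisco) of what a visibility-based check looks like in practice: a minimal detector that flags a host talking to one destination at near-constant intervals, the "beaconing" timing of low-and-slow command-and-control that no signature for an unknown exploit will match. The flow records are constructed for illustration, and the thresholds (`min_flows`, `max_cv`) are my assumptions, not values from the post.

```python
"""
Added example: beacon detection over flow records using the regularity
of inter-arrival times. Not from the original post; records and
thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, bytes_out).
# 10.0.0.5 contacts 203.0.113.10 every 600 s with a tiny payload (beacon);
# 10.0.0.7 contacts 198.51.100.20 at irregular, human-driven times.
FLOWS = [(t, "10.0.0.5", "203.0.113.10", 512) for t in range(0, 6000, 600)] + [
    (t, "10.0.0.7", "198.51.100.20", 40_000)
    for t in (0, 35, 900, 1400, 1410, 4000, 4002, 5900)
]


def interval_stats(timestamps):
    """Return (mean_gap_s, cv) of the inter-arrival times, or None if too few.

    cv = stdev / mean of the gaps: 0.0 is perfectly periodic; interactive
    human traffic is usually well above 1.0.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(flows, min_flows=6, max_cv=0.2):
    """Group flows by (src, dst) and return the pairs whose timing is periodic.

    min_flows and max_cv are assumed tuning knobs: raising max_cv catches
    beacons with deliberate jitter at the cost of more false positives.
    """
    by_pair = defaultdict(list)
    for t, src, dst, _size in flows:
        by_pair[(src, dst)].append(t)
    hits = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_flows:
            continue
        stats = interval_stats(ts)
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            hits[pair] = {"flows": len(ts), "period_s": period, "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(FLOWS).items():
        print(f"{src} -> {dst}: {info['flows']} flows every ~{info['period_s']:.0f} s "
              f"(cv={info['cv']})")
```

In a real deployment the same logic runs over NetFlow/IPFIX, proxy, or DNS logs in a sliding window, and the hits feed the triage queue rather than an alert by themselves: periodic traffic is also what software updaters and monitoring agents produce, so the destination, payload size, and asset context decide whether a hit is an incident.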
We discussed all of these key points in detail during the webinar. At the end, I was asked to provide guidance on how to measure success for your IR team. In other words, what metrics should organizations use to measure IR success? Security metrics provide tools for IR teams to measure the effectiveness of the various components of their security program, products, or processes, and the ability of staff to address the security issues they own. Security metrics can also help identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions.
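The post does not name specific metrics, so the following is an added example (not from the original post) of how a team might compute a small set of them from its incident records: time from compromise to detection, time from detection to containment, the share of incidents the team found itself rather than being told about by an outside party, and containment-SLA breaches by severity. The incident records and the SLA targets are constructed assumptions for illustration.

```python
"""
Added example: a handful of incident-response metrics computed from
incident records. Records, field names and SLA targets are constructed
assumptions, not data from the original post.
"""
from datetime import datetime
from statistics import mean, median

# Constructed incident records (not real incidents). "compromise" is the
# best-known time of initial compromise, "detected" when the team became
# aware, "contained" when attacker access was cut off; "source" records
# whether the team found it or an outside party reported it.
INCIDENTS = [
    {"id": "IR-001", "severity": "high", "source": "internal",
     "compromise": "2024-03-01T02:00", "detected": "2024-03-01T09:30",
     "contained": "2024-03-01T15:00"},
    {"id": "IR-002", "severity": "medium", "source": "external",
     "compromise": "2024-03-03T00:00", "detected": "2024-03-10T00:00",
     "contained": "2024-03-12T12:00"},
    {"id": "IR-003", "severity": "high", "source": "internal",
     "compromise": "2024-03-05T10:00", "detected": "2024-03-05T12:00",
     "contained": "2024-03-07T12:00"},
    {"id": "IR-004", "severity": "low", "source": "internal",
     "compromise": "2024-03-08T08:00", "detected": "2024-03-08T08:30",
     "contained": "2024-03-08T10:30"},
]

# Assumed containment targets per severity, in hours (hypothetical SLA).
CONTAIN_SLA_HOURS = {"high": 24, "medium": 72, "low": 168}

TIME_FMT = "%Y-%m-%dT%H:%M"


def hours_between(start, end):
    """Elapsed hours between two timestamps in TIME_FMT."""
    delta = datetime.strptime(end, TIME_FMT) - datetime.strptime(start, TIME_FMT)
    return delta.total_seconds() / 3600


def ir_metrics(incidents, sla=CONTAIN_SLA_HOURS):
    """Compute dwell time, containment time, self-detection rate and SLA breaches."""
    dwell = [hours_between(i["compromise"], i["detected"]) for i in incidents]
    contain = [hours_between(i["detected"], i["contained"]) for i in incidents]
    breaches = [i["id"] for i, c in zip(incidents, contain) if c > sla[i["severity"]]]
    internal = sum(1 for i in incidents if i["source"] == "internal")
    return {
        "incidents": len(incidents),
        "mean_time_to_detect_h": mean(dwell),
        "mean_time_to_contain_h": mean(contain),
        "median_time_to_contain_h": median(contain),
        "internal_detection_rate": internal / len(incidents),
        "sla_breaches": breaches,
    }


if __name__ == "__main__":
    for name, value in ir_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

The point of tracking these over time rather than as a one-off is what the paragraph above describes: a falling time-to-detect says visibility is improving, a high external-detection share says you are relying on others to tell you about breaches, and the list of SLA breaches says where the corrective actions should go first. The median is reported alongside the mean because one long-running incident (IR-002 here) skews the mean badly.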