Thursday, February 24, 2011

Patterns for Successful Incident Response

What are themes and strategies that make up successful detection and response operations?  This has been a question in my head for the last several days.  This post is an attempt to generate discussion and dialog on that.  Here is my stab:

  • A genuine desire to champion a sustainable security operation.  This statement is meaningless unless it is contrasted with the stereotypical organizations that deploy security only to meet an outcome demanded by compliance, regulations, business requirements, et al.  You may do the right thing, but for the wrong reason, executing to bare minimums instead of raising the bar.
  • The expectation that prevention eventually fails.  This is a core tenet of Bejtlich's NSM mindset.  Bejtlich reasons that it's inevitable that someone exists who is smarter than he is, which suggests he should prepare for that individual instead of ignoring him.  I agree with that, and also extend that thought.  This isn't simply preparing for the worst.  This is preparation for an intelligent and unpredictable yet rational person.  In this sense, security is a form of competition.  If you'll pardon a comparison: football players do not train because they assume they will win; they train because they must prepare themselves in order to have a chance to win.
  • Technology is not the key, it's a tool.  The team is the key.  The team must be in harmony, adaptable, rapid, capable, and make the right decisions.  Or, at least quicker and better decisions than the attacker.
  • Organization.  You need more than the team.  You need C2 that can mobilize leadership and other departments as needed.  At first glance this suggests top leadership will command and control the situation; that is not the path you want to go down.  Instead, the structure created needs to "lead while monitoring".  To fully appreciate this "leading while monitoring" expression, please read Boyd's Organic Design for C2.
  • Honest detection.  If you can outline the story of a particular past or ongoing security incident, you begin going down a path of observational security.  It's akin to a snowball rolling downhill that steadily grows.  It can be treated as a feedback loop.  Your first incident generates visibility into, and establishes the importance of, logs and events.  Those will identify more issues.  Those in turn slowly generate a mature response capability.
  • Externally focused. This is an understanding of external threats you face.  It's also collaboration with external allies and a constant re-assessment of your operating environment.
  • Feedback loops.  Detection is the first feedback loop.  There are more.  Incidents will uncover which security controls work and which don't.  These lessons need to be fed back into the environment in a measured way.  Each process should be examined to discover where feedback into other processes can streamline, generate momentum, reduce defensive friction, and improve operations.

This leads to my next question.  What patterns make up an unsuccessful security operation?  Is it simply the opposite of the above?

Wednesday, February 2, 2011

Social Disclosure

Limited disclosure.  Responsible disclosure.  Full disclosure.  These are varying levels of loose expectations or cultural norms that certain circles within the security community respected.

We're so beyond that point.  Security "researchers", vulnerability buyers, software vendors, universities, the press, government and everyone in between are fragmented.  Fragmented across Twitter, Facebook, blogs, forums, and (old school!) mailing lists.  The discussions and announcements have moved from a small slice of the Internet (mailing lists and individual emails) to social media at large.  There is no one culture or expectation anymore.  There may be disclosure in the usual places, or it may be on the company's Facebook or Twitter feed.  In plain view of everyone, not just security geeks.  I expect this small tweak can have larger ramifications for the discourse.

There are no norms; however, social content reaches everyone at the same time, and communication is expected to be bi-directional, transparent and generally honest.  If that's true, then the vulnerability "owner" must interject itself into the disclosure and establish dialog and understanding.  This is increasingly likely to be public.

Because the "disclosurer" can now dictate the public discussion.  One last time: Social Disclosure has no particular custom or cultural norm (yet?).

Just throwing it out there.  Want more? Read McLuhan or Shirky.

shmoocon 2011

I've been attending shmoocon since 2005.  I enjoy it for a few reasons.  It whips me out of complacency and reminds me why I enjoy what I do.  It's a chance to set down the organizational weight that you carry during the day and to refocus on the true complexities.  It's also a fun time, and I get to hang out with everyone.

I jotted down two one-liner notes to myself during the con.  This is a brief expansion of those.

First, my perspective on Mudge's hackerspace talk (or what I've named "The l0pht mindset infiltrates DARPA").  Have you read esr's Cathedral and Bazaar?  You should.  Both black markets and certain nation-states have fully embraced the bazaar concept.  Hackerspaces offer a potential avenue for Mudge to leverage the same strength of the bazaar from within DARPA's Cathedral.  This is the asymmetric advantage that I believe Mudge alluded to near the end of his talk.

Secondly, I noted an upward trend of talks and mentions of "defense" or "offense", rather than black hat or white hat, and rather than "researcher".  We need more love for defenders, and this is a great trend.  There's also a trend of increasingly discussing the active use of intel as part of the security program.  Certainly the Mandiant guys mentioned it, but Mudge, Richard Rushing, and the INTERSECT guys also keyed in on it.