Thursday, February 24, 2011

Patterns for Successful Incident Response

What are themes and strategies that make up successful detection and response operations?  This has been a question in my head for the last several days.  This post is an attempt to generate discussion and dialog on that.  Here is my stab:

  • A genuine desire to champion a sustainable security operation.  This statement is meaningless unless juxtaposed next to the stereotypical organizations who deploy security in order to meet an outcome needed for compliance, regulations, business requirements, et al.  You may do the right thing, but for the wrong reason.  Executing to bare minimums instead of raising the bar.
  • The expectation that prevention eventually fails.  This is a core tenet of Bejtlich's NSM mindset.  Bejtlich reasons that it's inevitable that someone exists who is smarter than he, which suggests he should prepare for that individual instead of ignoring him.  I agree with that, and also extend that thought.  This isn't simply preparing for the worst.  This is preparation for an intelligent and unpredictable yet rational person.  In this sense, security is a form of competition.  If you pardon a comparison: Football players do not train because they assume they will win; they train because they must prepare themselves in order to have a chance to win.
  • Technology is not the key, it's a tool.  The team is the key.  The team must be in harmony, adaptable, rapid, capable, and make the right decisions.  Or, at least quicker and better decisions than the attacker.
  • Organization.  You need more than the team.  You need C2 that can mobilize leadership and other departments as needed.  At first glance this suggests top leadership will command and control the situation, this is not the path you want to go down.  Instead, the structure created needs to "lead while monitoring".  To fully appreciate this "leading while monitoring" expression please read Boyd's Organic Design for C2. 
  • Honest detection. If you can outline the story for a particular past or ongoing security incident you begin going down a path of observational security.  It's akin to the snowball going downhill that steadily grows.  It can be treated as a feedback loop.  Your first incident can generate visibility and importance of logs and events.  That will identify more issues.  Those will in turn slowly generate a mature response capability. 
  • Externally focused. This is an understanding of external threats you face.  It's also collaboration with external allies and a constant re-assessment of your operating environment.
  • Feedback loops.  Detection is the first feedback loop.  There are more.  Incidents will uncover which security controls work and which don't.  These lessons need fed back into the environment in a measured way.  Each process should be examined to discover where feedback into other processes can streamline, generate momentum, reduce defensive friction, and improve operations.

This begs my next question.  What patterns make up an unsuccessful security operation?  Is it simply the opposite of the above?

No comments:

Post a Comment