How well is incident response working for corporations effected by security incidents? A panel at RSA says there is still a lot of work to be done
Clearly, the impact of the Target breach hasn't died out just yet, as it was the baseline example that every panelist referred to at some point when discussing the state of incident response during AccessData's "Living in a World of Continuous Compromise" panel at the RSA Conference in San Francisco.
The panel pulled together a number of security experts including Golan Ben Oni, the CISO of IDT Telecom; David Matthews, Expedia's director to incident response; Trey Ford, the global security strategist at Rapid7; Chris Christianson, the assistant VP to network services and a SANS instructor for Travis Credit Union; Rich Mogull, an analyst for Securosis; and Larry Ponemon of the Ponemon Institute.
For legal reasons, the panel members spent a couple of hours waxing in exceedingly general terms about the incident response. To kick things off, moderator Craig Carpenter, AccessData's CMO, started general (fittingly) by asking the panelists what a typical IR process looks like.
+ ALSO ON NETWORK WORLD Follow along our running list of stories from RSA +
"When an organization is compromised, most of the time they'll find out from a third party," said Christianson, who added that in some cases, it's even the customers themselves reporting the problem.
"The size of the organization determines how they're going to react; a medium-sized company can right the ship faster than a large one. Meanwhile, they're also trying to figure out what really happened."
So what helps? How can organizations begin the process of responding?
"Having good relationships and working with other organizations is key, and that includes getting intelligence data from other organizations," said Ben-Oni. Though this begs the question of whether or not competitors would really be willing to help one another in this sense -- even if, theoretically, it is for the greater good -- Ben-Oni maintained that some organizations are willing to listen to reason.
"Some of the vertical markets are open to it, like those in telecom or the financial markets. They're usually willing to participate in that 'coopetition' as long as there is confidentiality involved."
Mogull went on to clarify that Ben-Oni was referring to the fact that these days, there is more pooling of data on the part of organizations through third party services wherein the information is anonymized before being shared with others. And for those that may be concerned about legal implications, Matthews added that the anonymization is typically what appeals to companies' attorneys, who may sweat those kinds of disclosures.
"As long as you keep it high level and anonymize it, attorneys are okay with it," he said. Even in light of drastic incidents -- like the Edward Snowden affair -- that suggest that sharing information isn't always the wisest choice, the panelists all seemed to agree that it's still important that companies share with and support each other. "It hasn't changed anything for us," said Ben-Oni. "We still need each other."
Matthews added that in sharing data for the sake of improving incident response, it's important to work with and developing trusting relationships with the people you already know personally. "You're more likely to trust each other," he said simply.
The human element
Timing is obviously key when it comes to incident response, so the natural inclination would be to believe that automation is the answer to all of your problems. After all, letting machines do the work not only means cutting down on manpower, but faster --and therefore better -- response, right? Not entirely true, said the panelists, who agreed that automation is a healthy choice, but only in moderation.
"We've taken a close look at how we can automate incident response," said Ben-Oni. Through automation, he said, companies can cut down on the necessary manpower to respond to incidents while also possibly containing a problem before it becomes serious.
"[By automating IR, you can] do it quickly and without much man power and you may have contained a problem before it becomes a big issue," he said.
But Christianson warned that while automation can improve both efficiency and response time, organizations should be careful to not completely remove the human element, which is necessary in incident response. "That checking part, making sure that everything is okay, is still going to require a set of human eyes to confirm," he said.
Ben-Oni then clarified his stance, saying, "We're not replacing people. We're taking steps that people have to do every time and automating them so when the human element comes in, the heavy lifting is already done."
Mogull agreed with that approach, maintaining that when it comes to automating IR, it's more about automating a workflow, rather than expecting to hit a button and having everything done automatically. "Certain steps, like re-imaging, changing the ownership of an application, etc., should be automated so as to dramatically speed up the process," he said.
"Communication is key."
Incident response is, in many ways, all about communication. It's not just a matter of how (or when) organizations choose to communicate to the public that they've been breached, it's also a matter of how security teams choose to approach internal communications with board members.
When asked about whether incidents like the Target breach open the eyes of board members, Matthews said, "It does get the attention of executives, and our executives wanted to know if it would happen to us. So we told them, here's our analysis, here's where we fit on that spectrum, and here are our gaps."
That way, he added, the board members could then determine how best to spend their money in order to protect their organization.
Ford seemed slightly more concerned about the communication problem in the security industry, but was also determined to take as positive of a stance as possible. "Notification is tough both externally and internally," he said.
"The question isn't, 'Have we been hacked?' It's, 'Has it happened yet and do we know?" So in the event that a breach needs to be reported, he explained, it's almost positive that CISOs are even able to say that they know something is wrong. It's crucial that in doing so, however, that their statements be accurate.
"That's a position of strength to say here's what we know and what we know we don't know. But we have to deliver these statements with absolute confidence," he said.
Communication is so important, said Christianson, that security specialists that are also expert communicators are a very hot commodity in the industry today. "Communication is key. We have smart people, but they're not always the best communicators," he said. "So you want to have people in place that are both technical and can communicate well."
And therein lies the rub. While it's obviously necessary for security teams to communicate these issues to board members, it's important that they knowhow to communicate the issue in a way that board members will understand. In other words, they don't need to explain what exactly is wrong; they need to paint a picture of how this is going to affect their organization, and that can't be done accurately until the entire situation has been assessed.
"Board members don't care that such and such was violated, they need to know, in business terms, the impact on their organization," said Mogull.
"The board doesn't understand the underlying technology," Ben-Oni concurred. "So I don't understand the point of going to the board the moment an alarm goes off."
Once it has been established that there's a problem, what does this mean for budgets and future spending? Is the moment an incident has become apparent a good time to talk budgets with board members? Ponemon seemed to think so.
"There's no acceptance of blind spots by board members. Most board members assume ignorance is bliss. If you're not talking to them, noting is wrong," he said. "They see security as a tactical thing, not a strategic thing, and it's not until they see something like a Target incident do they get it."
Ponemon seemed to view it as a very small window, adding, "The only time they care is for 90 seconds after the breach is on the front page, and then they go back to not caring."
Mogull agreed that high profile cases are, in a slightly twisted way, good for everyone else in that they tend to advance security programs and increase awareness among board members. When companies like Target are hit with losses in the millions, he said, board members pay attention. "We are changing, but at a glacial pace. I may not agree with Larry's 90 second statement but&yeah. Maybe 90 days."
Regardless of whether or not they agreed on board perception of the threat landscape, the panelists seemed to agree that a better standardized approach is necessary. And that, of course, begins with thinking outside the compliance check box.
"Compliance is not enough," said Ben-Oni. "Board members are now realizing that security is more than that."
Ford took a slightly less aggressive approach, agreeing that it's not enough, but that there are some benefits to it. "Compliance is a double-edged sword. It's meant to be used as a baseline, but many people are using it as a ceiling," he said. "But it's a starting place and I don't think there's anything wrong with that."
The state of incident response
When asked about how well incident response is working today, the panelists all seemed to agree that there was a long way to go. Whether that progress is measured in the form of more practice or recruiting - or creating - security professionals with the right skill sets, everyone seemed to agree that there was work to be done.
"The best we've found is to practice response on a regular basis," said Matthews. "The more we do it, the better, faster we're going to respond. And, we have the communications in place so we don't have to set it up ahead of time."
Christianson mentioned doing exercises if, for no other reason, than to teach security teams that it's okay to fail. Mogull added, "It's not just okay, we need to introduce failure. We need to try to create stress."
But training for existing members isn't enough. Christianson said that there was plenty of work to be done in terms of producing the right kind of talent to combat threats. "We need to have the right people with the right skills," he said.
"People who are experts in forensics, responseA! all medium-sized organizations can afford to have those people with all of the different skill sets. So we need to have training so people know what they're doing."
Matthews and Mogull were in accordance, as they talked about how organizations should seize upon resources like students and military veterans to get the help they need. Ben-Oni even mentioned that IDT has an accredited school in their building to help create more skilled team members. "It hasn't solved all of our issues, but it's helpful," he said.
Ford added that it's becoming more important than ever for organizations to be able to admit that they need help. "We're often afraid to say we don't have enough X or Y," he said. "CISOs are afraid to tell board members what they need. And we need experts."
Read more about data protection in CSOonline's Data Protection section.
This story, "RSAC 2014: Experts discuss the harsh realities of Incident Response" was originally published by CSO.