Continuous Incident Response

At last week’s Gartner Risk and Security Management Summit, Anton Chuvakin mentioned that 1-3% of systems are compromised today. He called it “a low intensity fire, not a conflagration.” This seemed like a great analogy for our challenge with incident response. As a security industry—indeed, as a society—it’s much more straightforward to detect, contain, and clean up after a 5-alarm blaze than to catch a subtle and determined arsonist. We are better at putting out forest fires than at dealing with water restrictions. We pay for emergency room care and don’t cover preventative care and early diagnosis.

Incident response creates heroes and stories to tell at the next happy hour. It also leaves permanently scarred victims, both corporate and individual.

We’ve already had lots of victims this year. What’s a better way?

I was struck by the term “Continuous Response” used by several analysts last week, including Eric Ahlm, Neil MacDonald, and Mr. Chuvakin. The term takes the federal government’s initiatives for Continuous Monitoring/Continuous Diagnostics and Mitigation and goes one step farther. Now that you can see what is happening, what can you do about it?

The idea is that you create a continuous loop of sensors, skills, and systems, perpetually iterating through short, efficient cycles, learning and capturing intelligence as you act. Instead of working in parallel universes, cyberforensics investigators wielding EnCase and their cyberhistorian colleagues wielding SIEM solutions connect this data and process it together with aggressive analytics and contextual intelligence to create cyberhunters. These people, enabled but not replaced by systems, can work continually to detect anomalies and “footprints” and piece together motive and opportunity into an actionable—and disruptable—image of an attack.

It seems clear that the data and process glue for continuous incident response will build on security management infrastructure. With 15 years of security management success in McAfee ePolicy Orchestrator, allied with our leadership-recognized SIEM and innovative Threat Intelligence Exchange and Advanced Threat Defense, McAfee has an exceptional set of resources to help security innovators move to continuous incident response. If you aren’t too busy putting out conflagrations, this is a good time for some summer reading.

Related Endnotes:

  • Chuvakin’s SIEM MQ blog makes some great points about SIEM’s expanding role in incident response.
  • McAfee customer, Jamie Rees, CISO for the Province of New Brunswick, presented a SIEM in incident response case study at the Gartner event (link Govt of New Brunswick case study).
  • Most targeted attacks start with phishing. Phishing URLs were up 25% in Q1 2014, according to the latest McAfee Labs Threats Report.
