Panic-mode responses to incidents, such as breaches, seem to be the norm nowadays. But does it have to be this way? Security personnel are willing to break glass and say, “let’s just push all the critical patches out right now,” or “fix the one that cries vulnerability.” Many incidents today happen because people are not good at the basics.
Visibility is the cornerstone.
In other words, visibility is step zero. Here’s an analogy: a smoke detector detects the fire, but the video surveillance system gives full visibility of the campus, so you can tell exactly which smoke alarm is going off and where in the building the fire is actually located, and you can tell it quickly. Without that context of where or which, knowing only that a fire alarm is going off, it can take hours to days to figure out the starting point and begin remediating.
Relevant contextual information about every device feeds the front end of the incident response life cycle: where devices are, who is on them, what is running on them. That context becomes paramount when a security operations person is thinking “what the heck is going on right now in my business, because a siren is going off for some reason.” If we can shrink that time window to minutes or an hour, rather than hours and days, the business has a much better chance of putting a quarantine around an incident before the catastrophic impact happens.
What’s next?
If an attacker has made an initial foothold and is trying to progress through an organization, you can put a fence around them so they don’t get to the crown jewels or their end target. Yes, you still had a breach, but the overall impact on the business is far, far less than if the attacker had hit whatever intellectual property or financial records they were going after. Using context and an understanding of the environment, you can triage more quickly and leave the organization better off.
You achieve this by applying your policies and making sure, in the compliance state, that you are following your company’s defined practices. Then you move into the life cycle, thinking “now how do we put the bubble, the quarantine zone, around this device?” That is where the real business case comes in.
How to limit the impact.
Segmentation is critical: how do you isolate devices that are not perfect, and then combine your segmentation strategy with your compliance requirements within the campus infrastructure? That is the logical progression from a business maturity perspective. Segmentation defines incident response as limiting the pain, limiting the spread, and limiting the impact.
You don’t have to wait until your business is impacted to start working on an incident response plan. Start implementing the basics now: identify that something is happening, investigate what is happening, and then resolve and remediate, where resolving is a temporary fix and remediating is a long-term fix.
To learn more about the current challenges, trends, and environment affecting incident response teams, read the 2018 SANS Incident Response Survey Report.