Best Practices for Managing IT Security Incident Response Planning, Staffing and Operations
Jeff Schilling, the director of our Incident Response and Digital Forensics Team, recently put together his insights on information security risk management for an organization's incident response function and offered those insights in a webcast on "Managing Your Incident Response Bench."
The 30-minute presentation is available on demand and is well worth watching, but if you prefer to read Jeff's recommendations rather than watch (it can save you time), I've summarized many of his key points here.
First, Jeff's credentials make him an expert in this area and give his recommendations real weight. Before retiring from the U.S. Army as a colonel, Jeff managed the Army's Global Network Operations and Security Center.
The two starting points for Jeff's analysis are: "You can't stop everything from coming into your network" and "everybody's going to have that bad day" (meaning: virtually everyone will be compromised at some point). Based on those starting points, one of the key decisions for any CISO or security leader is to decide what level of threats your team can handle. Most enterprise CISOs probably have confidence their teams can handle "commodity threats" using the most widely available malware variants. As you move up the sophistication level, to address threats from hacktivist groups, organized cybercrime groups, cyber espionage actors and nation-state actors, you may not be as confident that the necessary skills reside in-house.
Higher level incident management calls for network forensics analysis, system or host forensic analysis and malware analysis skills, Jeff said.
Another key decision is which of three models to adopt:
- A 100% in-house incident response team
- A mixed approach of in-house skills and specialized out-sourced skills available when needed, or
- A 100% out-sourced IR team
Jeff reviewed the pros and cons of each model, then went deeper into each of the eight stages of an IT security incident (detection, identification, analysis, notification, containment, eradication, recovery and post-incident recovery) and the types of skills, processes and technology needed at each stage.
One particularly interesting case study detailed how a law firm sought outside expert help when its anti-virus program kept identifying and cleaning infections by a type of malware, but the infections kept recurring. The Dell SecureWorks IR team identified the malware as the Qakbot Trojan and found that the breach had actually occurred six months earlier. During those six months, "substantial data exfiltration had occurred."
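The pattern in that case study, anti-virus repeatedly cleaning the same family on the same host, is itself a detectable signal that a foothold has not been removed. As an added example (not from the webcast or this post), here is a small Python check over constructed AV log lines that flags such recurring clean-ups and reports how far back the first one was seen; the log format, hostnames and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample AV log (not real data): timestamp, host, malware family, action.
SAMPLE_AV_LOG = """\
2012-03-01T08:12:00 WS-017 Qakbot cleaned
2012-03-01T08:12:05 WS-042 Generic.Adware cleaned
2012-03-03T09:40:00 WS-017 Qakbot cleaned
2012-03-06T11:05:00 WS-017 Qakbot cleaned
2012-03-09T07:55:00 WS-017 Qakbot cleaned
2012-03-10T14:20:00 WS-042 Generic.Adware cleaned
"""


def parse_av_log(text):
    """Parse whitespace-separated AV log lines into (timestamp, host, family, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, family, action = line.split()
        events.append((datetime.fromisoformat(ts), host, family, action))
    return events


def recurring_infections(events, window=timedelta(days=14), threshold=3):
    """Return {(host, family): (clean_count, first_seen)} for every host/family
    pair cleaned at least `threshold` times inside some `window`.

    Repeated clean-ups of the same family on the same host mean AV is removing a
    symptom while the underlying compromise persists; `first_seen` gives a lower
    bound on how long that has been going on, which is what the IR team needs."""
    by_key = defaultdict(list)
    for ts, host, family, action in events:
        if action == "cleaned":
            by_key[(host, family)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:          # enough repeats inside one window
                flagged[key] = (len(times), times[0])
                break
    return flagged
```

Any flagged pair should go to the identification and analysis stages as a suspected persistent compromise rather than back to the AV console.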
As more and more organizations recognize the need to shift their emphasis from focusing purely on preventing successful attacks to preparing to respond to security incidents and compromises, Jeff's recommendations are worth sharing, and worth following.