I got this title from a very insightful CSO Online article called “Understanding incident response: 5 tips to make IR work for you.” It reminded me of a conversation with an exasperated IT security guy who said, “It’s more like herding snakes!” My private response was, “Why would you want to herd snakes anyway?”
But in all reality, handling a security incident is indeed painful, and it would be more technically appropriate if “cats” or “snakes” were replaced by “worms.”
In recent stats reported by FireEye, this one stood out: “On average, malware events occur at a single organization once every three minutes.” Or as I’ve often said, “APTs happen to the best of us.”
There seems to be a lot of interest and excitement around the incident-response workflow. I met with a startup this morning that raised $50 million in less than 18 months on an incident-response value proposition. After I peeled away the colorful marketing ribbons and wrappers, the value proposition boiled down to, “But there is no one shoe that fits all!”
It’s amazing to see how folks trivialize the whole process of what is generally called “incident response.” An excellent definition on the SearchSecurity web site (written in 2005) describes the process well. There are multiple steps in incident response, and very interesting associations between them from the organization and process perspectives. At the end of the day, there has to be accountability for the different job functions and the ability to communicate between organizations, so that the roles are clearly defined.
The steps in the process are preparation, identification, containment, eradication, recovery, and lessons learned. The important point to note is that it is not the lack of information that causes delayed or incomplete responses. Rather, it is the process itself, and the state of the information available to make intelligent and actionable decisions.
Here’s an analogy. You are getting ready for one of the most important meetings you’ve ever attended, and looking for that one lucky shirt in the closet. This would be absolutely no problem if you had put it in the right place in the closet and could just reach out for it and get on the road. But imagine a closet that is filled with tons of clothes, so that you have to dig through large piles, not knowing where it could possibly be.
Incident response is very similar. It goes back to the basics of “Do you know what is on your network?” and my favorite, “Do you have a current network diagram that shows the security controls, such as firewalls?” As much as we would like to deny it, these cornerstone best practices of networking are also the most often ignored. From our experience here at Infoblox, every single NetMRI evaluation we perform in a customer’s network is an ah-ha! moment for the customer. And with Infoblox DHCP Fingerprinting and our IPAM solution, we can answer that first question: “What is on your network?”
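The "what is on your network?" question above is, in practice, a reconciliation between what the DHCP server actually hands out leases to and what the asset inventory (IPAM) says should be there. The script below is an added illustration, not code from this post or from any Infoblox product: it parses constructed dhcpd-style DHCPACK syslog lines, classifies each client by its DHCP option 55 parameter request list (the usual DHCP fingerprinting signal) against a small constructed fingerprint table, and compares the result with a constructed inventory. Devices that are not in the inventory, or whose fingerprint disagrees with the recorded OS family, are exactly the ones that slow down the identification and containment steps when an incident lands. All log lines, fingerprints and inventory entries are made up for the example; a real deployment would use a maintained fingerprint database and the organization's own IPAM export.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample dhcpd-style syslog lines (not real data).
SAMPLE_LEASE_LOG = """\
Mar 10 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth1
Mar 10 09:12:44 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.16 to 00:1a:2b:3c:4d:5f (ws-finance-08) via eth1
Mar 10 09:13:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.90 to 3c:5a:b4:00:11:22 (android-9f2c) via eth1
Mar 10 09:13:30 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.91 to 00:0c:29:aa:bb:cc via eth1
"""

# Constructed: DHCP option 55 (parameter request list) as observed per client MAC.
SAMPLE_OPTION55: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "1,3,6,15,31,33,43,44,46,47,119,121,249,252",
    "00:1a:2b:3c:4d:5f": "1,3,6,15,31,33,43,44,46,47,119,121,249,252",
    "3c:5a:b4:00:11:22": "1,3,6,15,26,28,51,58,59,43",
    "00:0c:29:aa:bb:cc": "1,28,2,3,15,6,119,12,44,47,26,121,42",
}

# Constructed, illustrative fingerprint table: parameter request list -> OS family.
# A real deployment would load a maintained fingerprint database instead.
FINGERPRINTS: Dict[str, str] = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows",
    "1,3,6,15,26,28,51,58,59,43": "Android",
    "1,28,2,3,15,6,119,12,44,47,26,121,42": "Linux",
}

# Constructed IPAM/asset inventory: authorized MAC -> (owner, expected OS family).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:1a:2b:3c:4d:5e": ("finance", "Windows"),
    "00:1a:2b:3c:4d:5f": ("finance", "Windows"),
    "00:0c:29:aa:bb:cc": ("it-ops", "Windows"),  # recorded as Windows; fingerprint will say Linux
}

# Matches the ISC dhcpd DHCPACK line shape; the hostname in parentheses is optional.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]
    iface: str


def parse_leases(log_text: str) -> List[Lease]:
    """Extract one Lease per DHCPACK line; lines that do not match are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return leases


def classify(option55: str, fingerprints: Dict[str, str]) -> str:
    """Map a parameter request list to an OS family, or 'unknown' if unrecognized."""
    return fingerprints.get(option55, "unknown")


def reconcile(log_text: str, option55_by_mac: Dict[str, str],
              fingerprints: Dict[str, str], inventory: Dict[str, Tuple[str, str]]) -> dict:
    """Compare active leases against the inventory.

    Returns three lists: 'authorized' (in inventory, fingerprint agrees),
    'unknown' (leased but not in inventory) and 'mismatch' (in inventory but
    the fingerprint disagrees with the recorded OS family).
    """
    report = {"authorized": [], "unknown": [], "mismatch": []}
    for lease in parse_leases(log_text):
        observed = classify(option55_by_mac.get(lease.mac, ""), fingerprints)
        if lease.mac not in inventory:
            report["unknown"].append((lease.mac, lease.ip, lease.hostname, observed))
            continue
        owner, expected = inventory[lease.mac]
        if observed != expected:
            report["mismatch"].append((lease.mac, lease.ip, expected, observed))
        else:
            report["authorized"].append((lease.mac, lease.ip, owner))
    return report


if __name__ == "__main__":
    result = reconcile(SAMPLE_LEASE_LOG, SAMPLE_OPTION55, FINGERPRINTS, INVENTORY)
    for category, entries in result.items():
        print(f"{category}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

Run on the sample data, the script reports two authorized workstations, one unknown Android device that nobody recorded, and one host whose inventory entry says Windows while its DHCP fingerprint says Linux. Both findings are the kind of closet clutter the post describes: each one is a question that would otherwise have to be answered in the middle of an incident.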
Once you get past that, the next logical question is, “So what do I do with this?” That’s where the Infoblox DNS Firewall and Security Device Controller help you close the network valves. But only if your closet is not a tangle of snakes and cats and worms!