Incident Detection, Then Incident Response
April 26, 2012 1 Comment
There seems to be an interesting and, I believe, unfortunate trend emerging in IT security: Incident Response (IR) and forensics tools are being wrapped in professional services and sold as the solution to the breach detection problem. While I am happy that there is growing understanding that a breach detection problem exists, the reaction to that recognition is disappointing and misses the mark.
The point is obvious and is right there in the name: Incident Response. Response is not detection; it is the step after detection. 1. Detect the problem. 2. Analyze the problem. 3. Fix the problem. You could group #2 and #3 as “respond”, but they still follow “detect”.
You see, I thought detection was the issue. While coming up with faster and more efficient ways to respond is laudable, I did not think what we needed was a better response to breaches that go undetected for an average of 173.5 days (Trustwave Report). Just to make sure I was not missing something, I reviewed the excellent breach investigation reports from Verizon Business, Trustwave, IBM X-Force, and Mandiant. Some of them do note the time from detection to containment, but that is certainly not their focus. The consistent message I take from my reading is that organizations are getting breached and are not prepared to detect those breaches.
Unfortunately, several organizations are making hay selling professional services engagements under the umbrella of incident response. The IT security market has a long history of seeing one vendor’s success and rushing to copy it. This is one of those cases. Then marketing kicks in, and the opportunity for the market to take constructive steps forward is squelched by vendors rushing toward the next pot of gold and organizations being swept up in the hype. Then these same reports will come out next year, and there will be collective head scratching as to why the numbers have not improved.
The winner is the adversary, who is quite fine with 173.5 days of undetected access to organizational networks.
A simple analogy is firefighting. Firefighters train diligently and continuously to respond better to a fire when called. There are constant technological breakthroughs in equipment that also help them respond when called. All of that training and equipment is put to use only once they are called, that is, once the fire is detected. Firefighters are not responsible for detection; they are all about the response. And while I am not a firefighter, my guess is that firefighters would tell you that the sooner a fire is detected, the more effective their response. I would also guess that rapid detection is a key component in reducing loss. Having a better, more expensive fire investigator will not reduce loss.
The first step to solving the breach detection problem is deploying tools that rapidly detect breaches at the point of infiltration. The breach reports cited above make clear that prevention tools are not providing that detection, and IR/forensics tools are not built for it. Detection must be addressed first. Then you can deploy all of these marvelous response offerings.
Another explanation is that organizations have tied themselves into a really unfortunate Gordian knot. Maybe they are just beginning to understand the problem, but have resigned themselves to taking action if and when they are breached. This is not a good strategy, because the statistics say it is likely they have already been breached but simply don’t know it yet, because they lack the tools to detect breaches. There is no more “if”, and the “when” has likely already happened. That is not FUD; that is what the statistics say. Once a breach is detected (and the statistics say that 92% of those breaches will be detected by a third party, not by the breached organization), they will spend enormous amounts of money to have someone come in, do lots of expensive analysis, and make recommendations that they will likely ignore. The organization must, of course, also deal with the financial, regulatory, and reputational effects of the 173.5 days the adversary had access to its confidential data and intellectual property.
To paraphrase a Churchill quote I have used before: people frequently stumble over the truth; unfortunately, they often pick themselves up and carry on as if nothing had happened. I fear this is one of those collective moments when organizations have stumbled onto the truth and will be no better for it.

Nice article. I would be curious to hear what your solutions are. You seem to take aim at a lot of the vendors/companies but offer no possible solutions. You also mention, “This is not a good strategy.” Can you suggest a better one? These kinds of articles are great, but offer little value. Could it be that the security vendors rely on signatures for detection, and behavioral IDSs are mediocre at best? It would be great if you wrote a Part II and offered some possible solutions. So we need AI systems to predict future methods of attack, it seems, or vendors to “tip and cue” each other in real time so they can learn from each other.