When Prevention Fails, Incident Response Begins


By Richard Porter, a Palo Alto Networks Systems Engineer.


Originally an Internet Storm Center Diary posted @ https://isc.sans.edu/forums/diary/When+Prevention+Fails+Incident+Response+Begins/19629/


I've been asked a few times this year ($dayjob) to discuss and review incident handling practices with some of our clients. This topic seems to have come up to the surface again, and with some breaches getting main-stream coverage, it only makes sense. Taking a look at some of our past posts on the ISC, I was pleasantly greeted with a long history on this topic (see list below).


Those who have not seen it yet should read the 2015 Verizon Data Breach Investigations Report (DBIR). A couple of notes on the DBIR (very brief, as it seems everyone is reviewing it [2]): we are getting better. The entry called out on page 5 stuck with me: “In 70% of the attacks where we know the motive for the attack, there’s a secondary victim.” [1] Some homework: go read page 5!


The second takeaway from the DBIR tells me that we can prevent quite a bit. Remember: where prevention stops, incident handling starts. If you jump to page 15, there is a big lesson covered that you’d THINK we would have learned by now: PATCH. “99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.” [1]


Some Observations

In my travels I have observed that more companies are proactively negotiating contracts with outside incident management firms. This is a great sign. I am still observing areas of weakness in internal incident handling skills. We should still have some staff who at least understand the process (I am thinking of evidence handling here). These staffers should act both as liaison to the contract staff and as a source of guidance to management.


Most, if not all, of the companies I have visited have solid policies and standards in place, and a surprising number of those include marketing and public relations. It seems we are getting a little better here.

Note: Have a list of those who are cleared to speak to any media; your average journalist will eat an engineer alive. Know when to say “I cannot comment on that.”


Parting references I use for incident management:


References

  1. http://www.verizonenterprise.com/DBIR/
  2. http://researchcenter.paloaltonetworks.com/2015/04/2015-verizon-data-breach-investigations-report-db...