Security Management Strategies for the CIOPreventing incidents is one of the most important functions of an enterprise information security team, but having a strong security incident response process is also important. Even the
Requires Free Membership to View
most secure organizations eventually will
face a security incident and may need outside support to augment their in-house incident response
capabilities. To determine what happened, when it happened, who did it and how to prevent it in the
future, it often takes special digital forensics skills most infosec teams don't have in-house.
It's often difficult and time-consuming to determine the types of incidents an incident response firm has dealt with, so this is where performing your due diligence well in advance is especially helpful.
However, the midst of an incident is one of the worst times to identify a trusted partner to support any incident response needs, which is why enterprises should try to select an incident response firm before an incident ever occurs. As part of an extended computer security incident response team or CSIRT, this partner, or partners, may need to be called upon to investigate specific types of incidents.
In this tip, we’ll provide brief criteria for choosing the right incident response firm to support the enterprise incident response process, including the different types of incident response organizations, guidance on choosing a big firm vs. a boutique, and when to contact an alternative or government organization like US-CERT.
Incident response organizations
The types of incidents to investigate and the assistance needed for an incident response will
vary by industry and organizational capabilities, but there are key considerations for choosing an
incident response firm that holds true in most scenarios. Potentially the easiest criterion for
some organizations is if they feel the security incident
response will have legal implications. Often, internal investigations do not follow the same
rigor as investigations that may be scrutinized in a court of law. Although internal investigations
may or may not be investigated with the equivalent rigor from one organization to the next,
enterprises should not follow sloppy security incident response procedures. Along a similar line,
if the data involved is payment card data, an enterprise might be required to use a PCI
Forensic Investigator (PFI) to investigate the incident. The Payment Card
Industry Security Standards Council (PCI SSC) requires the use of a PFI to ensure investigators
or responders “completely understand the PCI DSS and its intended application within the cardholder
data environment.” The takeaway here is to immediately distinguish whether an incident may have
legal or compliance implications, and if so, be sure to select an incident response team that has
experience collecting evidence and responding to the type of incident in support of the legal
proceedings that may accompany that particular type of incident. Naturally, it's also a good idea
to involve corporate counsel as well.
Listen to this tip
as an MP3!
Listen to Diagram outside firm role early in security incident response process as an MP3 here.
Once the legal implications are squared away, another consideration is choosing an incident response organization based on the type of attack. By using a third party that is experienced in responding to certain attackers, methods or tools, it’s possible it has encountered the attack signatures previously, which makes it more likely it will know exactly what to look for and how to clean up affected systems. It's often difficult and time-consuming to determine the types of incidents an incident response firm has dealt with, so this is where performing your due diligence well in advance is especially helpful. Take the time to research and even speak with a handful of incident response firms personally and ask about their areas of expertise, and make notes that you can go back to should you need a rapid response in the future. You may even want to place a retainer so their services could be available in a specified timeframe when responding to an incident. While this may often result in smaller firms with specialized skills being favored over more well-known organizations, it's often these boutique firms that are best equipped to respond to specific types of attacks.
Another important consideration is internal resources. Some organizations may choose to outsource incident response altogether so they don’t need to maintain the high level of expertise in house. Others simply don't have ample security staff resources and aren't prepared to respond to a security incident. They may also outsource investigations or incident response when internal staff members are unavailable. If this is the case, it may make sense to consider a large firm that can handle a broader range of incidents.
For reference, there are multiple categories of incident response organizations, including large, boutique and even government agencies. Some of the large incident response organizations (Verizon, McAfee Inc., Symantec Corp., Trustwave Inc., etc.) have practices that could encompass most of many organizations’ incident response needs as noted above. There are many boutique organizations (Mandiant, Dell SecureWorks, Langner, etc.) that specialize in certain areas, which means they may be the most appropriate choice to handle advanced or specialized incidents. These companies can be evaluated by reviewing any publically available tools, reports or presentations they support or produce along with speaking with the firms.
More security incident response planning
Establish a better business continuity plan in the face of DoS attacks.
Take a more proactive approach with a security incident response program.
Reporting security incidents
Regardless of an incident being investigated internally
or externally, reporting the security incident may be required by law.
Though incident response and reporting are ultimately separate, enterprises should contact law
enforcement if the incident is serious. If the data involved was payment data, protected health
information (PHI), or personally identifying information (PII), the incident most likely needs to
be reported to one or all of following: state or federal government agencies, the payment card
brands, and the individuals affected. Even if an investigation shows an incident does not need to
be reported, reporting the incident to different agencies or organizations could improve the
overall state of information security and help identify trends. So to help more organizations learn
from an incident, an enterprise should consider contacting US-CERT, a regional CERT, an industry
ISAC or another organization to share incident response data. Assistance with investigating the
incident or notifying other affected organizations may also be needed. If a zero-day exploit was
used in the attack, a report should be filed with the software vendor to fill them in on incident
and attack details.
Conclusion
Planning for an incident response well before an incident takes place is critical to not only
responding effectively, but also minimizing the impact of the incident on the organization. Part of
this planning includes identifying when to bring in a trusted outside partner to investigate an
incident and determining what type of incidents to have them investigate. Establishing these
relationships and procedures prior to an incident will greatly improve the incident response
process.
About the author:
Nick Lewis (CISSP) is an information security architect at Saint Louis University. Nick received
his Master of Science in Information Assurance from Norwich University in 2005 and
Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University
in 2011, Nick worked at the University of Michigan and previous at Children's Hospital Boston, the
primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and
Michigan State University.
This was first published in June 2012
Join the conversationComment
Share
Comments
Results
Contribute to the conversation