

How to buy the best incident response tools for your enterprise

Incident response tools are an essential element of any enterprise's incident response management system. This article helps security pros identify the best IR tools for their enterprise.

It's not what happens to you but how you react to it that matters. This adage is said to date back many centuries but still serves us well today. Looking at it in terms of information security attacks and breaches, stuff is going to happen. Only the unwise have yet to acknowledge that. The goal of any information security program should, therefore, be to detect and respond appropriately to minimize the impact of a breach. That's it -- nothing more, nothing less. And that means employing the most effective strategy and incident response tools possible.

Years ago, security professionals admitted to not being all that confident in their incident response (IR) capabilities. I'm pretty sure that's still the belief. It's certainly the reality based on what I'm seeing in my work and what we see in the headlines. Furthermore, the 2016 SANS Incident Response Survey found that 65% of respondents believe that a skills shortage is an impediment to incident response efforts.

Incident response tools explained

Security incident response is, without doubt, one of the greatest weaknesses in most organizations, and that is a strong argument for automating as much of the process as can safely be automated.

The only way you're going to be able to respond effectively to security incidents is by having good information. How do you get good information? It's all in your incident response tools, security controls and the visibility they both provide. How do you manage that information, especially when the going gets rough during a security incident? Well, you can turn to a relatively new industry segment called incident response management platforms. IR management platforms are a good way to shore up your enterprise's incident response management weaknesses.

How IR management tools work

Through automation and orchestration, IR management platforms allow security teams to minimize the time and resources required to handle security incidents.

Many vendors provide tools with better capabilities for handling security incidents on a much broader scale instead of digging in and investigating one issue at a time in a serial fashion. From mobile to the cloud and pretty much everything in between, these incident response tools provide abilities much like a security operations center to analyze and remediate network events that are most often missed or skipped over due to a lack of internal resources.

Additional automated analysis of the events uses threat intelligence resources from cloud services provided by vendors or other sources to determine which steps can be taken to remediate the issue in question. Finally, remediation is carried out on the affected system(s), and the incident is deemed resolved.

Whether on endpoints, on premises or in the cloud, there's simply too much for you to know and keep up with in order to determine the when, what, who, where and how of security incidents. It's all about automation where possible, and that's where these IR management platforms shine.

IR tool features

Incident response tools work with existing security controls to gather the insight needed for response: system logs, NetFlow, identity information and endpoint alerts are pulled together to evaluate security-related anomalies across the network environment. Specific threats and exploits investigated by these tools can include the following:

  • Phishing
  • Malware infections
  • Password attacks
  • Data leakage
  • Internal abuse of privileges

IR management platforms automate the following steps, which should be part of a well-documented incident response plan:

  • Detecting or receiving security alerts on events deemed worthy of response efforts.
  • Investigating what happened through live system data, threat intelligence and forensic artifacts.
  • Remediating incidents through quarantine, patching, re-imaging or adjusting security controls.
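The detect, investigate and remediate loop described in the two sections above is easy to state and harder to picture, so here is a minimal playbook in Python that walks through it end to end. This is an added illustration written for this article, not code from any vendor's platform. The auth log lines, the endpoint alert, the threat-intelligence feed and the identity directory are all constructed sample data; the detection threshold, the severity scoring and the list of actions that require a human to approve are assumptions chosen for the example.

```python
"""Minimal incident-response playbook: detect -> investigate -> remediate.

Added example for illustration; the log lines, endpoint alert, threat-intel
entries and identity data below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth events: a password-guessing run from one IP that ends
# in a successful login, plus one benign typo-then-success from another IP.
AUTH_LOG = """\
2016-11-02T09:00:01 host1 sshd[2113]: Failed password for root from 203.0.113.9 port 51234 ssh2
2016-11-02T09:00:02 host1 sshd[2113]: Failed password for root from 203.0.113.9 port 51235 ssh2
2016-11-02T09:00:03 host1 sshd[2113]: Failed password for admin from 203.0.113.9 port 51236 ssh2
2016-11-02T09:00:04 host1 sshd[2113]: Failed password for admin from 203.0.113.9 port 51237 ssh2
2016-11-02T09:00:05 host1 sshd[2113]: Failed password for admin from 203.0.113.9 port 51238 ssh2
2016-11-02T09:00:09 host1 sshd[2113]: Accepted password for admin from 203.0.113.9 port 51239 ssh2
2016-11-02T09:30:00 host2 sshd[4402]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2016-11-02T09:31:00 host2 sshd[4402]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""
# Constructed endpoint alert as an EDR agent might forward it (hash is a placeholder).
SAMPLE_HASH = "deadbeef" * 8
ENDPOINT_ALERTS = [{"host": "host3", "user": "bob", "sha256": SAMPLE_HASH, "process": "invoice.pdf.exe"}]
# Constructed threat-intel feed and identity directory (hypothetical values).
THREAT_INTEL = {"ip": {"203.0.113.9": "bruteforce-scanner"}, "sha256": {SAMPLE_HASH: "Trojan.Dropper.Sample"}}
IDENTITY = {"root": {"privileged": True}, "admin": {"privileged": True},
            "alice": {"privileged": False}, "bob": {"privileged": False}}
# Assumption: actions that can lock out an admin or destroy evidence need a human sign-off.
DESTRUCTIVE = {"reimage_host", "disable_account"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                    r"password for (?P<user>\S+) from (?P<ip>\S+)")


def detect_password_attacks(log_text, threshold=5, window=timedelta(minutes=5)):
    """Step 1, detect: flag a source IP with >= threshold failures inside `window`,
    and note if a successful login from the same IP follows the failures."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            by_ip[m["ip"]].append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(in_window) >= threshold:
                last_fail = in_window[-1]["ts"]
                success = next((e for e in evs if e["result"] == "Accepted" and e["ts"] > last_fail), None)
                alerts.append({"type": "password_attack", "ip": ip, "host": first["host"],
                               "users": sorted({e["user"] for e in in_window}), "failures": len(in_window),
                               "compromised_user": success["user"] if success else None})
                break  # one alert per source IP
    return alerts


def investigate(alert):
    """Step 2, investigate: enrich with threat intel and identity context, then score severity."""
    enriched = dict(alert, intel=[])
    if alert.get("ip") in THREAT_INTEL["ip"]:
        enriched["intel"].append(THREAT_INTEL["ip"][alert["ip"]])
    if alert.get("sha256") in THREAT_INTEL["sha256"]:
        enriched["intel"].append(THREAT_INTEL["sha256"][alert["sha256"]])
    users = alert.get("users") or [alert.get("user")]
    enriched["privileged"] = any(IDENTITY.get(u, {}).get("privileged") for u in users if u)
    score = 1 + bool(enriched["intel"]) + enriched["privileged"]  # assumed scoring scheme
    score += 2 if alert.get("compromised_user") else 0
    score += 1 if alert["type"] == "malware" else 0
    enriched["severity"] = {1: "low", 2: "medium", 3: "high"}.get(score, "critical")
    return enriched


def remediate(enriched, approve=lambda action: False):
    """Step 3, remediate: map the incident to control changes. Containment runs
    automatically; destructive actions wait for approval, so the incident is only
    'resolved' once nothing is pending."""
    actions = []
    if enriched["type"] == "password_attack":
        actions.append(("block_ip", enriched["ip"]))  # adjust the ingress control
        actions += [("force_password_reset", u) for u in enriched["users"]]
        if enriched["compromised_user"]:
            actions += [("disable_account", enriched["compromised_user"]), ("quarantine_host", enriched["host"])]
    elif enriched["type"] == "malware":
        actions += [("quarantine_host", enriched["host"]), ("block_hash", enriched["sha256"]),
                    ("reimage_host", enriched["host"])]
    pending = [a for a in actions if a[0] in DESTRUCTIVE and not approve(a)]
    executed = [a for a in actions if a not in pending]
    return {"severity": enriched["severity"], "executed": executed, "pending_approval": pending,
            "status": "resolved" if not pending else "awaiting_approval"}


def run_playbook(log_text=AUTH_LOG, endpoint_alerts=ENDPOINT_ALERTS, approve=lambda action: False):
    """Run all three steps over the log feed and the endpoint alert queue."""
    alerts = detect_password_attacks(log_text) + [dict(a, type="malware") for a in endpoint_alerts]
    return [remediate(investigate(a), approve) for a in alerts]


if __name__ == "__main__":
    for result in run_playbook():
        print(result)
```

The point worth carrying into a real deployment is the split in `remediate`: blocking an IP or quarantining a host is cheap to reverse, so it can run unattended, but disabling an administrator account or re-imaging a machine can lock out your own responders or destroy the forensic artifacts the investigation step still needs, so the playbook parks those behind an approval hook rather than marking the incident resolved on its own. With the constructed data above, the password attack scores critical because a known scanner brute-forced privileged accounts and then logged in, while the malware alert scores high but its re-image action stays pending until someone approves it.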

Recently, I worked on a security review project that involved what I would've considered a top-notch security environment. And guess what? It was. Still, there were numerous flaws associated with egress and ingress points, information flows and endpoint connectivity that were overlooked -- not to mention an incident response plan that met compliance checkbox requirements but had minimal real-world value beyond that. There were, of course, limited resources to tend to incident response. These are the types of gaps that incident response tools help close.

With the evolution toward incident response management, are we throwing in the towel and saying that criminal hackers have the upper hand and that we just need to focus on reactive security? It certainly seems that way. I've always been an advocate of fixing the handful (20%) of known flaws that are creating the majority (80%) of the security problems -- the stuff that the Verizon "Data Breach Investigations Report," among others, outlines year after year. It's nothing more than the basic principles -- the low-hanging fruit -- that have been around for decades, but so many people keep looking past them.

Too many organizations, both large and small, don't even have a documented incident response plan, much less a full-fledged platform or up-to-date IR tools. This needs to change.

Security incidents are going to happen, and security professionals must accept that fact and then do what it takes to manage the incidents as effectively as possible. The incident response consultants and forensics investigators will certainly love getting called in to figure out what happened in a breach and how to clean up the mess, but that's a situation enterprises want to avoid if at all possible.

Organizations need to get their arms around basic security -- the things they know are creating the majority of their risks. For many organizations, though, the environment has grown too complex to address those basics within a reasonable time, so a reactive capability is needed alongside them. There's no doubt that most organizations can benefit from IR management tools.

The bottom line

Should security teams immediately invest in incident response tools? My recommendation is to investigate products, but first, fully understand your risks and how such a tool would fit into your overall security program. Perhaps you just need to tweak a few things internally, which could negate the need for a tool. Or, as I mentioned above, your environment may be too complex or politically charged to go back and fix the things that can help prevent security breaches.

In another two to three years, the security field will be talking about yet another new category of security products marketed from a slightly different perspective; that's normal industry evolution. If anything, these new iterations of traditional security controls will help us get better, and that's the direction we need to be headed in.

About the author:
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 27 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has written 12 books on information security, including Hacking For Dummies, and can be reached at www.principlelogic.com or LinkedIn.


This was last published in November 2016
