Security vulnerabilities are present in virtually every network environment, and various threats are out there, looking to exploit these weaknesses for ill-gotten gains. What an organization does to not only prevent but also to respond when tangible security events do occur, can determine its short-term future and long-term viability.
Incident response is the process of detecting impactful security events, taking the necessary steps for incident analysis, and then responding to what happened. Incident response is a critical aspect of information security but it's lacking in many organizations. The good news is, there's nothing magical or mysterious about this process if you plan ahead and have the proper incident response tools to help guide you through the process.
Aside from management buy-in and having a documented incident response plan, one of the most important things an IT or security professional can do is use the proper incident response tools to help prepare for and respond to security incidents. Given the information they provide, the analysis they perform and the reports they can create, these cybersecurity tools should be implemented well before any incidents occur. Most organizations have general security controls already in place that can help with the incident response function, especially in terms of logging and alerting. However, there are dedicated tools that can help step you through incident response workflows and provide all the details necessary to make informed decisions.
What tools does your organization need? Well, it all depends. Certain organizations follow the OODA loop, which can provide guidance on what tools are needed and when. A military-derived approach to incident response, the OODA loop is a methodology that involves four steps when confronted by a threat:
- Observe: This is the visibility into network traffic, operating systems, applications and so on, which can help establish a baseline of the environment and provide real-time information into what's happening before, during and after a security incident.
- Orient: This is the detailed contextual information and intelligence on the threats that exist and what attacks they're carrying out.
- Decide: This refers to real-time (proactive, happening now) and forensic (reactive, after-the-fact) information on threats and anomalous behaviors that can help the security team make informed decisions on how to respond.
- Act: These are the steps, or actions, to take to address the threats, minimize their risk and impact to the business, and bring things back to normal.
The OODA loop isn't a rigid set of incident response requirements. Rather, it's an approach security teams can integrate with their existing incident procedures to minimize the impact that security incidents may have on the organization.
Similar to security policies governing such things as passwords, data backups and acceptable usage, the incident response function sets expectations, details how things are done, and uses the appropriate technologies to ensure that procedures are properly addressed and enforced. The sections that follow provide guidance on incident response tools and how they can help throughout the incident response process. The security team can use this information when selecting specific incident response tool vendors and to gain insight into how the organization's overall security program might be improved.
Incident response tools and the OODA loop
The days when firewalls, antivirus software and strong passwords addressed most security risks are gone. Organizations need technologies that can help provide visibility and control in an automated and repeatable fashion to ensure that the network remains resilient and all aspects of security are preserved. This goes for both preventative security measures, such as multifactor authentication and granular access controls, as well as more reactive aspects of security, such as monitoring, alerting and system quarantining.
Digging further into incident response tools, there are many products that can assist with response efforts across the OODA loop. Most tools will fall into one of the following categories, and certain tools can be used in multiple OODA loop phases:
- netflow and traffic analysis;
- vulnerability management;
- security information and event management (SIEM);
- endpoint detection and response (EDR);
- security orchestration, automation and response (SOAR);
- firewall, intrusion prevention and denial of service (DoS) mitigation;
- forensics analysis; and
- awareness and training.
Looking at this from the perspective of integrating these technologies into your incident response procedures, consider the following OODA loop integrations and product suggestions:
In the observe phase of the OODA loop, you can use incident response and security tools to create a baseline, establish what "normal" looks like, and seek out anomalies. Given what's involved, this category encompasses the greatest number of tools:
- Data classification, data loss prevention and cloud access security broker (CASB), including offerings from McAfee, Symantec Corp. and TITUS.
- EDR and next-gen antimalware, including offerings from Carbon Black, Crowdstrike and SentinelOne.
- Intrusion prevention systems, including offerings from Cisco, McAfee and Palo Alto Networks.
- Netflow software, including offerings from ManageEngine, Nagios and Paessler AG.
- Network traffic analysis tools, including offerings from Awake Security, LiveAction and SolarWinds.
- SIEM tools, including offerings from AT&T Security, Exabeam and LogRhythm.
- Vulnerability analysis and management tools, including offerings from Tenable, Qualys and Rapid7.
As with most aspects of security, the more information you have the better. That's why these types of tools are so critical. They allow you to become familiar with your network and determine what might be at risk before anything happens.
In the orient phase of the OODA loop, incident response tools can help provide information and context regarding the severity of security events that have occurred. This can help you establish the scope and impact, which leads to better decision-making in the next phase. These tools can be broken into the following groups:
- Threat research and intelligence, including offerings from AT&T Cybersecurity, IBM and Recorded Future.
- Investigation and response, including offerings from FireEye, RSA Security and Uplevel Security.
Although incident response tools can help you reach this point, ultimately the decide phase of the OODA loop involves people; for example, a security committee and/or incident response team as well as executive management and legal. You will be making critical business decisions regarding what to do -- or not do -- in terms of your response efforts. The most important piece goes back to the first two phases of observing and orienting to ensure you have all the necessary information in order to make better decisions. In this phase, you might reference security policies and standards and even contracts and compliance requirements to ensure that you're doing what you said you were going to do. The important thing is that you come up with a clear plan for your remediation efforts. Going back and interacting with your incident response and related security tools may be in order, depending on the situation.
The act phase is where you get things done. As in the previous phase, when acting on your decisions, you'll rely on your incident response and security tools to carry out the plan. Tools that can help in this regard include:
- Antimalware software, including offerings from Kaspersky Lab, Malwarebytes and Webroot.
- Backup and recovery, including offerings from Acronis, Commvault and Veeam Software.
- Forensics evidence gathering and preservation, including offerings from AccessData, EnCase and The Sleuth Kit.
- SOAR tools, including offerings from Splunk, Palo Alto Networks and CyberSponse.
- Information and access management systems, including offerings from Micro Focus, Okta and One Identity.
- Patch management, including offerings from Ivanti, PDQ Deploy and Quest KACE.
- Security awareness and training, including offerings from Cofense, Proofpoint and The Security Awareness Company.
In addition, you might also use your SIEM and vulnerability management tools to ensure that threats have been eliminated and vulnerabilities have been addressed. Likewise, if you're using a change management system, you may need to use that to follow your internal requirements and document what has been done.
One of the most important aspects of network and security management is understanding the network and what's normal. While that sounds good in theory, it's a practice that's hardly ever mastered. Many organizations don't have a current network diagram, much less fully understand what's happening on the network that could be considered normal or abnormal. It's also imperative that the security team fully understands the business' needs so they can start collecting reference data in order to establish that critical baseline of what's normal.
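The baselining described in the observe phase and in the paragraph above is easy to state and rarely practiced, so here is a concrete illustration as an added example; it is not code from the original article or from any of the vendors named in it. It takes constructed netflow-style records (host, hour, destination port, bytes out), builds a per-host profile of hourly egress volume and destination ports from a reference window, and then flags three kinds of deviation in a later window: a host with no baseline at all, an hourly volume far above the host's norm (z-score over a threshold), and a destination port the host has never used. The record layout, the field names and the standard-deviation floor are assumptions of this example, not properties of any product on the page.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows for the reference ("what's normal") window.
# Layout assumed for this example: (host, hour, dst_port, bytes_out).
BASELINE_FLOWS = [
    ("10.0.0.5", 0, 443, 900), ("10.0.0.5", 0, 53, 100),
    ("10.0.0.5", 1, 443, 1000), ("10.0.0.5", 1, 53, 100),
    ("10.0.0.5", 2, 443, 800), ("10.0.0.5", 2, 53, 100),
    ("10.0.0.5", 3, 443, 950), ("10.0.0.5", 3, 53, 100),
    ("10.0.0.5", 4, 443, 850), ("10.0.0.5", 4, 53, 100),
    ("10.0.0.7", 0, 443, 500), ("10.0.0.7", 1, 443, 520),
    ("10.0.0.7", 2, 443, 480), ("10.0.0.7", 3, 443, 510),
    ("10.0.0.7", 4, 443, 490),
]

# Constructed sample flows for the window being observed afterwards.
OBSERVED_FLOWS = [
    ("10.0.0.5", 5, 443, 920), ("10.0.0.5", 5, 53, 100),   # within normal range
    ("10.0.0.7", 5, 443, 500), ("10.0.0.7", 5, 2222, 8500),  # volume spike, new port
    ("10.0.0.9", 5, 443, 300),                               # host never seen before
]


def aggregate(flows):
    """Sum bytes per (host, hour) and collect the destination ports each host used."""
    per_host_hour = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for host, hour, port, nbytes in flows:
        per_host_hour[host][hour] += nbytes
        ports[host].add(port)
    return per_host_hour, ports


def build_baseline(flows):
    """Per-host profile: mean and population stdev of hourly egress, plus known ports."""
    per_host_hour, ports = aggregate(flows)
    baseline = {}
    for host, hours in per_host_hour.items():
        values = list(hours.values())
        baseline[host] = {
            "mean": mean(values),
            "stdev": pstdev(values),
            "ports": set(ports[host]),
        }
    return baseline


def find_anomalies(baseline, flows, z_threshold=3.0, stdev_floor=1.0):
    """Compare an observed window against the baseline and return a list of findings.

    stdev_floor keeps a perfectly constant host from turning any change into an
    infinite z-score; the value is a tuning choice assumed for this example.
    """
    per_host_hour, ports = aggregate(flows)
    findings = []
    for host, hours in per_host_hour.items():
        profile = baseline.get(host)
        if profile is None:
            findings.append({"host": host, "reason": "no_baseline",
                             "detail": "host not present in reference window"})
            continue
        stdev = max(profile["stdev"], stdev_floor)
        for hour, total in sorted(hours.items()):
            z = (total - profile["mean"]) / stdev
            if z > z_threshold:
                findings.append({"host": host, "reason": "volume",
                                 "detail": f"hour {hour}: {total} bytes, z={z:.1f}"})
        for port in sorted(ports[host] - profile["ports"]):
            findings.append({"host": host, "reason": "new_port",
                             "detail": f"destination port {port} not in baseline"})
    return findings


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    for finding in find_anomalies(profile, OBSERVED_FLOWS):
        print(f"{finding['host']}: {finding['reason']} ({finding['detail']})")
```

The three findings this produces (an unknown host, a volume spike on 10.0.0.7 and a previously unseen destination port on the same host) are exactly the sort of "what is different from normal" signals the observe phase is meant to surface; in practice the reference window would be days or weeks of flow data rather than five hours, and the threshold would be tuned per segment as the security team learns the network's patterns.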
How to choose the right tool for your needs
Each organization's incident response needs will certainly be unique. But just because an incident response tool seems to fit the bill now, that doesn't mean that it will over the long haul. There are many considerations and questions to ask before investing time, money and effort into these products. The most important thing is to understand the challenges and risks the business is trying to address. Rather than simply procuring incident response tools that may or may not be what the organization needs, the security team must determine what's best for the business. This involves asking questions such as:
- What is the organization trying to accomplish? What requirements need to be met to reach these goals?
- What is the organization required to protect? What are we protecting it from?
- Does the organization need to protect the entire network or just a subset of critical systems?
- What challenges does the business currently have in terms of visibility, control and expertise that could be mitigated by the right tools?
- What type of reporting does the organization need for executive management, audit and so on? Will these tools help the security team meet these requirements?
- How will new tools impact the business' current network complexity and security posture? Does the organization have the internal resources necessary to properly implement and administer these tools?
- How will security policies, standards and plans need to be adjusted? Ditto for IT and security workflows and processes?
- How will the organization measure success? Will the tools themselves help in that regard?
- How will incident response tools complement or hinder vulnerability and penetration testing efforts?
- What is the budget and will it be sufficient to meet both the upfront and ongoing costs of these tools?
Whether or not your security team is taking the OODA loop approach, over time, it will be necessary to tweak incident response tools and overall methodologies. For example, as the security team discovers the patterns and nuances of network traffic and system behaviors, they will need to fine-tune the tools in use to make sure they're providing the information needed. They will also need to determine if the data being collected helps or hinders decision-making when responding to incidents. They may need to establish new security standards or adjust security policies and procedures accordingly, and update the organization's formal incident response plan as the processes and tools evolve.
The security team can help ensure a successful incident response process by asking vendors the following questions:
- How will your product or service better protect the organization's network?
- How can your product save the organization time, effort and money?
- What are your product's components? What does each one do?
- Beyond security oversight and incident response, what compliance regulations does your product address?
- Can you provide use cases or specific case studies of how your tool has helped other organizations in a similar situation?
- What versions of your product are available? Are they on-premises or cloud-based?
The security team should ask for reference accounts in the organization's industry and talk to those people directly. They should also seek out trial versions or, if time permits, do in-depth proof of concepts with certain vendors to see how their incident response tool is going to work in the business' unique environment. They should also discuss ongoing support and training with prospective vendors and ask them what key partnerships they have in terms of integrating with other security tools. Such integrations are beneficial because they can take advantage of the organization's existing security technologies. The security team should also ask vendors how they differentiate themselves from their competitors.
With all the rebranding and recycling of products, services and approaches to security that have occurred the past couple of decades, very few things are truly innovative in the security field. Still, some modern incident response tools can help take the pain out of security oversight and response efforts.