Security is a combination of protection, detection, and response. Nowadays, incident response (IR) products and services are becoming more common. Security teams are incorporating them into their arsenals, because they recognize that protection and detection aren’t enough - you must continually reassess your security posture in the face of an ever-changing threat landscape.
At a tactical level, security is a combination of people, process, and technology. Protection systems are mostly technology, with some assistance from people and process. Detection requires more-or-less equal proportions of people, process, and technology. Response is mostly done by people, with critical assistance from process and technology.
In 2008, usability guru Lorrie Faith Cranor wrote, “Whenever possible, secure system designers should find ways of keeping humans out of the loop.” Many of our best security wins come from automating security to remove the user: automatic updates and antivirus, for example.
But because people are essential for response, you can’t automate it. Attacks, networks, security environments and regulatory environments are all different. Organizations differ, and political and economic considerations are often more important than technical considerations. IR needs people, because successful IR requires human intelligence.
Cranor adds: “There are some tasks for which feasible - or cost-effective - alternatives to humans are not available. In these cases, system designers should engineer their systems to support the humans in the loop, and maximize their chances of performing their security-critical functions successfully.” IR needs technology that aids people, not technology that tries to replace them.
People-centric security
Think about this people-centric way of doing security by using a military concept called ‘OODA loops’: a way of viewing real-time adversarial situations. OODA stands for “observe, orient, decide, act,” and the concepts have been applied to everything from business negotiations to litigation to strategic military planning to boxing - and computer and network incident response.
In real-time adversarial situations, speed and efficacy are both essential. Combatants are constantly going through OODA loops in their head. If you can do yours faster than the other guy, you have an enormous advantage.
Use these four steps as an outline:
- Observe: knowing what’s happening on the network in real time. This includes real-time threat detection information from IDSs, log monitoring and analysis data, network and system performance data, standard network management data, and even physical security information. An IR team needs to be able to operate across the entire organization.
- Orient: understanding what it means in context, both in the context of the organization and the context of the greater Internet community. What’s going on in an organization often matters more in IR than the attack’s technical details.
- Decide: figuring out what to do at that moment. IR decisions often involve executive input, and all decisions must be defensible after the fact and documented. Both the regulatory and litigation environments have gotten complex, and decisions need to be made with defensibility in mind.
- Act: being able to make changes quickly and effectively on our networks. An IR team needs broad access along with some automation - security will come from audit rather than access control. And they need to train repeatedly, because nothing improves someone’s ability to act more than practice.
Pulling all of these tools together on an incident response management platform is what will make IR work. Start thinking about how we can be resilient in the face of attacks. This resilience comes from a combination of elements: fault-tolerance, redundancy, adaptability, mitigation, and survivability. And a big part of it is incident response - it’s the key to resilience.
The goal is to bring people, process, and technology together in a way we haven’t seen before in network security.
Bruce Schneier is CTO at Resilient Systems
This article first appeared on Telecom Asia Security Insights May 2015 edition