Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist and other roles.
Security Incidents vs “IT Problems”

by Anton Chuvakin  |  August 12, 2013  |  8 Comments

Lately, I’ve been noticing some vile examples of treating information security incidents in the same way as IT “issues.”

Think about it: “my PC is slow today” vs “my $800 million wind turbine schematics are stolen today” … these are TOTALLY the same and should be handled by the same people in the same way.

People, what kind of stuff are you smoking? This is totally and certifiably crazy!

One example comes from a recent conversation with somebody who said that the sole focus of his security IR program is to “restore IT service.” So, if the attackers steal all his payment data, employee data, deploy bots [well-written ones that don’t disrupt his IT service], change corporate records, snoop on their executives’ private messages, etc., etc., etc., his “incident responders” won’t even get out of bed. Seriously? However, if a user reports that something (probably malware) opens too many windows, and that interferes with work, they will perform their “reimage and restore” magic.

In any case, I am shocked that I have to explain it, but let me still try:

  • For those who like to preach the “security and business alignment” theme, think of security IR as responding to a “business incident,” not an IT issue.
  • For those stuck in compliance-land, think of a data breach. Does it reduce your IT service? Probably not. Will it affect your organization? Oh, yes. Therefore, response becomes essential.
  • For those ITIL lovers, keep loving it. Just don’t confuse the word “incident” in ITIL with a security incident. This is “lead pipe vs lead guitar” all over again…
  • For those with LEO thinking, think of security incidents as … computer crimes. Some are and many aren’t, but *crime* is not thought of as an IT problem.

Now, I am not advocating more silos and walls between IT and infosec (well, sometimes you do need walls – think rogue sysadmin investigations). IT helpdesk often serves as a useful “intrusion detection system” that can reveal anomalies to a security team. Similarly, remediation activities will involve opening tickets, engaging with system administrators, making system changes, etc. Collaboration and cooperation though is NOT the same as equality.

The difference between IT issue resolution and security incident response is HUGE and UNAMBIGUOUS. Keep that in mind!

Category: incident response, security

8 responses so far

  • 1 Adrian Sanabria   August 13, 2013 at 2:15 am

    I often encourage and teach IR perspective by always seeking the worst case scenarios. Then pull it back and use experience, public breach info and sister/acquired/parent companies or consultants to help determine which are most likely.

    It qouldn’t

  • 2 Adrian Sanabria   August 13, 2013 at 2:20 am

    Oops.

    …It wouldn’t surprise me if the same person you speak of also oversaw a purchase of some large forensic suite, because “that’s how you IR”, right?

    Too many nod and make the right noises – even buy some of the right stuff, but don’t have a clue.

  • 3 Christophe Pradier   August 13, 2013 at 8:55 am

    ;-)
    The problem is when “my 80,000 PCs are slow today” compares with “my $800 million wind turbine schema *might* have been stolen today”. That’s a harder one to prioritize.

  • 4 Anton Chuvakin   August 13, 2013 at 3:01 pm

    @adrian Thanks for the comment. A worst case scenario approach is sensible, but occasionally will lead to overspending, right?

    BTW, the same person probably never bought a forensic suite since investigation is not essential to restoring service faster (in his mind). If anything, investigations delay service restoration :-(

    @christophe Thanks for the comment. My point was not the priority, but the ownership and handling methods. These would still be different, even if 80k PCs….

  • 5 Dario Forte   August 13, 2013 at 4:00 pm

    @anton: I certainly agree with the ITIL point. There are many conceptual differences between the way ITIL considers an incident and the way “Security” looks at the same topic. We are currently editing the new ISO 27043 and 27035 and we are doing our best to finally draw the boundaries. Just think about it: ITIL’s definition of RFC is different from IETF’s. Which one is right? :)

  • 6 Survey: How Many Security Incidents Have You Had Over the Last 12 Months?   August 13, 2013 at 5:07 pm

    [...] ← Security Incidents vs “IT Problems” [...]

  • 7 Anton Chuvakin   August 13, 2013 at 5:10 pm

    @dario Thanks for the comment. Do you know anybody who promised me an advance copy of those ISO docs? :-)

  • 8 Dario Forte   August 14, 2013 at 8:35 am

    This guy is getting old :) I will talk to him!