
Time-tested Incident Response Wisdom?

by Anton Chuvakin  |  June 27, 2013  |  1 Comment

Have you ever read the NIST 800-3 (!) document called “Establishing an Incident Response Capability”? It was published in … 1991! Some of the CERT/CC guidance on computer incident response (IR) goes straight back to the Morris Worm era (1988). The books that you see on the right, serving as my impromptu monitor stand, have been published since the mid-1990s. There is a lot of security incident response wisdom accumulated over the years. CERT/CC, SANS, NIST, FIRST, ISO – as well as analysts and independent consultants – produced piles of content on how to respond to security incidents.

[Image: IR-book-stand-small]

But how much of it is relevant for you today?

To think about this systematically, let’s try to list some of the forces that affect how we respond to security incidents today:

  • New technologies (specifically, mobile computing and virtualization) affect how and where we look for evidence and what tools we use for the investigations
  • Cloud computing introduced two sources of changes: new technologies (and not just virtualization), but also environments with predominantly 3rd party control and multi-tenancy (you need both permission and ability, if you need to investigate an incident spanning “the cloud”)
  • Furthermore, I’d say that the more global, distributed nature of many organizations (as well as the highly distributed locations of their valuable data) affects both investigative tools and processes – after all, investigating 1 machine and investigating 10,000 require drastically different tools.
  • Regulations, mandates and laws have definitely introduced changes: and not just PCI DSS (with its own mandate for IR plans and workflows) and breach notification laws. Think “cyber-doctrines” and nation-level incident response. Oh, fun!
  • Overall, reliance on IT (and now, OT) has been going up, thus raising the stakes of incident response – what used to be “this computer stuff” in the late 1980s and early 1990s now, in 2013, affects billions of lives and trillions of dollars worldwide.
  • Finally, the adversaries have changed – the key attribute of [some] attackers today is persistence: they WILL keep trying and will aim for ongoing access to the environment. If persistent compromise is the setting, how do you do IR? Also, if attackers earn their living off successful attacks (whether as salaried “cyber-spies” or “commission-based” criminals), their motivation for both effectiveness and stealth is much higher than before … This also means there will simply be MORE attackers.

Anything else you want to add? How has YOUR incident response practice changed in the last few years?

P.S. I am going to be using incident response (IR) and incident handling (IH) as synonyms, but will separate computer forensics out (of course!). Anybody got a problem with that?
