Remember that incident definitions post? The definitions vary so much that some companies essentially have an incident (or more) every day while others seem to never have one (and thus don’t focus on incident response tools and practices). It is amazing how some organizations treat incidents as common (hey! there is one going on now!) and take action WHILE many others are still under the “it can’t happen to us” malaise (actually, it probably already did).
One dimension of this gap is related to the old theme: security “haves” and “have-nots” (that I mentioned here and here). It appears – and that is a hypothesis at this point – that security incident response is one area where said gap is very wide. The leaders (the “haves”) and the laggards (the “have-nots”) are universes apart… This is partly a matter of threats (who is after your data and systems?) and available security resources. Yes, there is a huge difference between the company that has 0.5 of a full-time security guy and one that has 12 full-time malware reverse engineers on staff (you can probably imagine how many other security professionals they have if their reversing staff alone fills up a mini-bus).
However, this gap is not only in the wallet, but also in the mind! As I mentioned in “Bye-bye, Compliance Thinking. Welcome, Military Thinking!” and “Alert-driven vs Exploration-driven Security Analysis”, this “mind gap” makes some laggards simply coast on luck until they are compromised (and discover it) and then “run on panic” for a while. And then go back to luck.
The leaders know that “today, and into the foreseeable future, American [A.C. – not really just American, of course] companies will face a motivated, technically sophisticated, and well-resourced adversary intent on depriving businesses of their wealth and intellectual property.” (source) The leaders, or “the haves”, practice ongoing IR, understand the role of intelligence, “hunt”, build analytics, etc. The laggards wait for the call from the credit card company or the FBI.
Now the question remains: how do we learn from the “top shelf” organizations, the Enlightened Few, and make this knowledge *usable* by the rest of the organizations?
In any case, why am I talking about this? Oh, it’s because I have another DRAFT maturity table for your review, this time focused on security incident response:
| Level | IR process and plans | IR team and roles |
|---|---|---|
| 1 | Ad hoc IR, or no plans, “reimage and go” | No IR team, no IR roles, ad hoc response |
| 2 | Untested, but filed IR plans (usually high level), tools | IR team defined, not tested |
| 3 | Tested and refined plans and procedures | IR team with processes defined |
| 4 | Integrated IR and monitoring, hunting for incidents, refining plans after incidents | Virtual or full-time IR team, linked to monitoring, balanced skills |
| 5 | Integrated IR, monitoring and intelligence, “continuous IR”, incident discovery | A standing, dedicated CIRT, separate forensics and reversing teams, hunters |
What do you think?
Posts related to the same research project:
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- My Next Research Area: Incident Response
- All posts tagged security incident response