IT professionals, security experts, and researchers have traveled to Sin City this week, in order to attend the annual Black Hat security conference. While many of the presentations and demos at Black Hat will focus on trends and the latest technological advances for those who attack the network and those who defend it, there isn't much on the topic of incident response.
In the grand scheme of things, though it is marketed, debated, and packaged as its own layer of proactive defense, incident response could arguably be called disaster recovery, or business continuity planning. Once an incident has been discovered — either as it is happening or long after the fact — steps must be taken to address it, ensure the organization recovers from it, and ensure that it doesn't happen again. But before any of this can happen, a response plan needs to be in place.
On paper, this sounds like an easy thing to do, but the experts and trench workers that CSO spoke to this week at Black Hat were quick to note that this simply isn't true. Incident response is something that is developed and something that changes with the organization over time. Incidents can be technical or physical, and while you can't prepare for everything, it's wise to at least prepare for the most likely threats that your organization will face.
"Companies have figured out that they can invest all they want into defensive strategies, but at some point in time they will fail. Time and time again, that has been proven. Even the best of systems fail, because the longer they're out there, the more the attackers will learn how to circumvent them," said Ken Silva, the President of Cyber Strategy for ManTech Cyber Solutions International.
"So they spend all this time, and all this training, and all this education that they've got, and all the money that they invested in parameter defense, and even internal defenses, but they didn't spend a dime on incident response. Incident response tends to be, in most cases, an ad-hoc thing that's put together as needed; it's almost like a volunteer fire department. The only difference is that the volunteer fire department is properly trained, they have the right processes, [and] they have the right tools."
Developing an incident response plan, and ensuring that it aligns with the organization's goals and needs, as well as existing policy and compliance regulations, can be a daunting task. Moreover, the process will require all sides of the business to communicate, which in itself can be quite the task. As one security worker at Black Hat put it, "it's like herding cats."
At the very least, the legal department needs to be involved in order to ensure regulatory and compliance needs are met; business leaders (i.e., everyone at the C-level within the organization) will each need to ensure that they've got a say in things; and then IT needs to ensure the plan is maintained and updated regularly.