Vulnerability Management and Incident Response are terms that are becoming synonymous with Security in general. However, saying it doesn’t make it so. We all hope bad things won’t happen, and we work incredibly hard to mitigate the risks inherent in operating and managing technology today… but it’s inevitable that something will happen. Balancing the needs of your business against your exposure to threats, which is as much art as science, makes vulnerability management one of the most critical pieces of your security puzzle. It’s also one of the hardest to keep up with. For this reason, you must also have a plan and process in place for dealing with incidents. So we asked: what are the elements of a good Vulnerability Management and Incident Response program, and what pitfalls make such programs fail?
Why Security Incident Response Programs Succeed
Know Your Surroundings...
Regularly run vulnerability scans of known assets for weaknesses and vulnerabilities, cross-referencing the results against your asset inventory so that unscanned assets and unknown hosts stand out. Use a consistent scoring system or tool to remove biased judgement from vulnerability assessment, and fix critical vulnerabilities right away. Keep a record of exceptions granted during scans and have a plan to re-assess low-risk vulnerabilities, which may become high-risk later.
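The reconciliation described above, as an added example that is not part of the original post: the asset inventory, scan findings and exception register are constructed, and the score thresholds are an assumed policy rather than anything the post prescribes.

```python
"""Reconcile a vulnerability scan against the asset inventory, apply one fixed
severity policy, and surface exceptions that are due for re-assessment."""
from datetime import date

# Constructed asset inventory: hostname -> owning team
ASSETS = {"web01": "platform", "db01": "data", "vpn01": "network"}

# Constructed scan findings: (host, finding id, CVSS base score)
SCAN = [
    ("web01", "F-1", 9.8),
    ("web01", "F-2", 4.3),
    ("db01",  "F-3", 7.5),
    ("lab07", "F-4", 6.1),   # host that nobody put in the inventory
]

# Constructed exception register: finding id -> date it must be looked at again
EXCEPTIONS = {"F-2": date(2024, 1, 15)}
TODAY = date(2024, 2, 1)     # constructed "current" date for the example

CRITICAL = 9.0   # assumed policy: fix immediately
HIGH = 7.0       # assumed policy: schedule within the normal patch window


def classify(score):
    """Same bucket for the same score, whichever analyst reads the report."""
    if score >= CRITICAL:
        return "critical"
    if score >= HIGH:
        return "high"
    return "low"


def reconcile(assets, scan, exceptions, today):
    scanned = {host for host, _, _ in scan}
    report = {
        "unknown_hosts": sorted(scanned - set(assets)),     # scanned, not inventoried
        "unscanned_assets": sorted(set(assets) - scanned),  # inventoried, not scanned
        "fix_now": [], "schedule": [], "reassess": [],
    }
    for host, fid, score in scan:
        bucket = classify(score)
        if bucket == "critical":
            report["fix_now"].append(fid)
        elif bucket == "high":
            report["schedule"].append(fid)
        elif fid in exceptions and exceptions[fid] <= today:
            report["reassess"].append(fid)   # low-risk exception has come due
    return report


def example_report():
    return reconcile(ASSETS, SCAN, EXCEPTIONS, TODAY)
```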
Automation
Automation is the key to making the most of limited resources. Automated patching, extended to reach beyond traditional network boundaries, can help push patches out, while GRC tools can provide an exceptional level of value in understanding your overall business risk.
Hope is Not a Strategy
As cliché as it is, if you fail to plan, you are planning to fail. Clearly define what constitutes an incident and breach with a clear understanding of the compliance rules and breach notification laws that may apply during an incident. Based on the incident, you’ll need clarity on who responds, who is notified – and how quickly these steps need to happen. When you practice, it will become clear how quickly you can get systems back online, if your backup plans are solid, or if your forensic team is able to conduct their investigations with minimal operational impact.
Learn from Your Incidents
How you learn from your incidents is almost as important as how you respond to them. Fully investigating the how and why, and reporting to all parties with easy-to-understand reports, can help build better bridges between security staff and other business units, creating a more effective and collaborative security program throughout your organization.
Why Security Incident Response Programs Fail
Too often, organizations focus on only one phase of the security incident cycle, without recognizing that each phase is part of a larger circle. Let's look at some of these failures:
Analysis Paralysis: Some organizations spend all their energy crafting the perfect information security strategy. They carefully weigh pros and cons of all approaches, evaluate products, and account for objectives of all constituents. Committees are formed and reorganized. No agreement is reached. Best practice frameworks are consulted and control mappings are created. Without being able to finalize the plans, such organizations cannot proceed with the implementation of a strategy.
Failure is Not an Option: Some organizations invest most of their time and money in purchasing and deploying top-of-the-line security tools. A Data Loss Prevention (DLP) project is in the works. Employees are sent to product training. Compliance questionnaires are filled out. Yet there is no clear relationship between the deployed technologies and the risks facing the organization. A vulnerability management program is in place, but the organization struggles to keep up with security patches. No processes exist to detect when preventive controls fail to block attacks. In a sound strategy, failure is an option that has been planned for.
Danger Will Robinson: Some organizations deploy numerous intrusion sensors to discover malicious activities. Many intrusion alerts are issued for attacks that would have been blocked by defensive measures anyway. A Security Information Management (SIM) project is in the works. The high number of alerts makes the organization feel good about its "visibility" into the environment. Reports are regularly generated to show the number of exploits or viruses detected in a given day, week and month. When confirmed intrusions are detected, no one is quite sure how to deal with them.
Fire, Ready, Aim: Some companies have experienced incident handlers. They utilize a variety of free and commercial IR and forensics tools. The handlers are always fighting fires and work long hours. Sometimes they have no opportunity to recommend post-incident improvement measures before having to deal with another breach. When recommendations are made, they are rarely implemented. The organization is concerned that the rate and severity of incidents seem to be growing faster than it can respond to them.
“Once more unto the breach, dear friends, once more;”
About Rick Ricker
An IT professional with over 23 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.