While it may take some time for the industry to arrive, eventually we should be able to construct a statistical model for normal app use, collect that data, and use it to compare and detect any out-of-character accesses.
* Get back online: Once an attack has been spotted, the affected systems need to be brought back to known good states. This is where safe, secure backups are required; this is where a solid disaster recovery plan becomes invaluable.
"Organizations need to plan, create and be prepared to utilize secure, continuous backups," says Dmitriy Ayrapetov, director of product management at Dell SonicWALL. "Don't forget, the backups must have been scanned for previously compromised systems before being restored, otherwise you open things right back up again."
One option that is getting more attention of late is disaster recovery as a service (DRaaS). "We're seeing a lot of movement from internal recovery models to one in which the cloud is used to provide equivalent recovery capabilities delivered as a service," said Mike Gault, CEO of Guardtime. "When the data is being restored, organizations are demanding that the service providers maintain independent proof that their data has not been changed, manipulated or otherwise tampered with -- this must be achieved through the use of technology capable of delivering such proof."
* Stop the bleeding: While most organizations aren't willing to admit defeat, they will accept the fact that compromise is looming. So, is there anything to be done that can help protect an organization from widespread damage once an attacker is in? Maybe some of the advice from Black Hat can help.
"It is critical to compartmentalize the network with air gaps between the compartments," said Ayrapetov. "Once compartmentalized, organizations must apply the same level of security across each of the compartments to protect them from the other compartments -- just as you would for outside entry of the DMZ."
"The same compartmentalization requirement holds true for the wireless network," added Lieberman.
It is also critical that all information security and proper-use policies and rules are defined properly, implemented properly and regularly double-checked against the configurations. "Some security settings get turned down over time in order to enable business users and applications to operate," said Ayrapetov. "Sometimes it is good to turn up the volume on the view and to change the layout of the dashboard, even if it means seeing a lot of overwhelming data. This is where the compromise may be hiding."
Another tip Lieberman suggested is for organizations to ask themselves how far a breach could travel if it gets in. "Look at a potential breach from within and outside each compartment," said Lieberman. "What are your chances of keeping the infection from spreading beyond one compromised compartment to another compartment?"
* Detect the adversary: A primary goal of the security response plan should be to improve visibility throughout the process. This means leveraging centralized logs, tuning correlation engines so that they present solid information while reducing distracting false positives, and gathering external threat intelligence to help make sense of it all.
Unfortunately, it's not always that easy. There is often a lack of experience within the organization with respect to the entire incident response and incident handling framework. "Most organizations think that they can just 'handle it' when an incident occurs," said Stephen Grutzius, CMO at Cybersponse Inc. during a follow-up interview. "The root of the problem lies in the lack of knowledge including identification of systems; memory collection; malware detection and analysis; forensic imaging and analysis; and multi-department collaboration -- these all prevent effective, timely response."
"Companies should be prepared to create an investigation-ready environment," added Jim Aldridge, a manager at D.C.-based Mandiant. The plan should be formal yet flexible and it should let the smart people work. "The security response team should define playbooks that are meaningful, outcome-based, and provide clear metrics," Aldridge added. "Be prepared to share the information with anyone and everyone that can benefit and/or contribute."
Humans to the rescue?
People are looking for "drop-in security" where they can just install it, set a few dials, and move on, but it is important to separate hype from reality.
And the reality? Systems require human intervention. Scripts and rules are not enough. But, humans can't scale like computers can. The cloud only further exacerbates the problem.
"Most organizations don't have a dedicated forensics expert on staff," added Grutzius. "This makes it extremely difficult, if not impossible, to effectively triage and analyze a security event."
One of the more interesting takes on the human element compared to computer-only systems is Henry's description of a network-speed intelligence-sharing system:
- Human-to-human collaboration with little to no system automation involved is not acceptable as it can't scale
- Human-to-machine collaboration is irrelevant as the translations are not always accurate
- Machine-to-human is not enough either as humans are prone to make mistakes
"We need a machine-to-machine-to-human system," said Henry.
It's important to recognize that the determined/sophisticated attacker is also human and will often possess distinctive characteristics geared toward avoiding detection. The attacker will hide in the network for long periods of time -- trying to extend its reach and gain intelligence on a continual basis as a means to map out the network so it can take down parts of the network and access sensitive information when the timing is just right.
Regardless of how and where humans interact with machines, organizations must be prepared to deal with so much more than the breach itself.
Be prepared for more than data theft
Sure, data theft is a huge deal. But, data manipulation can be just as serious, if not more serious for some institutions. Consider an organization's scientific research data being unknowingly changed to throw a research project off-track. This could potentially destroy any chance the company has to succeed with a project. [Also see: "Is your intellectual property secure? Whitelisting can help secure against advanced persistent threats"]
"These days, you can't just protect the information from being viewed, you also need to protect it from being changed or modified," said Henry.
To this end, data integrity has become a component of a number of industry guidelines, government regulations and other internationally published standards. "Take financial institutions," says Gault. "They are bound to numerous data integrity requirements, so it is critical for these firms to have a secure audit trail around all aspects of their financial transaction histories; an audit trail that will stand the test of time, stand up in a court of law, hold up against regulatory scrutiny; an audit trail that cannot be manipulated by insiders, even when they maintain trusted access to core financial systems."
And of course when you have it all mapped out, it's important to execute the plan. "Companies must put their plans to the test, conducting table-top exercises for key scenarios the companies expect to encounter," Aldridge added.
As with anything specialized and complicated, practice makes perfect. Therefore, successfully getting through the response process takes practice. "You play the way you practice," said Henry during his keynote. "Training exercises are critical -- organizations need to conduct table-top exercises so that when things go bad within the process they know how to react to different situations."
When it comes to security response, it might be good advice to follow the guidance contained in the Ulysses S. Grant quote that Henry referenced at the conference: "The art of war is simple enough. Find out where your enemy is. Get at him as soon as you can. Strike him as hard as you can, and keep moving on."
An additional thought worth considering can also be attributed to Grant: "In every battle there comes a time when both sides consider themselves beaten, then he who continues the attack wins."
Don't give up. Don't give in. Don't get even. Just get back to business.
Sean Martin is a CISSP and the founder of security consulting, research and analysis firm imsmartin. Write him at email@example.com.
Read more about wide area network in Network World's Wide Area Network section.
This story, "In security response, practice makes perfect" was originally published by Network World.