In today's threat landscape it is a challenge to prevent the entire spectrum of attack vectors from impacting an organization. This is especially true with the increased adoption of new disruptive technologies and services such as cloud computing, mobility, BYOD and an increase in collaboration with third-parties who have access to the corporate's network.
On one hand, new business models and corporate IT strategies demand scalability, quicker time to market for goods and services, increased efficiencies and lower costs. On the other, it results in complex security implications because it is not possible to identify all of the attack surface and entry points a malicious attacker could use to gain access to the network.
The above considerations has led to the idea of an inadequacy of the traditional security model based on "security compliance checklists" or "perimeter oriented solutions" and the need for enhanced detection and response capabilities as priority of an overall security strategy. Given the need for a strong cybersecurity posture - an incident response program, plays a more important role than ever before. In fact, with the increased number of security breaches happening nowadays and the damage done in stealing or altering data by malicious actors, it is only a matter of time before a threat-driven Incident Response program becomes a de facto requirement for all organizations.
Inspired by other well-known maturity models, in this article I depict a new framework that is a combination of analytical and operational capabilities, processes, governance and metrics that together can enable all types of organizations to assess, shape and accelerate the continuous process improvements of their Incident Response program and benchmark it against the industry.
Level 1 - Initial (Processes unpredictable, reactive)
- Analytics - Technical skills and analytics/forensic technologies are not in-house;
- Governance - SOPs/IRPs have not been formally defined or documented;
- Measurement - Metrics and KPIs are either not available or captured;
- Operational - Security incidents are handled "on-demand" and processed "as time permits";
- Organizational - Incident Response Analysts have not been hired or formally identified.
Level 2 - Managed (Processes developed but inconsistent, often reactive)
- Analytics - Basic technical skills and technologies exist in-house to confirm whether an incident occurred;
- Governance - Minimal set of SOPs/IRPs exist but are not communicated, followed, tested, updated or known;
- Measurement - Limited set of metrics and KPI are available on request and manually generated;
- Operational - Resolutions of some security incidents are documented, tracked and addressed;
- Organizational - Incident Response Analysts are identified and responsibilities assigned.
Level 3 - Defined (Processes consistent across the organization, and are proactive)
- Analytics - Technical skills, capabilities and technologies are in-house and common IR remediation effort are automatized;
- Governance - SOPs/IRPs are formally documented and followed by the team for most of the security incidents;
- Measurement - Some metrics and KPIs are captured and communicated regularly;
- Operational - Classes and severities of security incidents are formalized and cross-correlated according to the business and risk impact of the asset (and data) involved;
- Organizational - A dedicated IR team exists with expertise on some critical IR functions and trainings are provided regularly;
Level 4 - Quantitatively Managed (Processes measured and controlled)
- Analytics - Advanced technical skills and analytics/forensic technologies tailored on the organization's enviroment are in-house; Artifacts and threat intel data are captured;
- Governance - SOPs/IRPs exist, categorized and well communicated and followed by cross functional business units;
- Measurement - Detailed metrics and KPIs are communicated, disseminated and are accessible; table top discussions and IR exercises conducted across all levels and departments;
- Operational - Security Incidents are resolved consistently and with repeatable methods, root cause analysis approach is used to improve the overall security posture of the organization;
- Organizational - A dedicated IR team exists with in-depth expertise upon specific and tailored corporate technologies , C-Level members are involved and formalized;
Level 5 - Optimizing (Focus on process improvement)
- Analytics - Advanced technologies and up-to-date technical skills and capabilities exist and the classes, the severity and the number of security incidents are systematically reduced over time (and visibility into the network and systems increased); threat intel data are used to prevent, detect and hunt for threats and shared internally and externally;
- Governance - SOPs/IRPs are weighted and regularly tuned/optimized identifying and incorporating lessons learners through "continuous improvement" process (e.g. the OODA loop); SOPs/IRPs are customized for specific asset and threat;
- Measurement - Detailed and solid metrics are defined, regularly reported and aligned with business, risk management and C-Level objectives;
- Operational - Incidents are tracked and the status of their resolution can be monitored at any point considering the asset loss, the threat propagation and the financial impact for each incident;
- Organizational - Cross-functional IR team assembled, C-Level is actively involved in simulations and discussions, legal and compliance exposures are addressed.
By considering certain data breaches, the appropriate level to comply is the highest and it's definitely true that the shift from initial to a more mature posture is a complex undertaking and could take months or even years of continuous work, dedication and financial investments especially for large organizations. However, a threat-driven incident response program may end up to be one of the most cost-effective security measures an organization can adopt once a compromise happens.
Finally, communicating and always tuning tactics and strategies across the chain of command, business units and team members will definitely encourage organizations to shift their mindset, be better prepared to handle a breach at early stage and work cooperatively toward one common goal: reduce the impact and minimize the loss of a breach when it occurs.
Author: Demetrio Milea
Category: RSA Fundamentals, RSA Point of View, Blog Post
Keywords: Converged Security, Incident Response, Measure your Readiness, OODA Loop, SOC