Incident Response Roundup: 5 Facets of Top Performers

Mar 29, 2016 | by RSA

An Aberdeen Group analysis of current enterprise practices for managing privileged access provides a powerful illustration of how better visibility and operational forensics can not only help with more effective incident response (IR), but also point the way to high-impact improvements in specific security practices and technical controls.

The Importance of Qualitative, Risk-Based Analysis

In a nutshell, this particular analysis shows that defenders are virtually always too little, too late, in the sense that a high percentage of data breaches involve compromised or misused privileged access. Credentials are almost always changed less frequently than the time it takes for attackers to gain access to and start to exfiltrate sensitive data. This effectively leaves the window of vulnerability for a data breach wide open. A straightforward Monte Carlo model quantifies how actively managing the credentials for privileged accounts actually reduces the risk of a data breach by 75 percent to 80 percent.

Perhaps the best thing about this type of analysis is that it provides the quantitative answer to the fundamental question every security professional needs to address: How does investing in IR capabilities reduce an organization's risk? Qualitative arguments are important to set the ball, but this kind of quantitative, risk-based analysis is what is really needed to spike the ball and score the point.

The following is a summary of five interesting facets of the top IR performers:

1. Faster, More Efficient Collection of Evidence

This allows analysts, investigators, and responders to spend more time doing analysis, investigation, and response, as opposed to spending the majority of their time collecting data. According to Aberdeen Group, efficient data collection is necessary to redefine the balance of power between attackers and defenders.

2. Faster, More Effective Response

The faster a compromise is detected, the shorter the total time to contain it will be. In turn, this can significantly reduce the total business impact of an incident.

3. Faster Determination of an Incident's Root Cause

By doing this, companies can identify specific practices and technical controls that need to be updated or added, thereby reducing the likelihood of a future compromise. One example of this is a company's privileged access management policies, as discussed above.

4. Essential Capabilities for Other Purposes

Effective IR requires accurate visibility and intelligence about the organization's infrastructure, efficient mechanisms to manage vulnerabilities and patches, and effective communication between the right people with the right expertise. These capabilities are vital for containing a data breach that may have already started or for remediating a critical vulnerability throughout the organization's IT infrastructure.

5. Evidence of Maturity in the Incident Response Function

Aberdeen Group research has found that signs of mature IR functions include clearly defined measures of success, a clearly defined funding model, and a clearly defined reporting structure. Even more importantly, leaders in this area specifically pay attention to making changes in technologies as part of post-IR actions and making changes in the people and process aspects of information security.

Organizations that embody these five aspects of IR will be in a better position to protect their assets in the increasingly vulnerable IT landscape.

Author: RSA

Category: RSA Fundamentals, Blog Post

Keywords: Incident Response, Operational Forensics, Risk-Based Analytics