Four Approaches to Critical Incident Response
White Paper / Executive Brief

Table of Contents
Selecting the Best Fit for the Enterprise
Assessing the Four Approaches to Incident Response
Making the Most of Incident Response Capabilities

Selecting the Best Fit for the Enterprise

Even those in the security business know preventive security measures are not enough to stop malware infiltrations and other security threats completely. Security technology fulfills a vital role in the IT infrastructure, but it is only a matter of when, not if, an organization is breached in some manner. A data breach, a malware outbreak, a successful hacker infiltration, a DDoS attack… many have experience trying to slay one of these cyber dragons, while others have yet to deal with one, or may not even know they have suffered from an incident.

"It does not do to leave a live dragon out of your calculations, if you live near him." – J.R.R. Tolkien, The Hobbit

Critical Incident Response is the security industry term for mitigating a cyber threat. Security experts have long advocated that detailed incident response plans be created, maintained and practiced to strengthen an organization's ability to detect and mitigate an attack. Not every enterprise, however, has the same requirements, budget and in-house security resources. NTT Security research has identified four primary ways organizations typically approach incident response:

• No response plan and no external support from a third party.
• No response plan, but keep a third party on retainer for response in the event of a breach.
• Have a response plan that is still maturing; hire a third party to evaluate the incident response process and remain on standby to mitigate threats.
• Maintain a mature incident response plan and a skilled security operations team, and retain third-party support when needed.

When calculating security spending, most organizations emphasize security controls to a much greater extent than monitoring and incident response. Bringing more balance to this spending ratio, and taking a more proactive approach to critical incident response, could mean the difference between the crippling after-effects of a breach and a manageable effort to thwart attacks and properly investigate.

Aligning Critical Incident Response to the Organization

Taking a proactive approach to incident response can drastically improve an organization's security posture. Security frameworks and some compliance mandates also require organizations to have a security program and an incident response plan. While every enterprise may strive for a mature incident response plan backed by a skilled security operations team, this is not a realistic goal for many organizations. Is it possible to still identify, contain and mitigate an attack without the most robust incident response plan and team in place? Yes, to a degree. Successful incident response largely depends on creating a customized incident response plan that is realistic and manageable, then training and preparing employees and practicing the steps outlined in the plan.

The First Step in Critical Incident Response—Know Your Organization

"Know thyself." – Ancient Greek aphorism

Throughout history, military commanders have known that highly attuned self-awareness is one of the best defenses against attacks. Armed with the knowledge of specific weaknesses, organizations can work to outsmart the enemy's plan of attack. The same principles can drive an effective incident response plan, customized around the most critical data and systems, for a particular organization.
Security frameworks and compliance mandates can be helpful guideposts for establishing a critical incident response capability, but they are not meant for cutting and pasting into a company's plan. Similarly, industry checklists and ISO standards provide helpful insight into common vulnerabilities, but do not complete the picture. The security team should study the guidelines and standards that most closely affect the business, then go a step further to identify the specific and customized points of intersection with the organization's IT and business operations.

Regardless of where an organization falls along the continuum of incident response capabilities, there are options to be as prepared as possible to contend with a security breach. The four approaches outlined below can help an organization determine where it stands and what it can do to be proactive.

Assessing the Four Approaches to Incident Response

Level one – no response plan, no external support

Having no plan for critical incident response is not advisable, but unfortunately, this approach is far too common. Many organizations do not have the time or resources to develop or test response plans. If a qualified third party can be engaged to either develop a response plan, or provide support in the event of an incident, that can help prevent the worst effects of a breach. However, many of the same organizations that lack an incident response plan also lack budget for external incident response management or support.
Analysis by NTT Security shows that 74 percent of the organizations NTT Security supported with incident response engagements during 2014 had no policy, plan, procedure or contracted support to address a major incident.[1]

Even without budget for incident response, there are proactive measures to take. For example, an organization can identify an internal resource that recognizes and accepts the real risk of a breach. This resource can make sure the company is following the industry and federal guidelines required. And the organization can at least talk with a third-party incident response provider about where its logs are located, how far back they go, how easily they can be accessed and other capabilities that will be quickly needed during a breach. For very little investment, a third party can conduct a simple discovery that helps prepare the organization to answer questions that arise following an incident.

[1] 2015 NTT Group Global Threat Intelligence Report, p. 6

Level two – no response plan, but engaged with outside support

Some organizations realize the value of incident response, even if they lack the capabilities to create and maintain a response plan internally. These businesses proactively invest in third-party incident response support. Typically, organizations which have smaller in-house IT resources will contract with incident response providers who specialize in supporting organizations without response capabilities. This can be of great value, but the contracting entity must realize it still has a role to play should an incident occur. For example, when a security breach is detected, what are the protocols for capturing and preserving vital attack data? How will the organization engage at a tactical level with its incident response provider in terms of providing essential logs, packet captures and volatile memory dumps, while knowing when to and when not to run security tools that can taint evidence?
A structured working agreement should be created and periodically reviewed and tested to ensure both parties are poised to detect, mitigate and contain a security incident.

Why a CSIRT? Learn what a critical security incident response team brings to an organization. Read this NTT Security blog post: https://www.solutionary.com/resource-center/blog/2014/06/why-a-csirt/

Level three – working to strengthen an existing response plan and hiring a third party to evaluate and support incident response

Over the past year, NTT Security has identified a positive trend related to how organizations mitigate the impact of threats.[2] Some organizations have started to invest more heavily in incident response capabilities. These organizations have a renewed focus on the development of plans, processes, procedures, tools and education related to incident response. Many enterprises find value in engaging third-party providers for continued support while they are building and testing response capabilities in-house.

Qualified third-party incident response providers bring a wealth of technical security expertise to incident response, especially when it comes to handling forensics, which can involve specialized tools and skills. They can also evaluate the organization's current incident response plan, identify gaps and assist with planning, procedures and policy development. When a third-party incident response provider is on retainer and familiar with the organization's incident response procedures, it becomes another security tool in the arsenal. Acting as the Computer Security Incident Response Team (CSIRT), the third-party experts augment the efforts of internal responders to contain computer security incidents. This extended team helps the organization prevent and mitigate major incidents and supports the protection of valuable assets. It functions as a main technical component within the organization's incident response plan.
Even when engaging a CSIRT to support incident response for the organization, the working relationship should serve the unique needs of the business. No two enterprises are likely to operate in the exact same manner, so CSIRT operating agreements should reflect this uniqueness.

[2] 2015 NTT Group Global Threat Intelligence Report, p. 42

Level four – maintaining a mature incident response plan with external support as needed

Few organizations have the capability, talent and financial backing to define, build, refine and maintain an effective incident response capability on their own. It requires a consistent effort to monitor security threats and repeatedly practice incident response procedures, refining them as needed to best protect the enterprise. Even in cases where incident response capabilities are successfully handled by an internal team, NTT Security still observes circumstances where special expertise is needed to support advanced response requirements.[3] For instance, many internal incident response teams do not maintain the expensive forensics toolsets required to identify the root cause of a breach. Nor do they have the necessary skills and experience to ensure that forensic evidence can stand up in court. Some organizations will engage a qualified third-party incident response provider to assist in these situations. The advantages of engaging a qualified CSIRT on retainer include:

• A centralized point of coordination for handling IT security issues within the organization.
• The use of expert incident response resources for events that require a specialized tool set, such as forensics investigations.
• More efficient, effective incident response and recovery, which directly reduces the financial effects and softens the impact (brand/reputation) of an attack.
• Knowledge and understanding of legal issues concerned with proper evidence handling, along with competent computer forensics analysis. This ensures evidence is prepared in a manner that can stand up in potential litigation.
• Access to emerging developments in the cyber security field as well as a plethora of intelligence data to correlate incidents to actor groups and recent behaviors.

[3] 2015 NTT Group Global Threat Intelligence Report, p. 43

Making the Most of Incident Response Capabilities

Organizations are starting to realize that security technology investments run by system and network administrators cannot always protect business assets. By selecting the best possible approach to incident response they can afford, enterprises should spend dramatically less time reacting and also significantly reduce the impact and cost associated with security incidents. An effective incident response plan will define the following activities before an attack occurs:

• Identify the incident response team, along with roles and responsibilities.
• Document contact information for relevant vendors and third parties, such as ISP tech support, and define how they fit into the process.
• Identify any required skillsets which do not exist within the organization and determine how missing skills will be obtained and utilized from a qualified third party.
• Define processes for effective communication during incidents.
• Set criteria for declaring when an incident has started and ended.

A critical incident response team and capability cannot be developed and made operational overnight. Creating the plans and processes for the team is a significant endeavor. It is, however, worth the effort. Proactive implementation of core incident response capabilities can improve an organization's ability to detect, investigate and respond to incidents, leading to faster attack mitigation and containment and an overall reduction in losses resulting from a security breach.

NTT Security seamlessly delivers cyber resilience by enabling organizations to build high-performing and effective security and risk management programs, with controls that enable the increasingly connected world and digital economy to overcome constantly changing security challenges. Through the Full Security Life Cycle, we ensure that scarce resources are used effectively by providing the right mix of integrated consulting, managed, cloud, and hybrid services – delivered by local resources and leveraging our global capabilities. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest information and communications technology (ICT) companies in the world. For more information, visit www.nttsecurity.com.

2050EB 9/16