BlackHat 2014: Incident Response Best Practice & Automation Key to Success - Bruce Schneier

Written by

Network breaches are inevitable. It’s what happens next that really matters, said renowned cryptographic expert Bruce Schneier during the Black Hat security conference.

If there is something the organization has the attack wants, the attacker will figure out a way to get in. Regardless of how much the organization invests in its defenses, attackers need to find that one weak spot to succeed. This is why incident response--being able to detect an incident had occurred, and then being able to respond effectively to remediate the incident--is so critical.

Incident response should consist of four key elements, observe, context, decide, and act, Schneier, the CTO of Co3 Systems, said during his talk on Thursday. Automated systems and technology was necessary to support incident response, he said.

“The goal here is to bring people, process and technology together in a way that hasn't been done before,” Schneier said.

“The goal here is to bring people, process and technology together in a way that hasn't been done before”Bruce Schneier

Observe is the first step, and requires the organization to know what is happening on networks in real time, Schneier said. Log monitoring, log analysis tools, and network management tools can help gather the information necessary.

Context requires the information gathering and threat intelligence. The organization has to know what the latest malware and vulnerabilities being exploited are. Information sources and internal research efforts provide the necessary data to explain the relevancy of the network information.

Decide has two parts, prioritizing the issues and assigning responsibility. Incident response frequently breaks down when no one knows who has the authority or power to take action. By properly assigning roles and responsibilities, as well as defining an escalation path, time is not wasted trying to figure out who needs to weigh in on the decision. Prioritization is also necessary to figure out whether remediation can wait or if it needs to happen right away. Act is the final step, and just involves executing the plan based on the decisions made in the prior step.

Schneier said incident response could no longer be left up to the industry to deal with on their own. Instead of self-policing, industry will soon be subject to government requirements for data safety, he said.

Schneier also touched upon broader security themes in his talk, such as the fact that attackers are increasingly becoming more sophisticated. Hobbyists, cyber-criminals, and nation-state attackers are increasingly using the same tools and techniques, making it difficult to differentiate between them, he said. Governments are building cyber-weapons and stockpiling zero-day vulnerabilities, making the overall ecosystem less safe for everyone. There are also supply chains supporting cyber-crime effort, he said.

What’s hot on Infosecurity Magazine?