Friday, October 25, 2013

Big Data Requires a Surgical Approach

I've previously posted about the overwhelming volume of data confronting enterprises today, as have countless others.  Although I have hinted at it through many of my blog posts and provided several tangible, hands-on examples in this blog, it occurs to me that I have never overtly stated that "big data requires a surgical approach".  What does this mean?  Essentially, with billions of transactions/records/sessions per day, the volume of data has grown beyond the capability of organizations to handle it.  The enterprise's network data must be sliced up surgically using a variety of different techniques.  Each technique takes a slightly different view/vantage point of the data and produces a reduced, filtered, and more manageable volume of data for investigation.  If this sounds familiar, it is because it is essentially the same approach as I've blogged about previously in posts discussing what I call the "Jumping Off Points" approach.  The approach is simple, straightforward, and effective.  The challenge is finding the most relevant and value-added jumping off points, and continuously working to improve them and to find the next group of relevant and value-added jumping off points.

Less Tangible Elements of World Class Security Operations/Incident Response Functions

I have had the privilege of working with a number of different incident response/security operations functions within a number of different enterprises.  What I have come to realize is that in addition to all the tangible elements that running a successful security operations/incident response function entails, there are also several key elements that are less tangible but equally important.  Although harder to measure, these points are worth calling out:

  • Strong leadership presence in the incident response/security operations community: The best incident response/security operations functions are run by people who have walked the walk and who are active members in the relatively small and close-knit community.  Quite simply put, incident response/security operations functions run by people who understand the challenges, can think strategically about how to approach them, and have the contacts, respect, and earned authority to implement the required strategic approach are more mature than those run by people who do not fit the above description.
  • Realization that information sharing and incident response are one and the same: I often see that organizations have "Timely Incident Response" and "Information Sharing" as two separate strategic objectives.  Both are important, but if one thinks about it, they are effectively one and the same.  What does this mean?  That a) strong information sharing relationships can be one of the most effective ways to detect/understand/be notified that an incident is underway requiring response and conversely that b) when an incident is underway, having solid and strong information sharing relationships can be one of the most effective ways to handle/contain the incident (e.g., having close relationships with hosting providers that can take down sites for an organization).
  • Proactive intelligence: Many organizations do decently well with reactive intelligence.  For example, if it becomes known that a given URL pattern is an indicator of malicious command and control (C2) activity, most organizations can immediately leverage this in their alerting.  Naturally, this is extremely important, but it is, in its essence, reactive.  Proactive intelligence is something that most organizations do less well.  It involves tracking the attackers and threat landscape to understand the direction in which threats/attacks are moving and how to translate that into actionable intelligence that can be implemented operationally.  This is no easy task, but it is something that separates the world class organizations from the rest of the pack.
  • User/insider threat: The most serious compromises generally involve theft and/or misuse of user accounts, certificates, and/or other credentials.  Because of this, tracking, profiling, modeling, and identifying anomalous/suspicious/malicious user activity is essential to a world class security operations/incident response function.  Identifying anomalous user activity is a challenge, but it is one that the best organizations do not shy away from.
  • Incident response/security operations is a cerebral business: It is tempting/easy to pay an overwhelming amount of attention to the operational component of incident response/security operations without paying enough attention to the cerebral component.  It is true that incident response/security operations necessitates a strong operational component.  What the best organizations understand is that the operational component supports the strategic, well-structured, intelligently-approached (cerebral) component/foundation, and not the other way around.
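To make the "jumping off points" idea concrete, here is an added example (my illustration, not code from the original post) that slices a constructed proxy log from two vantage points: a reactive view driven by a known C2 URL pattern, and a proactive view driven by a per-user baseline of normal hosts and hours.  The log format, the C2 pattern, and the user baseline are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed proxy log lines (timestamp user host url); not real traffic.
PROXY_LOG = """\
2013-10-25T09:12:03 alice ws-101 http://intranet.example/portal
2013-10-25T09:15:44 bob ws-102 http://news.example/index.html
2013-10-25T02:47:10 alice ws-377 http://cdn.example/js/app.js
2013-10-25T10:02:19 carol ws-103 http://203.0.113.7/gate.php?id=a1b2
2013-10-25T10:05:00 bob ws-102 http://mail.example/inbox
"""

# Reactive jumping-off point: a URL pattern previously learned to indicate C2
# (hypothetical pattern, constructed for this example).
C2_URL_PATTERN = re.compile(r"^http://\d{1,3}(?:\.\d{1,3}){3}/gate\.php\?id=")

# Proactive jumping-off point: baseline of each user's usual hosts and hours (constructed).
USER_BASELINE = {
    "alice": {"hosts": {"ws-101"}, "hours": range(8, 19)},
    "bob": {"hosts": {"ws-102"}, "hours": range(8, 19)},
    "carol": {"hosts": {"ws-103"}, "hours": range(8, 19)},
}

def parse(log):
    """Turn raw log lines into dicts with a parsed timestamp."""
    for line in log.splitlines():
        ts, user, host, url = line.split(" ", 3)
        yield {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "url": url}

def c2_indicator_view(records):
    """Reactive view: records whose URL matches a known C2 pattern."""
    return [r for r in records if C2_URL_PATTERN.match(r["url"])]

def anomalous_user_view(records, baseline):
    """Proactive view: activity from an unknown user, an unusual host, or outside normal hours."""
    hits = []
    for r in records:
        profile = baseline.get(r["user"])
        if profile is None or r["host"] not in profile["hosts"] or r["ts"].hour not in profile["hours"]:
            hits.append(r)
    return hits

def jumping_off_points(log, baseline):
    """Each view reduces the full log to a small set of (user, url) pairs worth investigating."""
    records = list(parse(log))
    views = {"c2_url": c2_indicator_view(records), "anomalous_user": anomalous_user_view(records, baseline)}
    return {name: [(r["user"], r["url"]) for r in hits] for name, hits in views.items()}

if __name__ == "__main__":
    for name, hits in jumping_off_points(PROXY_LOG, USER_BASELINE).items():
        print(name, hits)
```

Each view yields a handful of records out of the full log; in practice the analyst starts from these reduced sets rather than from the raw volume.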
Hopefully these thoughts are helpful to those looking to build, strengthen, and/or enhance their incident response/security operations function.  Feedback is, of course, always welcome.

Friday, October 4, 2013


To most analysts, the word process is a scary one that conjures up images of rote, check-box type work.  Although that does sometimes occur, in the Incident Response/Security Operations world, process is extremely important.  Why is this so?  Because in a field where data is so overwhelming, expectations are so high, and resources are so very limited, having an organized, well-structured, well-defined approach to the day-to-day workflow is extremely important.  Organizations that have a well-defined incident response process (at all different levels -- from the highest, strategic level down to the lowest, operational level) generally do much better in incident response than organizations that do not.

A good incident response process can help focus resources (software, hardware, and wetware) and maximize the value they provide.  Process isn't the sexiest of endeavors, but if done properly, it is one of the most productive and value-added.