I have had the privilege of working with a number of different incident response/security operations functions within a number of different enterprises. What I have come to realize is that in addition to all the tangible elements that running a successful security operations/incident response function entails, there are also several key elements that are less tangible, but equally as important. Although harder to measure, these points are nonetheless equally as important:
- Strong leadership presence in the incident response/security operations community: The best incident response/security operations functions are run by people who have walked the walk and who are active members in the relatively small and close-knit community. Quite simply put, incident response/security operations functions run by people who understand the challenges, can think strategically about how to approach them, and have the contacts, respect, and earned authority to implement the required strategic approach are more mature than those run by people who do not fit the above description.
- Realization that information sharing and incident response are one in the same: I often see that organizations have "Timely Incident Response" and "Information Sharing" as two separate strategic objectives. Both are important, but if one thinks about it, they are effectively one in the same. What does this mean? That a) strong information sharing relationships can be one of the most effective ways to detect/understand/be notified that an incident is underway requiring response and conversely that b) when an incident is underway, having solid and strong information sharing relationships can be one of the most effective ways to handle/contain the incident (e.g., having close relationships with hosting providers that can take down sites for an organization).
- Proactive intelligence: Many organizations do decently well with reactive intelligence. For example, if it becomes known that a given URL pattern is an indicator of malicious command and control (C2) activity, most organizations can immediately leverage this in their alerting. Naturally, this is extremely important, but it is, in its essence, reactive. Proactive intelligence is something that most organizations do less well. It involves tracking the attackers and threat landscape to understand the direction in which threats/attacks are moving and how to translate that into actionable intelligence that can be implemented operationally. This is no easy task, but it is something that separates the world class organizations from the rest of the pack.
- User/insider threat: The most serious compromises generally involve theft and/or misuse of user accounts, certificates, and/or other credentials. Because of this, tracking, profiling, modeling, and identifying anomalous/suspicious/malicious user activity is essential to a world class security operations/incident response function. Identifying anomalous user activity is a challenge, but it is one that the best organizations do not shy away from.
- Incident response/security operations is a cerebral business: It is tempting/easy to pay an overwhelming amount of attention to the operational component of incident response/security operations without paying enough attention to the cerebral component. It is true that incident response/security operations necessitates a strong operational component. What the best organizations understand is that the operational component supports the strategic, well-structured, intelligently-approached (cerebral) component/foundation, and not the other way around.
Hopefully these thoughts are helpful to those looking to build, strengthen, and/or enhance their incident response/security operations function. Feedback is, of course, always welcome.