Tuesday, March 25, 2014

Jumping Off Points

The incident handling/incident response life cycle consists of the detection, analysis, containment, remediation, recovery, and lessons learned stages. These stages have been discussed at length elsewhere, including in previous posts on this blog. I've also discussed the subject of workflow as it supports this life cycle, as well as what goes into producing quality alerting and detection. One question people often ask me is one that complements these topics nicely -- "What is the best way to enter into the incident response process in an efficient and focused manner?". This is an excellent question. I have worked with many good analysts during the course of my career, but very few of them have been able to work efficiently without being led into the incident response process in some manner.

I believe that the answer to this question lies in the creation of "jumping off points". I have been guiding organizations in this direction for a little over a decade, and good results from a diverse array of organizations indicate to me that this is a winning approach.

The jumping off points approach assumes that, due to the velocity, volume, and variety of data found on a large network, knowing the ground truth regarding all of the traffic on the network is essentially impossible. Instead, the approach seeks to identify incisive, targeted questions to ask of the data. These questions are designed to surgically extract behavior and activity of concern based on business needs, operational needs, organizational risk, management priorities, threat assessment, and other factors. The answers produced by these questions form the basis of alerting. There is no specific number of questions that an organization should aim to have. Rather, the organization should strive to produce reliable, high fidelity, actionable alerting at a volume low enough that each alert can be reviewed by an analyst. Further, the work here is never "done". All of the factors mentioned above are likely to change continually. Existing questions should be revised, and new questions should be created as appropriate given the changing landscape.

The result of the jumping off points approach is a steady stream of reliable, high fidelity, actionable alerts. This stream has the intended consequence of providing analysts an efficient and focused manner in which to enter into the incident handling/incident response life cycle.
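To make the two paragraphs above concrete, here is an added example (not code from the original post) of what a "question asked of the data" looks like once it is written down: each question is a named predicate over a flow record, running the questions over the data yields the alert stream, and a per-question volume budget flags any question whose output an analyst could not realistically review, which is the signal to revise it. All field names, addresses, thresholds, and the sample flow records are constructed for illustration.

```python
"""Turning "jumping off points" into alert logic (added example, not from the post).

Each question is a named predicate over one flow record. Running every
question over the data produces the alert stream; a volume budget per
question flags questions whose output exceeds what analysts can review.
All field names, addresses, thresholds and sample records are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int
    hour: int  # local hour of day, 0-23


# Constructed sample flows (hypothetical addresses and values).
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.1.5", "203.0.113.7", 443, 120_000_000, 3),  # large upload at 03:00
    Flow("10.1.1.5", "203.0.113.7", 443, 4_000, 14),       # same peer, small, daytime
    Flow("10.1.2.9", "198.51.100.2", 22, 1_500, 2),        # SSH to an external host
    Flow("10.1.3.3", "10.1.0.1", 53, 300, 9),              # DNS to the corporate resolver
    Flow("10.1.3.3", "10.1.0.1", 53, 310, 9),
    Flow("10.1.3.3", "10.1.0.1", 53, 290, 10),
    Flow("10.1.4.4", "192.0.2.8", 80, 900, 11),
]

INTERNAL_PREFIX = "10."          # hypothetical internal address space
CORPORATE_RESOLVER = "10.1.0.1"  # hypothetical sanctioned DNS resolver


def is_external(ip: str) -> bool:
    return not ip.startswith(INTERNAL_PREFIX)


def outside_business_hours(hour: int) -> bool:
    return not 8 <= hour < 18


# A question is a name plus a predicate over one flow.
Question = Callable[[Flow], bool]

QUESTIONS: Dict[str, Question] = {
    # Risk driven: who moves a lot of data off-network outside business hours?
    "offhours_bulk_egress": lambda f: is_external(f.dst)
    and f.bytes_out > 50_000_000
    and outside_business_hours(f.hour),
    # Operational: SSH to external hosts is not expected from workstations.
    "ssh_to_external": lambda f: is_external(f.dst) and f.dport == 22,
    # Deliberately low-fidelity question, kept to show a volume budget failing.
    "any_dns": lambda f: f.dport == 53,
}

# The revised form of the low-fidelity question: only DNS that bypasses the
# sanctioned resolver is of concern, so the volume drops to what matters.
REVISED_QUESTIONS: Dict[str, Question] = {
    **{k: v for k, v in QUESTIONS.items() if k != "any_dns"},
    "dns_bypassing_resolver": lambda f: f.dport == 53 and f.dst != CORPORATE_RESOLVER,
}


def run_questions(flows: List[Flow], questions: Dict[str, Question] = QUESTIONS) -> List[Tuple[str, Flow]]:
    """Return the alert stream: one (question_name, flow) pair per match."""
    return [(name, f) for f in flows for name, q in questions.items() if q(f)]


def volume_report(alerts: List[Tuple[str, Flow]], budget_per_question: int) -> Dict[str, dict]:
    """Count alerts per question and flag those exceeding the review budget."""
    counts = Counter(name for name, _ in alerts)
    return {
        name: {"count": n, "within_budget": n <= budget_per_question}
        for name, n in counts.items()
    }


if __name__ == "__main__":
    for label, qs in (("initial", QUESTIONS), ("revised", REVISED_QUESTIONS)):
        alerts = run_questions(SAMPLE_FLOWS, qs)
        print(label, volume_report(alerts, budget_per_question=2))
```

The budget here is per question over a fixed sample; in practice it would be expressed as alerts per analyst-shift over a rolling window, but the decision it drives is the same one the post describes: a question that floods the queue is revised or retired, not left to train analysts to ignore it.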

Jumping off points have proven to be a good approach for the largest enterprises and government agencies. If you aren't already using this approach, are you ready to jump in?

