Next Generation Incident Response

In today’s global economy, IT professionals and key security decision makers are focusing directly on combating the ever-changing threat landscape and actors that are keen on disrupting their businesses and organizations. Securing virtualized and cloud ecosystems have become a top priority for many Chief Information Security Officers as well as Chief Information Officers. Recently, we saw major news media (Washington Post, CNNi, Time) exercising their incident response mechanisms due to breaches by attackers. For our first installment in this series on the future of incident response, we want to highlight the evolution and how the approach to incident management fundamentally changes in this new paradigm of cloud computing and third party hosting infrastructures. In this thought leadership series on Next Generation Incident Response, we will examine the questions and approaches organizations are taking to manage this facet of their operation.

In 2006, my hypervisor experience began in earnest when we put our first production instances of virtualized servers online. It was at this time that I realized that dealing with security events, logging and incident management would never be the same. This also included forensic investigations. Hypervisors on premise and in the cloud have forever changed the game when it comes to delivering high performance and highly available infrastructure. In many cases, this pivot in technology has allowed us to streamline our operations and our costs. It has provided line of business (LOB) and IT leadership the opportunity to come oh so close to the holy grail of Business and IT alignment. This is the first in a series of discussions and thoughts about what the Next Generation of Incident Response will look like in our organizations. Planning and modifying your processes and technical capabilities to accommodate this shift will be important as you look to deliver the next set of disruptive technologies in the cloud or on premise. Education and awareness of how to manage incidents when they occur in these new platforms and what the expectations are for forensics will be important to understand.

Make no mistake, this discussion won’t focus on the negatives and security challenges of virtualization and cloud infrastructure, nor create Fear, Uncertainty and Doubt (FUD). In many cases, when deploying services on top of these technology stacks we will actually see improved security and incident response capabilities. This comes in the form of advanced technologies and improved skill sets. The challenge lies in the details of delineating what those capabilities are and how to effectively establish a set of baseline policies and processes. Lastly, let’s explore how one might apply a strategy to best fit your organization to be effective in deployment, adoption and maintenance. Due to the nature of hypervisor and business continuity technologies, we can often bolster our incident response plans for when we encounter security events that turn into formal incidents. These types of technologies can be deployed with the notion that adverse events and incidents will happen and you can better control and mitigate the collateral damage of those incidents within your organization depending on how you set up your virtual and cloud ecosystems. If done correctly, incidents can be managed more effectively with proper intelligence and an expedited mean time to resolution (MTTR). No one likes the feeling of not having enough intelligence about an incident to draw a conclusion about the health of the environment.

As many know, there are a host of actions that trigger the categorization of an event to an adverse event and then finally into a full-blown security incident. Once this happens in your organization, you will look to your playbook and that playbook is called a formal incident response plan. The National Institute of Standards and Technology (NIST) has a great special publication SP800-61r2 detailing how to set up and/or modify your incident response with a proven framework. The incident response plan is a key element for any information security management program and we highly recommend adopting this approach for your business.

Per any incident response plan, it will detail communications as well as the players and roles involved with managing the incident. The framework will need to be flexible in order to adapt to your specific industry or vertical. Your business may have serious regulations and breach notification policies that you have to adhere to. This must also be accommodated for in your formal incident response plan. The overall goal is to quickly Detect the problem, Analyze all of the variables with the event, Adapt and Respond with the appropriate processes and countermeasures to contain the event and mitigate future risk of a similar attack vector no matter where your infrastructure resides.

As part of future conversations in this thought series, we will explore the Cloud Security Alliance’s guidance on implications of the forensic and incident response process within the cloud and 3^rd party ecosystems. We must expect nuisances from our internal processes and capabilities concerning incident response and forensics and be knowledgeable of what cloud service providers are responsible for in addition to our own liabilities. These will be important to understand and factor in when discussing terms and conditions with your provider as well as setting expectations for your customers and staff.