When we look at areas of importance for modern IDR(Incident Detection and Response) programs, we must look at six key points:
- Preparation
- Detection
- Validation
- Response
- Containment
- Recovery
It is particularly shocking when one considers that today’s IDR programs:
- Implement defense in depth principles in their network infrastructure
- Catalog, organize, and restrict their data following least privilege principles
- Actively manage their exposure through attack surface management
- Rehearse technical, coordination, and communication aspects of breach detection and response
There are two questions we must ask ourselves:
1) When it comes to breach preparation, are we performing well on all aspects of this list?
2) As attacks shift do we have the people, process, and technology in place to shift just as quickly to detect and validate incidents?
- Technology to detect threats across the entire ecosystem from the endpoint (including mobile devices) to cloud-based services and applications outside of the network,
- Technology to validate machine-driven threat detection on the endpoint and the network,
- Threat detection methodologies that include tailored and timely threat intelligence, behavior analytics, and data analytics,
- Subject matter expertise that covers attacker methodology, malware analysis, endpoint analysis, network analysis, data visualization, and automation,
- Defined and rehearsed processes for threat detection, validation, and escalation,
- Metrics to measure and improve performance.
- Technology that enables detailed analysis of endpoint, network, and logs,
- Subject matter expertise that covers forensics analysis, incident management, incident coordination, and incident communications (in addition to the expertise from the incident detection and validation section),
- A breach response plan that covers all aspects of response activities ranging from technical analysis to restoring normal business operating processes.
evolved IDR to help with the containment and recovery via:
- Technology to contain threats at the endpoint, on the network, and in the identity management system,
- System imaging and data backup/restore processes for servers and workstations,
- A tested and rehearsed disaster recovery program.
- Do you understand how attacker capabilities and motivations impact maturity?
Knowing what data attackers find valuable and what tools and tactics they utilize give you two extremely important data points to determine the type of adversary you’re facing. By mapping your potential adversary based upon the data you have, and what they target, you can determine the required maturity of your IDR program.
| Attacker Motivations | Attacker Capabilities |
Attacker Maturity
Plain English |
| Mass defacement, Disruption*, Computing power**, SPAM, Malvertizing | Opportunistic, mass impact, automated distribution | Low
Your adversary is a computer program. |
| Online account theft, Messaging, Political, Destructive, Hijacking, Retribution*** | Opportunistic, malware, targeted defacement, online account hijacking, ransomware | Medium
Your adversary is opportunistic and smart, but typically not a professional attacker. |
| Financial theft, Intellectual property theft, PII/PHI theft, Corporate espionage, Nation state | Targeted, unknown malware, command and control, 0-day vulnerabilities, robust infrastructure | High
Your adversary is motivated to breach you and will persist in their attempts. They are a professional hacker. |
* Disruptive motivations could also apply to the “Medium” maturity attacker.
** Computing power includes bot nets, BitCoin mining, and other activities that require distributed computing power.
*** Retribution motivations could also apply to the “High” maturity attacker.
Generally speaking, the attackers at the highest end of the maturity scale are the ones who are going to steal your data, cause the most damage to your business, and cost the most to recover from. If you are charged with protecting your business from theft of sensitive data, you need to be ready to defend against a skilled adversary.
- Do you know the business goals for your IDR program?
Many in the IDR industry forget that the reason we are here is to protect the business. We get far too wrapped up in the latest shiny box and lose sight of our objective. Understanding what the business expects of your IDR program will help to define your target maturity.
| Sample Business Goals | IDR Program Maturity Target |
|
Prevent basic threats from impacting our end users
Reduce the volume of security related calls to the help desks
Protect online marketing assets
| Low
Your security program should focus on minimizing the impact of known threats to the business and the end-user. |
|
Ensure regulatory compliance
Protect internet facing assets
Lower the impact of known threats | Medium
Your security program should focus on protecting your business and customers from known threats. |
| Protect data
Protect reputation
| High
Your security program should focus on preventing the theft of data and minimize impacts to the company brand. |
- Do you know what your IDR programs are charged with protecting and where it is?
The sensitivity of the data that you are charged with protecting is another data point used to determine your IDR program target maturity. Knowing where that data resides allows you to make critical decisions about investment in tools, people, and processes to safeguard it.
| Sample Data Type | IDR Program Maturity Target |
| Public / open source data* | Low
You do not have any data of value to attackers. Be aware that you may still be a target for non-monetary attacker motivations. |
|
Financial records
Proprietary but non-business critical data
Non-attributable personal data
| Medium
You have potentially valuable data to attackers or competitors. You should be serious about building a strong security program. |
|
Financial payment data
Attributable personal data
Regulated data
Proprietary, business critical data
| High
You possess data or a brand that is critically valuable to attackers. Your security program needs to be world-class. |
- Do you have visibility across your entire enterprise and beyond?
Once you have established asset and data criticality, you can evaluate and set goals for your technology visibility and reach.
| Data Criticality / Attacker Maturity | Visibility Maturity / Scope |
| Low / Low | Low / Perimeter
You are monitoring for known threats on the edges of your environment. |
| Medium / Medium | Medium / Perimeter, endpoint, and network for known threats
You are monitoring for and able to respond to known threats throughout your environment. |
| High / High | High / Perimeter, endpoint, and network for known and unknown threats
You are monitoring for and able to respond to known threats throughout your environment. |
- Do you perform effective attack surface management?
Attack surface management consists of the activities that you perform to make it as difficult and costly as possible for an attacker to disrupt your business. Since you know your potential adversary based on the type of data you’re charged with protecting, you can set a target for attack surface management maturity.
| Attacker Maturity | Attack Surface Management Maturity / Sample Activities* |
| Low | Low / Known threat prevention technology, identity management
Your attack surface management should focus on preventing known threats and effective management of credentials and assets. |
| Medium | Medium / Disaster recovery, threat exposure management
Your attack surface management should focus on effectively recovering from a breach and minimizing the opportunities that attackers have to gain a foothold in your environment. |
| High | High / Unknown threat prevention technology, defense in depth, least privileged identity management, IT/CIA best practices
Your attack surface management must excel on all aspects of IT security including: remote access management, defense in depth, known and unknown threat prevention technology, least privileged identity management, and hardening best practices. |
- Do you employ multiple threat detection methodologies?
When determining the target maturity for threat detection simply look at the maturity of your potential adversary. The methodologies used for identifying known and unknown attackers is very different and requires different tactics, technology and processes.
| Attacker Maturity | Sample Threat Detection Maturity / Capabilities* |
| Low | Low / Apply simple threat intelligence on the network and endpoint
You are able to detect known threats on your network and on your endpoints using threat intelligence. |
| Medium | Medium / Apply complex threat intelligence on the network and endpoint, detect data leaving your environment, validate alerts
You are able to detect known threats on your network and endpoints using 3rd party threat intelligence and are able to detect sensitive data leaving your network. |
| High | High / Use behavior analysis and data analytics on the network, endpoint, and security events, validate alerts and investigative leads
You are monitoring for known and unknown threats across all your data sources using all detection methodologies with the ability to validate investigative leads. |
* Capabilities in this table are cumulative. If your maturity target is “medium” you must also implement “low” maturity activities.
- Do you have expertise across the entire IDR lifecycle?
People and expertise are the most important component of successful IDR programs, and we’ve saved it for last. The level of expertise required is dependent on the target maturity for all of your other IDR programs. You do not want to have a mature threat detection program without the staff to benefit from it. Similarly, depending on your IDR maturity targets, you want a balanced investment in each component of the IDR lifecycle. The components of the IDR lifecycle include:
- Breach preparation - How resilient are you to threats and how prepared are you to detect and investigate a breach?
- Threat detection and validation - How capable are you of detecting threats, validating alerts and investigative leads?
- Breach response - How capable are you of handling all aspects of a complete incident response process?
- Threat containment and breach recovery - How rapidly can you remediate attacker activities and restore normal business operations?
[caption id="" align="alignnone" width="879"]
Diagrammatic flow of incident detection and response[/caption]
