3 Incident Response Essentials

How Organizations Can Improve Their Security Posture

By , May 4, 2012.
3 Incident Response Essentials

Organizations often do not detect intrusions until after they've been compromised, says Rob Lee of SANS Institute. So how should they improve their incident-response posture? Lee offers three tips.

See Also: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

As the curriculum lead and author for digital forensics and incident response training at the SANS Institute, Lee says not enough organizations are prepared to respond to today's security incidents.

"Most organizations have a really good mindset in terms of information security prevention, but there are very capabilities installed trying to actually detect the intruders," Lee says in an interview with Information Security Media Group's Tom Field [transcript below].

Lee prescribes three recommendations for organizations looking to improve their incident response programs:

  1. Have a dedicated team: "Most teams in organizations are virtual," Lee says, meaning that people are pulled from their normal jobs to do incident response. "But the challenge occurring now is that incident response is never going away at this point." Incident response becomes a full-time job, and thus organizations should have a team prepared for the constant threat cycle.
  2. Prepare for scalability: Organizations need an incident responder to be able to react to not just one machine, but potentially thousands of machines simultaneously, Lee says, referring to what he calls the "scalability equation." This gap ends up being huge for organizations because they typically think of "one responder to one machine."
  3. Bolster additional defense mechanisms: Organizations neglect to implement mechanisms to do a better job detecting intruders. "For most organizations, it's not do you have the right policy or do you have the right people in place, it's are you effectively comfortable knowing that you can detect an intrusion when it occurs," he says.

In an interview about incident response, Lee discusses:

  • Why many organizations aren't even aware of security incidents;
  • Incident response essentials that many organizations lack;
  • New training and certifications available from SANS Institute.

Lee is an entrepreneur and consultant in the Washington, D.C. area, specializing in information security, incident response, and digital forensics. He is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Lee has more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response.

TOM FIELD: Just to set the topic for us here, give us a little bit of your background in incident response, please.

ROB LEE: I've been working on digital forensics and incident response pretty much the entire 15 years of my career so far. Real quick background - I was former Air Force, worked in the AFOSI [Air Force Office of Special Investigations] and also the 609th Information Warfare Squadron. In both of those instances, they were both investigating computer crime intrusions that occurred and also did a lot of incident response. After I was with the Air Force, I went to the intelligence community and worked for an information security group supporting multiple different agencies in the D.C. area. Until most recently, I was at a company called Mandiant and we did a lot of incident response across the Fortune 500 commercial groups that are out there ... looking for advanced adversaries such as advanced persistent threats.

Incident Response Trends

FIELD: Over the past year there have been so many incidents. Which of the security breaches comes to mind when you start thinking about incident response and some of the trends that we've seen?

LEE: I thought this would be one of the questions and it's hard to nail down to just one, and here's why. The major issue that's currently going on in the industry right now is that most organizations, most corporations, are finding themselves in some sort of data breach situation. The estimated percentage of corporations of the Fortune 500 that are currently compromised are up around 40 percent. I'm not hearing a lot of these in the public eye because a lot of it's not being discussed because either payment card information or PII-type data, private identifiable information, is not being stolen. It's more economic and intellectual property theft by advanced adversaries.

Follow Jeffrey Roman on Twitter: @gen_sec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Obama Cyber Coordinator on Global InfoSec

White House Cybersecurity Coordinator Michael Daniel says the toughest international cybersecurity...

Latest Tweets and Mentions

ARTICLE Obama Cyber Coordinator on Global InfoSec

White House Cybersecurity Coordinator Michael Daniel says the toughest international cybersecurity...

The ISMG Network