Security Incidents: Who is coordinating a response?

ServiceNow Security Operations leverages the platform’s native ITIL capabilities and NIST 800-61 guidelines to provide organizations with the ability to respond to security incidents more efficiently and effectively.

The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, is responsible for developing information security standards and guidelines. In August 2012, it released a special publication, SP 800-61 Revision 2 “Computer Security Incident Handling Guide” that is widely accepted as an authority document on incident handling, incident analysis, and incident response.

NIST 800-61 Revision 2, in its abstract, states “Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources.”

With the number of cyber threats on the rise, not only in terms of the number of attacks but in terms of the impact and resulting disruption as well. Even enterprises known for their information security standards have come under scrutiny.

In recent years, data breaches have been reported at an alarmin array of companies: Tesco Bank, Yahoo, Target, Anthem, Ashley Madison, eBay, JP Morgan Chase, Home Depot, Sony Pictures Entertainment, Global Payments Inc., Tricare, Citibank, Heartland Payment Systems, and more.

What has happened to these organizations can happen to anyone. Truly determined cyber attackers can find a way through any number of intrusion detection and prevention applications that might be in place.

According to Ponemon Institute’s “2016 Cost of Data Breach Study: Global Analysis”, there is a 26% likelihood of a company having one or more data breach occurrences in the next 24 months; with the potential material data breach involving 10,000 lost or stolen records. The same study found that the cost of a data breach is significantly higher if the breach takes longer than 30 days to contain.

Most organizations heavily invest in defense, which is appropriate. For obvious reasons, proactively preventing problems through effectively securing applications, firewalls, networks, systems, etc. is likely to be more cost effective than reacting to problems after they occur.

However, most security incidents do not follow a blueprint. These incidents can vary widely in nature and impact. The incidents can be generated by malicious third parties, but can just as likely occur due to system failures or human errors; rendering it impossible to have a 100% assurance that your prevention methods are successful.

What Is A Security Incident?

While organizations can develop their own definitions of security events and incidents, there are some generally accepted definitions.

A security event is an occurrence or an observation that represents an anomaly. This can be anything that represents an abnormal activity including system glitches, or a firewall blocking a connection attempt. Events with negative impact, like a malware attack, are considered adverse events. Security incidents are either an imminent threat or a current violation of information security policies, standards or acceptable use.

NIST lists a set of attack vectors, including the following:

  1. External or removable media
  2. Attrition (According to NIST, attrition is “An attack that employs brute
    force methods to compromise, degrade, or destroy systems, networks,
    or services.”)
  3. Web
  4. Email
  5. Improper usage
  6. Loss or theft of equipment
  7. Others

The Challenge With Responding To Incidents

Your organization most likely employs several detection systems like Security Information & Event Management (SIEM) systems, firewalls, security endpoints, identity and access management tools, threat intelligence and vulnerability detection tools, along with other network security systems.

Using all these typically results in a lot of noise, generating thousands of events per day and terabytes of data per month. Sifting through these events and separating the wheat from the chaff requires significant effort and manpower; generally, Security & IT teams cannot scale to manage.

Acting on this noise requires organizations to be able to not only consolidate all this information, but also have the capacity to understand the business impact and prioritize the incidents by their risk profile and the organization’s security posture.

Mapping the security incident to the business services and configuration items is most likely to impact establishing and executing a workflow to arrest and remediate the breach. And enabling cross department coordination ends up being the most time consuming aspect of the response coordination.

Security responders are typically overwhelmed by the size and disruption; or, even more worrisome, may not have a true understanding of the business impact or prioritization for the incidents. This generally happens because responses are coordinated and managed manually, through the use of excel spreadsheets, emails, or chat sessions. There is no prior knowledge base with historical information that captures what activities or tasks were performed the last time a similar incident occurred.

Enterprise Strategy Group (ESG) Custom research conducted a survey, “Incident Response Survey,” in 2016, in which 93% of the responders said that their ability to respond to a security incident was either significantly or somewhat limited by the burden of manual processes.

To read more, download our Whitepaper!