Top 5 reasons incident response is failing. kpmg.com


Introduction

The Incident Response function within an organization is responsible for assessing the integrity of the people, processes, and technologies that enable the business. When this integrity is compromised, the incident response team evaluates the impact and provides decision makers with the information they need to make informed decisions. Furthermore, the Incident Response function is charged with containing and remediating breaches of this integrity, as well as identifying control failures and recommending improvements. A failure to detect whether or when integrity has been compromised, or to respond appropriately, is a failure of the Incident Response function, and one that may result in a financial burden to the organization.

As management looks to mature this function, it is important to understand the primary challenges facing response teams today. The following five reasons represent the top failures of the Incident Response function, and are characterized by delayed decisions, incomplete data, and a lack of understanding.

5. Politics

The Incident Response team lacks authority and visibility in the organization.

As Incident Response teams fight to defend against attackers and their evolving tactics, another battle is quietly taking place within the organization, one with political implications. During the response process, a team is likely to encounter one of two primary delays: the time between an incident occurring and the team being notified, and the time spent resolving political disputes throughout the investigation. Although both work against the team's efforts, the latter introduces the greatest potential for failing to resolve an incident in a timely manner.

In a perfect world, the Incident Response team would operate with the ultimate authority to collect information and subsequently inform the business of the changes that need to occur to further secure the organization. In reality this cooperation rarely exists, and teams are left escalating issues to management in order to gain the necessary traction. Firewall changes to block malicious outbound traffic fall at the mercy of the Emergency Change Control Process, while responders sit in frustration watching hosts on the internal network connect out to known botnets.

While the political battle is bound to persist, it is imperative that senior management support the Incident Response team, its mission, and its activities during an investigation. Incident response should be communicated and marketed as a service that maintains the integrity of the organization, not as the group that creates more work. Internal service level agreements (SLAs) should be established with other teams through policies and processes, and annual tabletop exercises should verify the reliability of these agreements before an incident occurs. Additionally, other teams should nominate a primary contact to facilitate their participation in the incident response process.

4. Data

Data pertinent to an incident is not readily available.

The incident response process follows a sequence of steps that aims to discover and document the relevant details of an attack. When this information is not readily available to responders, or does not exist at all, certain steps in the process are hindered and fail to produce the supporting evidence required for subsequent steps. In this scenario the incident response team struggles to assess the impact, contain the damage, and communicate to management what information may or may not have fallen into the wrong hands.

This cascading effect is the result of the organization failing to answer three important questions: what data sources do we have, what data are they capable of producing, and how should we manage this data? Answering these questions is not a simple task and requires patience and collaboration from multiple teams throughout the organization. Consider using the asset management system as a starting point to understand the full range of systems that could potentially produce information. Technology owners should be engaged early in the process so that they do not feel blindsided by requests for data later on. With a grasp of what data sources exist, the team should identify interesting events (e.g., failed authentication, logs purged, interactive log-on) that would provide contextual information about an incident. The final consideration is not only deciding how and where to aggregate these bits of data, but what should be done once they are received. To address these considerations, organizations should leverage Security Information and Event Management (SIEM) to provide real-time alerts on critical events, scheduled reports to identify anomalous behavior, and a centralized collection of logs that can be used for forensic purposes.
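To make the Data section concrete, the following added example (not from the KPMG paper) takes the three "interesting events" it names (failed authentication, logs purged, interactive log-on) and shows the two outputs it asks a SIEM for: a real-time alert on the critical event and a scheduled report of anomalous behavior. The event stream is constructed, and the business-hours window and failure threshold are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed Windows-style security events: (timestamp, host, event_id, fields).
# Event IDs follow the Windows Security log: 4625 failed logon, 1102 audit log
# cleared, 4624 successful logon (LogonType 2 = console, 10 = RDP).
SAMPLE_EVENTS = [
    ("2024-01-10T08:02:11", "ws-17", 4625, {"user": "jdoe"}),
    ("2024-01-10T08:02:14", "ws-17", 4625, {"user": "jdoe"}),
    ("2024-01-10T08:02:19", "ws-17", 4625, {"user": "jdoe"}),
    ("2024-01-10T09:15:40", "ws-03", 4624, {"user": "asmith", "logon_type": 3}),
    ("2024-01-10T23:41:05", "srv-db1", 4624, {"user": "svc_backup", "logon_type": 10}),
    ("2024-01-10T23:43:30", "srv-db1", 1102, {"user": "svc_backup"}),
]

INTERACTIVE_LOGON_TYPES = {2, 10}
CRITICAL_EVENT_IDS = {1102}      # a purged log is paged immediately, not reported weekly
BUSINESS_HOURS = range(8, 18)    # assumption: 08:00-17:59 is normal working time


def classify(event):
    """Map one event to the paper's interesting-event categories, or None."""
    _ts, _host, event_id, fields = event
    if event_id == 4625:
        return "failed authentication"
    if event_id == 1102:
        return "logs purged"
    if event_id == 4624 and fields.get("logon_type") in INTERACTIVE_LOGON_TYPES:
        return "interactive log-on"
    return None


def realtime_alerts(events):
    """Critical events that should page a responder as soon as they are collected."""
    return [(ts, host, classify(ev)) for ev in events
            for ts, host, event_id, _ in [ev] if event_id in CRITICAL_EVENT_IDS]


def scheduled_report(events, fail_threshold=3):
    """Periodic report over the aggregated logs: hosts with repeated failed
    logons, and interactive log-ons outside business hours."""
    failures = Counter(host for _, host, event_id, _ in events if event_id == 4625)
    after_hours = sorted(
        (host, fields["user"]) for ts, host, event_id, fields in events
        if classify((ts, host, event_id, fields)) == "interactive log-on"
        and datetime.fromisoformat(ts).hour not in BUSINESS_HOURS)
    return {"repeated_failed_auth": sorted(h for h, n in failures.items() if n >= fail_threshold),
            "after_hours_interactive": after_hours}


if __name__ == "__main__":
    for alert in realtime_alerts(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print(scheduled_report(SAMPLE_EVENTS))
```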

3. Tools

Incident Response tools are inadequate, unmanaged, untested, underutilized, or absent.

Incident response activities rely heavily on tools to enable the discovery of information about the systems and people involved in an incident. These tools are such a valuable asset that when they fail to provide consistent, reliable output, the response process grinds to a halt. This failure can be the result of tools that go unmanaged or untested by the team, introducing unexpected delays during the life of an investigation. An inventory of tools should be centrally maintained to help ensure that license renewal dates and necessary functional components are accounted for on a periodic basis. Team members should be acquainted with the entire tool-set and receive training from outside vendors or internal personnel to ensure a common level of knowledge exists across the team.

Even with the proper training, incident response teams often find particular tools to be inadequate for the task at hand, triggering a request for an additional component or an entirely new solution. While organizations should assume that buying the latest and greatest is necessary to remain properly equipped, a quarterly purchase order from the incident response team may be indicative of poor planning or a failure to understand the scope of systems that could be part of an incident.

2. Process

Processes and procedures related to incident response are not tailored to the organization.

The incident response program needs a solid foundation of policies, processes, and procedures that are tailored to the organization. To avoid reinventing the wheel, organizations often adopt boilerplate incident response plans that enumerate, in extensive detail, every step that should be taken to investigate a potential incident. While this level of detail may feel thorough and reassuring, an organization should use it only as a starting point, to avoid overcomplicating its response procedures.

Documentation related to the program must be concise and align with the organization's culture, environment, response personnel, and, most importantly, business objectives. Failing to tailor policies, processes, and procedures to the needs of the organization will result in ineffective response efforts that slow or work against an investigation. It should also be noted that documentation must constantly evolve to remain current with evolving threats, changes in technology, and shifts in business objectives. For example, has the organization developed a strategy and corresponding procedure for investigating malware on mobile devices?

1. Team

The Incident Response team lacks a proper balance between skill-set, size, and management oversight.

Choosing the right personnel to staff the incident response team can be a challenging task. Smaller organizations are faced with a limited security budget, which often results in a lack of response-focused personnel. With no other option, incident response duties are assigned to system and network administrators, who have the technical knowledge and historical understanding of how systems in the organization operate. Although these professionals are highly skilled in their respective fields, should they be entrusted to make business-impacting decisions amid a crisis or breach? Also, do not rule out the potential for fraud and/or a conflict of interest. Smaller organizations should evaluate whether in-house expertise is right for the job, and periodically ask whether additional training or internal recruiting needs to take place.

On the other hand, large organizations find themselves struggling to allocate the most efficient number of resources to an incident response team, often making the assumption that the more personnel tasked with response duties, the more capable the team becomes. To avoid overlapping efforts and a lack of clearly defined roles and responsibilities, an incident response team should be spearheaded by strong leadership that promotes collaboration within the team and communicates effectively with both management and other parts of the organization.

Conclusion

Incident Response teams are tasked with assessing the integrity of an organization and responding appropriately when that integrity is compromised. While the pattern for success is an unpredictable and evolving process, organizations can distance themselves from failure by laying a solid foundation of policies and procedures on which skilled professionals can base the performance of their duties.

By leveraging the most efficient tools to compile relevant data in an expedited manner, the Incident Response team will contribute to the success of the organization through the ability to make informed decisions.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.