True Detectives: VARs On The Case As The Need For Incident Response Strategies Gets More Evident Every Day


Retail giant Target had many of the latest technologies in place to protect its critical systems and had a service provider remotely monitoring its network security appliances, which generated an alert on the malware responsible for its massive data breach.

Incident response is where it all broke down when attackers struck the company in November. The alert should have triggered an investigation by one of the hundreds of IT personnel staffing its Minneapolis-based security operations center.

Like many other large and midsize businesses, Target likely was hampered by outdated incident response processes or a plan that wasn't regularly tested and adjusted for changes in the environment, said Chris Camejo, director of consulting and professional services at NTT Com Security. Poorly configured systems that generate too many false alarms compound the problem by adding to the risk that a real threat won't be investigated and contained until it is too late, Camejo said. "Target did almost everything right, but they appeared to have messed up on the people side of the equation," Camejo said. "In this case there was an in-house incident response capability, but they didn't respond to the alerts."


The pendulum in the security industry has shifted from threat prevention to threat detection, but incident response is often isolated and rarely part of the products on the market, solution providers tell CRN.

Terry Kurzynski, a senior partner at Chicago-based solution provider Halock Security Labs, said he is increasingly returning to previous clients months after deploying their network security appliances, either to address a security incident or to assist with poorly maintained systems. Organizations were eager to purchase technology designed to detect so-called advanced threats, but they constantly stumble over interpreting the alerts or maintaining the systems they already have, said Kurzynski, whose company focuses on digital forensics and security incident response. "Clients are implementing but they're not able to interpret the alerts correctly or six months later they've taken their eye off the ball and can't remember the last time they checked the console," Kurzynski said.

TUNING OUT FALSE POSITIVES

Much of the attention on incident response is being driven by the rise of network security appliances that are uncovering previously unseen malware infections on workstations and servers. FireEye gained early success with its appliance line for shining a light on the number of threats easily evading antivirus and bypassing firewalls, said John Kindervag, vice president and principal analyst at Forrester Research.

FireEye's competition has increased as security vendors rush out similar features and services. But many of the technologies require careful adjustment of the signal-to-noise ratio, Kindervag said. Incident responders need a way to tune out false positives, and threats that pose a low risk, so they can respond to the most critical problems, he said. "It's been a constant struggle to identify and address serious threats before they result in a breach," Kindervag said. "The process still hasn't been adequately addressed by [security vendors] or the businesses deploying the technology."

Managed service providers are in a position to provide incident response capabilities, but they have to earn the trust of their clients by getting to know their most critical systems and the intellectual property that matters most, said NTT Com Security's Camejo. The channel is used to monitoring systems and generating reports, rather than providing blocking and tackling services, Camejo said. "In order to stop an attack in a meaningful way you have to understand the client and the crown jewels that they are trying to protect," Camejo said. "There are many providers that are entrenched in doing things the way they always have, only monitoring firewalls and IPSes for new signatures that come out."
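The two points above, tuning out noise so responders see the critical alerts first and ranking what remains against the client's crown jewels, come down to a triage step between the appliance console and the analyst. The following is an added illustration, not code from CRN or from any vendor or provider quoted in the article. The alert records, the asset inventory, the suppression rules and all IP addresses and signature names are constructed for the example; the scoring scheme (severity weight times asset criticality) is one reasonable choice, not a standard.

```python
"""Alert triage: suppress documented noise, collapse repeats, rank the rest by
asset criticality. Hypothetical example with constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, shaped like what a network security appliance or
# SIEM might emit. None of these hosts or signatures are real.
ALERTS = [
    {"id": 1, "ts": "2013-11-30T02:14:00", "src": "10.0.5.20", "dst": "10.0.9.11",
     "sig": "ET SCAN Nmap Scripting Engine", "sev": "medium"},
    {"id": 2, "ts": "2013-11-30T02:15:00", "src": "10.0.5.20", "dst": "10.0.9.12",
     "sig": "ET SCAN Nmap Scripting Engine", "sev": "medium"},
    {"id": 3, "ts": "2013-11-30T03:01:00", "src": "10.0.7.44", "dst": "203.0.113.5",
     "sig": "malware.binary outbound FTP upload", "sev": "high"},
    {"id": 4, "ts": "2013-11-30T03:02:00", "src": "10.0.7.44", "dst": "203.0.113.5",
     "sig": "malware.binary outbound FTP upload", "sev": "high"},
    {"id": 5, "ts": "2013-11-30T03:30:00", "src": "10.0.8.2", "dst": "198.51.100.9",
     "sig": "Policy: Dropbox client check-in", "sev": "low"},
    {"id": 6, "ts": "2013-11-30T04:10:00", "src": "10.0.7.44", "dst": "10.0.9.11",
     "sig": "malware.binary dropped on host", "sev": "high"},
]

# Crown-jewel inventory (constructed): 1 = ordinary workstation, 5 = payment systems.
# This is the knowledge of the client that the triage step depends on.
ASSET_CRITICALITY = {"10.0.9.11": 5, "10.0.9.12": 5, "10.0.7.44": 3, "10.0.8.2": 1}
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 9}

# Suppression rules as (predicate, reason). Each one is an explicit, reviewable
# exception rather than a silently muted signature.
SUPPRESSIONS = [
    (lambda a: a["src"] == "10.0.5.20" and a["sig"].startswith("ET SCAN"),
     "authorised vulnerability scanner"),
    (lambda a: a["sig"].startswith("Policy:"),
     "policy informational, not a threat"),
]


def _criticality(ip):
    # Unknown or external hosts count as ordinary; the internal peer decides the score.
    return ASSET_CRITICALITY.get(ip, 1)


def triage(alerts, window_minutes=60):
    """Return (ranked_findings, suppressed) where ranked_findings is a list of
    dicts sorted by descending score and suppressed is a list of (id, reason)."""
    suppressed, kept = [], []
    for a in alerts:
        reason = next((r for pred, r in SUPPRESSIONS if pred(a)), None)
        if reason:
            suppressed.append((a["id"], reason))
        else:
            kept.append(a)

    # Collapse repeats of the same (src, dst, signature) seen inside the window,
    # so one infected host beaconing every minute is one finding, not sixty.
    window = timedelta(minutes=window_minutes)
    groups = defaultdict(list)
    for a in sorted(kept, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        key = (a["src"], a["dst"], a["sig"])
        bucket = groups[key]
        if bucket and ts - bucket[-1]["first_seen"] <= window:
            bucket[-1]["count"] += 1
        else:
            bucket.append({"first": a, "first_seen": ts, "count": 1})

    findings = []
    for bucket in groups.values():
        for g in bucket:
            a = g["first"]
            crit = max(_criticality(a["src"]), _criticality(a["dst"]))
            findings.append({
                "id": a["id"], "sig": a["sig"], "src": a["src"], "dst": a["dst"],
                "count": g["count"], "score": SEVERITY_WEIGHT[a["sev"]] * crit,
            })
    findings.sort(key=lambda f: (f["score"], f["count"]), reverse=True)
    return findings, suppressed


if __name__ == "__main__":
    ranked, dropped = triage(ALERTS)
    for f in ranked:
        print(f"score={f['score']:>3} x{f['count']} {f['src']} -> {f['dst']} {f['sig']}")
    print(f"{len(dropped)} alerts suppressed: {dropped}")
```

Run stand-alone, the two scanner hits and the policy notice are suppressed with a stated reason, the two identical FTP-upload alerts collapse into one finding, and the malware drop on the payment host ranks first because its criticality multiplies a high-severity detection. The point is that the suppression list and the asset inventory are the parts that have to be maintained as the environment changes; an untended list is how a real alert ends up buried six months later.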
