January 2015 is already winding down, but it’s not too late to think about the lessons of 2014. For anyone in information security, 2014 was a year marked by spectacular breaches. It ended with Sony Pictures Entertainment getting its clock cleaned by hackers, quite possibly from North Korea. Wouldn’t it be great if 2015 doesn’t include the same sort of clock cleaning at your company?
Having run thousands of incident response operations over the years, I have come to appreciate the value of visibility. I’m talking about meaningful data collection, from the network layer up to the applications. I’m talking about data that can help the computer security incident response team (CSIRT) understand with a high degree of confidence what happened. You can take steps to make sure that your CSIRT will have that kind of data, well organized, so they’re not lost in a sea of meaningless data or grasping for clues with no data at all. If you do nothing to improve visibility, your CSIRT might be able to draw some basic conclusions about an incident, but chances are they won’t be able to tell executive decision-makers what they really want to know: precisely what happened in an incident and the extent of the business impact.
So my suggestion for 2015 is to increase your ability to see an incident. Make it a goal to be able to accurately and rapidly establish your situational awareness during and after an incident. Good situational awareness is vital to your executive team as it sets out to make the difficult business decisions in the wake of an incident.
First, take stock of what you already have in place for visibility. Take a critical look at your event logging, data analysis, data retention, etc. Start at the network level, and ensure that you can see into all of your mission-critical networks. Then move on to other networks, such as those for connecting desktops and mobile devices. Do an inventory and establish a clear picture in your mind of how well the data you’re already collecting will help you reconstruct the events around an incident. You need to know what your current abilities will do for you situational awareness.
Next, you should move up to your servers: application servers, departmental servers, etc. Do another inventory and determine what logging is in place and how it relates to and correlates with the network-level data. Figure out how well that data will help you determine the business impact of an incident. Even though server logs can probably shed only a small amount of light, you still need to know just what information they contain and how best you can leverage that information during an incident.
Finally, you need to assess your business applications. Whether they are internal business applications or customer-facing ones, you need to know what logging is taking place and how it can be used to tell the story of an incident.
When you’ve taken stock, it’s likely that you’ll see that your logging layers provide different perspectives on incidents. More importantly, there’s a good chance that the logs aren’t even stored in the same place and that they are viewed by different teams in your network operations and security operations centers.
And now that you know what you have and where it goes and who sees it, you have to figure out how you can use those multiple perspectives to build a single view of an incident. There are products that promise to help you with that, but the principle of “garbage in, garbage out”always applies. The tools are only as good as the data they receive.
The important thing is to make sure that, should you be hit by an incident, you will have the situational awareness that your executives need. For them, whether something happened at the network level or the application level is immaterial. They just want to know the business impact. They want a damage assessment and a course of action.
So in 2015, that’s what you should be prepared to give them. To get there, take a critical look at your visibility and make an action list on how you can improve things. Imagine various event scenarios and determine just what sort of data you’d likely find and how useful that data will be in telling the executive team what they need to know.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.