The comparison of incident response teams to fire departments has been around for many years, with well-funded entities within enterprises likened to professional fire departments in a large city and the less-funded teams within small-medium businesses (SMBs) likened to volunteer fire departments found in smaller communities. The difference between the well-funded and volunteer teams can be striking. The commonality, however, remains. When the alarm goes off, the team has to answer the alarm and assess the situation upon arrival.
The first question to answer is, "Is the house really on fire?" That is quickly followed by reporting what's occurring up the chain of command to those with a need to know. In the case of the fire, it may be the mayor or councilman, in a company, large or small, it may be the CEO or the Board of Directors.
Gal Shpantzer, Independent Security Consultant and Contributing Analyst at Securosis commented on the use of the fire department analogy. He believes that engineers and others in technical fields may rely too heavily on technical means to defeat a threat that may not be completely technical in nature. Fires can be engineered away to a certain point, because we know what tools to use to put a stop to them.
Purely technical problems, like fires, do not have an intelligent mind working behind them that can decide to come back for a second surprise attack. They can't hack our emails or develop complex infiltration strategies. Though it may take a major effort, technical problems will stop when they are solved. Someone who wants your money or your intellectual property, however, doesn't give up so easily.
Shpantzer's observation is telling and corroborated by the recent Ponemon Institute Study, "Threat Intelligence & Incident Response: A Study of US & EMEA Organizations" (February 2014). On average, 35 percent of cyber attacks go undetected, and the breakdown of how security teams detect their events reveals a reliance on basic capabilities: antivirus, 29 percent; network IDS, 18 percent; user awareness,18 percent; next-gen malware detection, 17 percent; DLP solutions, eight percent; indicators of compromise, seven percent; and external notification, five percent.
And unlike the fire department, who can call in additional resources by adding an alarm to the initial fire call, the incident response team is resource constricted. The report goes on to note that current security products do not lend themselves easily to the import and use of an organization's threat intelligence. In fact, 59 percent of the respondents said that their security products are inefficient and ineffective at incorporating their threat intelligence.
When 86 percent of the CISOs interviewed said that detection of cyber attacks takes too long and 85 percent said there is little or no prioritization of incidents, there is opportunity and space for improvement within the incident response and threat intelligence arena.
The cyber incident response teams (CSIRT) are the firemen of the enterprise network. In the RSA Conference 2014 panel discussion, "Why Cyber Incident Response Teams Get No Respect", moderated by Larry Ponemon, the panel discussed a separate Ponemon study, "Cyber Security Incident Response: Are We as Prepared as We Think?" (January 2014). Pessimism seems the norm, with 57 percent of respondents expecting to experience a security breach in the next year, conceding that it isn't a matter of if, but a matter of when.
With good information, the teams can effectively determine if a breach has occurred and at what magnitude. While few people would want incident response to be automatic, just about everyone would like every event-required step to be automated as much as possible. Human judgment and the decision-making team can then focus on the real fires, and leadership can be given timely and accurate situation reports.