Incident management isn’t enough — here’s what IT really needs
In all of the latest IT security threat reports, one theme is clear: Breaches and compromises are on the rise, both in quantity and sophistication, and there’s no sign of them slowing down. Organizations of all sizes are at risk. Businesses need to be ahead of the game, maintain a strong security posture, and be prepared for anything.
But is it possible to be prepared for the unexpected? Yes, it is, but only if you focus on developing and implementing sound incident management practices.
This includes everything from initial detection of an intrusion in the IT environment to response and recovery services. But here’s the rub: Incident management programs are useless if they can’t detect an incident or attack in real time. Real-time detection is the key component of IT security.
Where old incident management falls short
The primary goal of traditional incident management systems is identifying a breach and returning to “business as normal” after an IT incident. It doesn’t matter if it was caused by a network outage, denial of service attack, or more severely, a malicious attack, breach, or theft of data. But most incident management systems fall short of this goal, as these disjointed systems often miss attacks and breaches.
Recent data suggests companies are still struggling with initial detection of a compromise or breach. According to the Ponemon Institute, on average it takes retail and financial services companies 197 days and 98 days, respectively, to detect a compromise.
A dual answer to security
Detection is the problem, and it’s a significant one. Really, the goals of incident management must be prevention and detection. This proactive approach reduces risk to the organization, and shifts the focus to combining advanced tools and better-trained analysts who can make use of them. These advanced security technologies include intrusion detection tools and programs capable of automated monitoring and review of event logs for all critical systems and security devices.
Focus on prevention and detection is needed because many companies that suffered major breaches in the past two years had incident management technologies deployed, but still were unable to detect and respond to the breaches as they occurred. These technologies, while providing much needed automation, still require analysts and operators that are trained on how to use the technologies and how to spot the indicators of compromise or attack.
Within the IT community there is a growing understanding that the best way to defend against any type of network attack or breach is to implement continuous network monitoring capabilities. Continuous network monitoring gives IT/IS staff the ability to see the entire network: network traffic, the behaviors and actions of all users, near real-time security management, and the effectiveness of deployed threat detection and prevention technologies.
The five points to secure your network
Where can organizations start? What should IT look for in an incident management solution? Here are five prongs that a solution must have in order to increase security and provide a clear look into the network.
1. Track your hardware and software inventory. What assets exist in your environment? You must identify the authorized – and even unauthorized – hardware and software accessing your system, including personal devices, unknown endpoints, virtual systems, cloud applications, and operating systems. The optimal incident management solution should include technologies that constantly search for and discover new devices and applications in near real time.
2. Continuously remove vulnerabilities and misconfigurations. Remove all vulnerabilities by implementing continuous monitoring controls that can apply patches, and have a method in place to update system configurations to limit exploits and apply additional host or network security monitoring.
3. Deploy a secure network. Network security must be a daily practice, and multiple technologies that prevent or detect malicious activity can be deployed. These include anti-virus protection, system monitoring, and intrusion prevention software.
4. Give users access to only what they need. Your users should have a business need to access specific systems and data. System admins should limit administrative privileges, avoid default accounts, control and log all access, and enforce strong password practices.
5. Search for malware and intruders. The best defenses still have a hole or two, so actively monitor all systems to detect anomalies and exploits. Constant monitoring will catch intruders early, and implementing the previous four suggestions will make monitoring easier. Plus, the system will create audits that can be used in system analysis, if a breach does occur.
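As an added example (not code from the article or from Tenable), the Python script below applies points 1, 4 and 5 to a few constructed log lines: it compares DHCP leases against an authorized-device inventory to surface unknown endpoints, then flags logins that come from those endpoints, use default accounts, or rely on passwords. The log format, the inventory and the default-account list are assumptions chosen for the illustration.

```python
import re

# Constructed sample log (not from the article): DHCP leases followed by SSH logins.
SAMPLE_LOG = """\
2024-03-01T08:00:01 dhcpd DHCPACK on 10.0.1.20 to aa:bb:cc:00:00:01 (ws-alice)
2024-03-01T08:00:07 dhcpd DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:02 (ws-bob)
2024-03-01T08:03:15 dhcpd DHCPACK on 10.0.1.77 to de:ad:be:ef:00:99 (android-7f3a)
2024-03-01T08:04:02 sshd Accepted password for admin from 10.0.1.77 port 51322
2024-03-01T08:04:09 sshd Accepted publickey for alice from 10.0.1.20 port 40212
"""

# Assumed authorized inventory (point 1) and default accounts to avoid (point 4).
AUTHORIZED = {"aa:bb:cc:00:00:01": "ws-alice", "aa:bb:cc:00:00:02": "ws-bob"}
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17}) \((\S+)\)")
SSH_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")


def find_unauthorized_devices(log_text, authorized):
    """Point 1: return {mac: (ip, hostname)} for leased devices not in the inventory."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            seen[mac] = (ip, host)  # latest lease wins
    return {mac: v for mac, v in seen.items() if mac not in authorized}


def find_risky_logins(log_text, unauthorized_ips, default_accounts):
    """Points 4 and 5: logins from unknown endpoints, default accounts, or by password."""
    findings = []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        method, user, src = m.groups()
        reasons = []
        if src in unauthorized_ips:
            reasons.append("source is an unknown endpoint")
        if user in default_accounts:
            reasons.append("default/shared account")
        if method == "password":
            reasons.append("password auth")
        if reasons:
            findings.append((user, src, reasons))
    return findings


if __name__ == "__main__":
    unknown = find_unauthorized_devices(SAMPLE_LOG, AUTHORIZED)
    unknown_ips = {ip for ip, _ in unknown.values()}
    for mac, (ip, host) in unknown.items():
        print(f"UNKNOWN DEVICE {mac} {ip} {host}")
    for user, src, reasons in find_risky_logins(SAMPLE_LOG, unknown_ips, DEFAULT_ACCOUNTS):
        print(f"REVIEW LOGIN {user}@{src}: {', '.join(reasons)}")
```

In practice the inventory would come from the asset-discovery tool and the log lines from a collector, with the same comparison run continuously rather than once.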
A robust incident management program begins with and revolves around incident detection. Knowing everything that is happening on your network is the only way to achieve early incident detection and response.
The best way to make this happen is through continuous network monitoring. Prevention and detection are the top priorities in protecting IT infrastructure, and an incident management system that actively improves its security and monitors possible points of intrusion (like mobile devices) will best assist IT in these goals.
Jeff Man is a Tenable strategist specializing in compliance. He has over 30 years of information security experience, including cryptography, information security, and most recently PCI. Jeff has served as a QSA and trusted advisor for both VeriSign and AT&T Consulting. As an NSA cryptographer, he oversaw completion of some of the first software-based cryptosystems ever produced for the high-profile government agency.