SDL and Incident Response ◾ 223
Response Control Objectives
e control objectives for this tactic are based on timeliness, quality, and preparedness.
Table 11.6 maps response attributes to specifi c baselines. e type (hard or soft) is used to
denote how the metric for each control objective is collected. Soft indicates a procedure-based
control, while hard denotes a technology-based (i.e., automated) control.
ese control objectives form the basis for timely, comprehensive, and accurate responses to
incidents and customer inquiries. e control objectives enforce rapid response objectives through
a structured process of evaluation, containment, resolution, and restoration. e control objectives
also guard against false alarms and protect against things “slipping through the cracks” by using
incident tracking tickets. e following actions are recommended to facilitate security responses:
1. Survey existing response plans and procedures to identify gaps in coverage for diff erent
sources of incidents (e.g., insider, partner connections, external hacker, etc.).
2. Survey existing response resources (tools) and expertise to identify KSA defi ciencies, missing
coverage, and training requirements.
3. Assess the risks associated with existing response and resolution time lines including escala-
tion time lines.
4. Update existing standards to conform to security strategic objectives for security responses
including criteria for triage evaluations and severity ratings.
5. Create a threat knowledge base to facilitate triage eff orts.
6. Compile a list of all resources that may be required to facilitate incident response including
network and server administrators, engineers, and team leads.
7. Review and update application development processes (in-house or contracted) to incorpo-
rate automated response guidance for all development eff orts (in-house and contracted).
8. Survey existing reports and report-generating mechanisms to identify gaps in vertical, hori-
zontal, and compliance reporting.
9. Defi ne and incorporate reporting commonality requirements for commercial off -the-shelf
(COTS) products into procurement standards.
10. Review your corporation’s data retention and security labeling policies to determine how they
may impact your data management schema for reporting systems and report generation.
11. Form the basic teams responsible for managing responses to facility and IT security incidents
(i.e., Incident Response Teams) and beginning planning training and practice sessions to
ensure that personnel are profi cient at dealing with incidents both quickly and accurately.
12. Consider outsourcing event triage and evaluation to a MSSP.
Conclusion
e two interrelated tactics covered in this chapter—software security and incident response—
are grouped together because the majority of attacks and security compromises take place at the
application level. Addressing this issue must be one of our principal strategic objectives. e shift
of attack focus is due to the huge increase in application targets and the lack of good application
programming practices. ere are a limited number of attack scenarios against applications. We
have focused this chapter on tactics that address attack scenarios, not attack methods, because it
is a better way to examine threats across a broad range of attacks. Our eff orts have concentrated
on tactics that best address current application-level defi ciencies, including Security Development
TAF-K11348-10-0301-C011.indd 223TAF-K11348-10-0301-C011.indd 223 8/18/10 3:11:05 PM8/18/10 3:11:05 PM