SDL and Incident Response
Another type of vertical reporting is dashboarding. Summaries of information are presented in graphical format with deltas from previous reporting periods noted. The dashboard in Figure 11.8 shows three summary categories: business risk profile, update compliance, and baseline privacy compliance.
The report contains an overall business risk profile as well as updated compliance and baseline compliance values. Each is accompanied by a summary of the elements contributing to the measurement result. In this example, changes from the previous report are shown as deltas, and the results from the 12 previous reports are presented as average values. The reporting interval for vertical reports will vary based on organizational needs; monthly is common. The distribution of the report will also vary. At a minimum, it should be distributed to senior and executive IT management and department heads.
Horizontal reports are more technical in nature than vertical reports. They typically contain details on specific activities that can be used for postmortem assessments, compliance proofs, process improvement, planning, and so on. The sample horizontal report is a list of incident tickets with calculated response and resolution times (see Table 11.5).
Incidents are listed in chronological order and by criticality. The reporting interval for horizontal reports depends on established reporting time lines for legal, contractual, and regulatory compliance and other business requirements. The distribution of horizontal reports will also vary depending on content.
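As an added illustration of the two report types described above (this is not code from the book), the following Python script computes response and resolution times per incident ticket for a horizontal report and rolls them up into a vertical summary with deltas from the previous period and an average over the preceding 12 reports, as the dashboard description calls for. The Ticket fields, the criticality scale, and the sample tickets and history are constructed.

```python
"""Horizontal and vertical incident reporting from ticket records.

Added example, not code from the book: the Ticket fields, the criticality
scale and the sample tickets/history below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Constructed criticality scale; lower rank sorts first.
CRITICALITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Ticket:
    ticket_id: str
    alerted: datetime            # alert received
    responded: datetime          # incident tracking ticket created and routed
    resolved: datetime | None    # None while the incident is still open
    criticality: str
    summary: str


def response_time(t: Ticket) -> timedelta:
    """Alert receipt to ticket creation/routing."""
    return t.responded - t.alerted


def resolution_time(t: Ticket) -> timedelta | None:
    """Alert receipt to resolution; None for open incidents."""
    return None if t.resolved is None else t.resolved - t.alerted


def minutes(delta: timedelta | None) -> int | None:
    return None if delta is None else int(delta.total_seconds() // 60)


def horizontal_report(tickets: list[Ticket]) -> list[dict]:
    """One row per ticket, ordered by day, then criticality, then alert time
    (one reading of 'chronological order and by criticality')."""
    ordered = sorted(tickets, key=lambda t: (t.alerted.date(), CRITICALITY_RANK[t.criticality], t.alerted))
    return [{"ticket": t.ticket_id,
             "alerted": t.alerted.isoformat(timespec="minutes"),
             "criticality": t.criticality,
             "response_min": minutes(response_time(t)),
             "resolution_min": minutes(resolution_time(t)),
             "summary": t.summary} for t in ordered]


def period_summary(tickets: list[Ticket]) -> dict[str, float]:
    """Summary metrics for one reporting period (input to the vertical report)."""
    closed = [t for t in tickets if t.resolved is not None]
    return {
        "incidents": len(tickets),
        "critical": sum(1 for t in tickets if t.criticality == "critical"),
        "open": len(tickets) - len(closed),
        "mean_response_min": mean(response_time(t).total_seconds() / 60 for t in tickets) if tickets else 0.0,
        "mean_resolution_min": mean(resolution_time(t).total_seconds() / 60 for t in closed) if closed else 0.0,
    }


def vertical_report(current: dict[str, float], history: list[dict[str, float]]) -> dict[str, dict]:
    """Dashboard-style summary: each metric with its delta from the previous
    period and the average of the (up to) 12 preceding reports."""
    previous = history[-1] if history else None
    window = history[-12:]
    return {metric: {"value": round(value, 1),
                     "delta": round(value - previous[metric], 1) if previous else None,
                     "avg_12": round(mean(h[metric] for h in window), 1) if window else None}
            for metric, value in current.items()}


def sample_tickets() -> list[Ticket]:
    """Constructed tickets for one day; not real incident data."""
    d = datetime(2010, 5, 15)
    return [
        Ticket("INC-1003", d.replace(hour=14, minute=0), d.replace(hour=14, minute=12),
               d.replace(hour=16, minute=30), "medium", "Web mail: parent paths enabled"),
        Ticket("INC-1004", d.replace(hour=14, minute=2), d.replace(hour=14, minute=5),
               None, "critical", "Hub server missing critical updates"),
        Ticket("INC-1005", d.replace(hour=9, minute=11), d.replace(hour=9, minute=40),
               d.replace(hour=10, minute=0), "low", "SharePoint: unsupported OS version"),
    ]


def sample_history() -> list[dict[str, float]]:
    """Constructed summaries for the 12 preceding reporting periods."""
    return [{"incidents": 4 + i % 3, "critical": 1, "open": 1,
             "mean_response_min": 20.0 - i, "mean_resolution_min": 120.0} for i in range(12)]


if __name__ == "__main__":
    for row in horizontal_report(sample_tickets()):
        print(row)
    print(vertical_report(period_summary(sample_tickets()), sample_history()))
```

The horizontal rows are what a postmortem or compliance proof needs (per-ticket timings); the vertical report is what management reads, so it carries only the aggregate, its movement since the last period, and the longer-run average.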
Rapid Response Drivers and Benefits
The biggest driver behind response is loss prevention; alerts are generated because malicious or potentially malicious activity is taking place. The faster that activity can be squelched, the less the resulting damage. In this context, loss prevention is more than the loss of assets; it also encompasses loss of reputation and customer confidence, unrecoverable restoration costs, notification costs, downstream liabilities, and legal liabilities from civil actions. These represent a substantial loss liability that increases until the incident is resolved. The second driver is compliance; compliance reporting has very specific time lines. A good response capability allows compliance information to be quickly compiled and reported on. This capability also applies to customer satisfaction because it provides timely responses to customer queries, and it also increases the value of security services to the organization when query capabilities are directly available to customers (e.g., a reporting portal).
[Figure 11.7 (figure residue; only the recoverable labels are kept): a balanced scorecard with four perspectives (Financial, Customer, Internal process, Learning and growing) across four columns (Strategy map, Strategic objectives, Performance measures, Security initiatives). Strategy-map objectives: increase shareholder value, increase customer value, increase margins, improve brand, reduce operating cost, optimize incident response, increase KSAs, improve security controls, build a security culture, improve security communications. Performance measures named: % reduction in time in user provisioning, % increase in required KSAs, accountability. Security initiatives named: security convergence project, customer reporting portal, CCD build out, SOC build out, security portal build out, scheduled CERT practice, ONE operations center, ONE security portal, ONE response team, ONE security awareness, ONE team training, excellence in ID management, security awareness training, AIDS program design, staff KSA and cross training, on-demand customer reporting portal.]
Figure 11.7 Balanced scorecard sample.
TAF-K11348-10-0301-C011.indd 219 8/18/10 3:11:05 PM
Security Strategy: From Requirements to Reality
[Figure 11.8 (figure residue; only the recoverable labels are kept): two process flows under the heading "Deployment and compliance timeliness".
Update management: Discovery phase (vendor notifications; industry sources; commercial services) > Preparation phase (determine criticality and release schedule; define scope; build and test packages) > Testing phase (test update compatibility; test update performance; identify issues; solicit vendor assistance) > Deployment phase (enable deployment mechanisms; update systems; update standard build; identify exceptions) > Remediation phase (resolve issues; request exception).
Compliance management: Preparation phase (determine measurement criteria; configure and test measurement tools) > Measure phase (deploy tests; measure compliance; horizontal reporting to system owners and administrators) > Enforcement phase (notify non-compliance; escalate non-compliance; take enforcement action; handle exceptions; vertical reporting to accountable parties and management).]
Figure 11.8 Sample vertical report.
Table 11.5 Sample Horizontal Report
Updated Compliance Report, May 15, 2010
Date | Node | Service | Owner | Status | Check
May 15, 2010 1400 | Mtg0-TL5EXFE01 | Web Mail | macssupport@elensolar.com | Failed | AP-Parent paths disabled
May 15, 2010 1402 | Mtg0-TL5EXHUB01 | Business Intelligence | macssupport@elensolar.com | Failed | UP-Critical updates installed
May 15, 2010 1411 | Std0-TL5SPWS01 | SharePoint | macssupport@elensolar.com | Failed | OS-Supported version
May 15, 2010 1412 | Mtg0-TL5OCS01 | OCS | macssupport@elensolar.com | Failed | SQL-Restricted CmdExec
May 15, 2010 1418 | Std0-TL5EHS01 | Exchange Hosted Service | ehssupport@elensolar.com | Failed | AP-Signatures current
Another rapid response benefit is preparedness. A well-designed and practiced response capability assures an effective, accurate response to incidents. All the tools and resources required are available at the time the alert is received; all the information required to make good response decisions is present. Instead of throwing the organization into chaos, the situation is dealt with quickly and professionally, demonstrating the added value security brings to the organization.
Response Challenges
The major challenges to this tactic are quality of information and the lack of existing tools and commonality. Response accuracy and effectiveness are based on good weaponry and high-quality information. The lack of commonality scatters information across multiple platforms, making the collection and collation of data difficult. The lack of commonality in transfer protocols and record formats only exacerbates the problem, hampering response timeliness and accuracy. The lack of quality information is more prevalent at the application layer because audit trail and intrusion detection functionality are not present, nor are they likely to be present in the near future. This lack of commonality and information quality also affects compliance. Compliance is based on proof, but the majority of existing audit mechanisms are designed for debugging; the information captured is insufficient to meet the evidentiary requirements of compliance.
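To make the commonality problem concrete, here is an added Python example (not from the book) that takes alert records in three different formats from three hypothetical sources (a syslog line, a JSON event, and a CSV export, all constructed) and maps them onto one common record. Fields a source fails to supply are flagged on the record rather than dropped silently, which is the information-quality gap the paragraph describes.

```python
"""Collating alerts that arrive in different record formats into one schema.

Added example, not code from the book. The three input formats, the field
names and the sample records are constructed; real sources will differ, but
the pattern (parse per source, map to a common record, flag what is missing)
is the point.
"""
import csv
import io
import json
import re
from datetime import datetime, timezone

SEVERITIES = ("critical", "high", "medium", "low")
# Constructed mapping for a source that reports numeric levels.
JSON_LEVELS = {1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample records, one per source format.
SYSLOG_LINE = 'May 15 14:00:07 tl5exfe01 ids[2231]: severity=high msg="parent paths enabled on web mail"'
JSON_EVENT = '{"ts": "2010-05-15T14:02:11Z", "host": "TL5EXHUB01", "level": 3, "text": "critical updates missing"}'
CSV_ROWS = (
    "2010-05-15 14:11:00,tl5spws01,medium,unsupported OS version\n"
    "2010-05-15 14:12:00,,low,restricted CmdExec check failed\n"   # host column empty
)

SYSLOG_RE = re.compile(r'(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) \S+: severity=(\w+) msg="(.*)"$')


def common_record(source, ts, host, severity, message):
    """Map one parsed event to the common schema and list the fields the
    source failed to supply, instead of dropping the event silently."""
    record = {
        "timestamp": ts.isoformat() if ts else None,
        "source": source,
        "host": host.lower() if host else None,
        "severity": severity if severity in SEVERITIES else None,
        "message": message,
    }
    record["missing"] = [k for k in ("timestamp", "host", "severity") if record[k] is None]
    return record


def parse_syslog(line, year=2010):
    """Syslog lines carry no year; the caller supplies it (timestamps assumed UTC)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return common_record("syslog", None, None, None, line)
    mon, day, hms, host, sev, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return common_record("syslog", ts, host, sev.lower(), msg)


def parse_json(text):
    d = json.loads(text)
    ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return common_record("json-api", ts, d.get("host"), JSON_LEVELS.get(d.get("level")), d.get("text"))


def parse_csv(text):
    out = []
    for ts_s, host, sev, msg in csv.reader(io.StringIO(text)):
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        out.append(common_record("csv-export", ts, host, sev.lower(), msg))
    return out


def collate():
    """All sources into one time-ordered list on the common schema."""
    records = [parse_syslog(SYSLOG_LINE), parse_json(JSON_EVENT), *parse_csv(CSV_ROWS)]
    return sorted(records, key=lambda r: r["timestamp"] or "")


def complete(records):
    """Records that carry every field a response decision needs."""
    return [r for r in records if not r["missing"]]


if __name__ == "__main__":
    for r in collate():
        print(r)
```

Each source needs its own parser; the common schema is what lets the tickets, reports and compliance proofs downstream be built once. Keeping the `missing` list on the record (rather than discarding the event) also preserves the evidence that a source is under-reporting, which is itself a finding for the compliance gap the text describes.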
Response Success Factors and Lessons Learned
Success is when you have 13 soldiers fighting off 300 rebels without a single loss of life or a breach of Carmarthen Castle perimeter defenses. We need that type of prepared, practiced, and organized response. It is undoubtedly one of the best ways to demonstrate the value security adds to the organization.
Incident response requires the cooperation of many different business functions and the availability of multiple resources throughout the organization. The only way to guarantee this level of cooperation is to have executive sponsorship. Along with acquiring the cooperation of various business groups for incident response, it is also wise to have clearly defined roles and responsibilities so that business leaders know exactly what they are committing to.
Other lessons learned include the following:
Overcome denial and blame—Past failures and finger pointing often make it difficult to garner the cooperation needed to build a good response capability. Get over it! Response is not about who did what in the past, but about preventing loss. Fix the problem and move on.
Identify the internal expertise you have and make friends with them.
Have well-defined evaluation criteria and escalation time lines.
Be prepared! Practice the plan regularly and keep your stockpile of weaponry (tools) up to date.
Have prearranged external resources (e.g., a red team) that can assist when needed; retained services are recommended.
Response Control Objectives
The control objectives for this tactic are based on timeliness, quality, and preparedness. Table 11.6 maps response attributes to specific baselines. The type (hard or soft) is used to denote how the metric for each control objective is collected. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control.
Table 11.6 Response Control Objectives
Attribute/Control | Type | Risk and Requirements
Coverage | Soft | Response mechanisms must:
- Be able to import/receive, process, and respond to security alerts from any source.
- Have required expertise (knowledge, skills, and abilities) available at all times.
Incident Responses
Timely | Hard | Response mechanisms shall process alerts in real time. The interval of time between the receipt of an alert and the creation and routing of an incident tracking ticket shall be kept to a minimum and escalated in accordance with established standards.
Accurate | Hard | Responses shall, to the best extent possible, apply response actions to the specific system that generated the alert (i.e., not respond to or interfere with any other system).
Comprehensive | Hard | Responses shall be comprehensive, identifying and containing all instances of an event.
Prioritized | | Responses shall be prioritized to ensure critical threats and threats to high-value assets are resolved first.
Economic | | Responses shall be in stages and should only proceed to the next stage when necessary. Responses, to the greatest extent possible, shall make the most efficient use of internal expertise (not pull people away from their duties unnecessarily).
Prepared | | Response mechanisms shall remain in a high state of readiness:
- Procedures shall be current.
- Personnel shall be trained.
- Personnel shall be drilled in response procedures.
- Tools and supporting equipment shall be maintained and up to date.
Nonincident Responses
Timely | Hard | Response mechanisms shall process customer inquiries in a timely manner and generate responses in accordance with established schedules or time lines.
Comprehensive | Hard | Responses shall be, to the best extent possible, comprehensive, containing all of the information requested in the inquiry.
These control objectives form the basis for timely, comprehensive, and accurate responses to incidents and customer inquiries. The control objectives enforce rapid response objectives through a structured process of evaluation, containment, resolution, and restoration. The control objectives also guard against false alarms and protect against things “slipping through the cracks” by using incident tracking tickets. The following actions are recommended to facilitate security responses:
1. Survey existing response plans and procedures to identify gaps in coverage for different sources of incidents (e.g., insider, partner connections, external hacker, etc.).
2. Survey existing response resources (tools) and expertise to identify KSA deficiencies, missing coverage, and training requirements.
3. Assess the risks associated with existing response and resolution time lines, including escalation time lines.
4. Update existing standards to conform to security strategic objectives for security responses, including criteria for triage evaluations and severity ratings.
5. Create a threat knowledge base to facilitate triage efforts.
6. Compile a list of all resources that may be required to facilitate incident response, including network and server administrators, engineers, and team leads.
7. Review and update application development processes (in-house or contracted) to incorporate automated response guidance for all development efforts.
8. Survey existing reports and report-generating mechanisms to identify gaps in vertical, horizontal, and compliance reporting.
9. Define and incorporate reporting commonality requirements for commercial off-the-shelf (COTS) products into procurement standards.
10. Review your corporation's data retention and security labeling policies to determine how they may impact your data management schema for reporting systems and report generation.
11. Form the basic teams responsible for managing responses to facility and IT security incidents (i.e., incident response teams) and begin planning training and practice sessions to ensure that personnel are proficient at dealing with incidents both quickly and accurately.
12. Consider outsourcing event triage and evaluation to an MSSP.
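The Timely and Prioritized objectives in Table 11.6, together with the triage criteria, severity ratings and escalation time lines called for in actions 3 and 4, can be expressed as a small automated check over the alert queue. The following Python is an added example, not the book's; the severity weights, asset tiers, ticketing deadlines and escalation tiers are constructed placeholders for an organization's own established standards.

```python
"""Triage prioritisation and escalation time-line checks for incoming alerts.

Added example, not code from the book. The severity and asset weights, the
ticketing deadlines and the escalation tiers are constructed placeholders for
an organisation's own standards.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ASSET_WEIGHT = {"crown-jewel": 3, "business": 2, "commodity": 1}
# Constructed standard: maximum minutes from alert receipt to the creation and
# routing of a tracking ticket, per severity. Each further interval of the same
# length without a ticket moves the alert up one escalation tier.
TICKET_DEADLINE_MIN = {"critical": 15, "high": 60, "medium": 240, "low": 1440}
ESCALATION_TIERS = ("on-call analyst", "incident manager", "CISO")

# Constructed "current time" values used by the sample run below.
SAMPLE_NOW = datetime(2010, 5, 15, 15, 30)
SAMPLE_LATER = datetime(2010, 5, 15, 17, 0)


@dataclass
class Alert:
    alert_id: str
    received: datetime
    severity: str
    asset_tier: str
    ticketed: datetime | None = None   # None until a tracking ticket exists


def priority(alert: Alert) -> int:
    """Higher means handle first: critical threats and high-value assets."""
    return SEVERITY_WEIGHT[alert.severity] * ASSET_WEIGHT[alert.asset_tier]


def triage_order(alerts: list[Alert]) -> list[Alert]:
    """Queue order: priority first, then earlier receipt on ties."""
    return sorted(alerts, key=lambda a: (-priority(a), a.received))


def escalation(alert: Alert, now: datetime) -> tuple[int, str | None]:
    """Minutes past the ticketing deadline and the tier to escalate to, or
    (0, None) when the alert was ticketed (or still can be) within standard."""
    limit = TICKET_DEADLINE_MIN[alert.severity]
    elapsed = (alert.ticketed or now) - alert.received
    overdue = int((elapsed - timedelta(minutes=limit)).total_seconds() // 60)
    if overdue <= 0:
        return 0, None
    tier = min(overdue // limit, len(ESCALATION_TIERS) - 1)
    return overdue, ESCALATION_TIERS[tier]


def triage_report(alerts: list[Alert], now: datetime) -> list[dict]:
    """Prioritised queue with the timeliness check applied to each alert."""
    rows = []
    for a in triage_order(alerts):
        overdue, tier = escalation(a, now)
        rows.append({"alert": a.alert_id, "priority": priority(a),
                     "ticketed": a.ticketed is not None,
                     "overdue_min": overdue, "escalate_to": tier})
    return rows


def sample_alerts() -> list[Alert]:
    """Constructed alerts; not real incident data."""
    d = datetime(2010, 5, 15)
    return [
        Alert("A1", d.replace(hour=14, minute=0), "critical", "crown-jewel", d.replace(hour=14, minute=5)),
        Alert("A2", d.replace(hour=13, minute=0), "high", "business"),
        Alert("A3", d.replace(hour=9, minute=0), "low", "commodity", d.replace(hour=9, minute=30)),
        Alert("A4", d.replace(hour=14, minute=10), "medium", "crown-jewel"),
    ]


if __name__ == "__main__":
    for row in triage_report(sample_alerts(), SAMPLE_NOW):
        print(row)
```

The queue order comes from severity times asset value (the Prioritized objective); the escalation check measures the alert-to-ticket interval against the per-severity standard (the Timely objective) and names who should be told when it is exceeded. Running the same check against an already-ticketed alert records how late the ticket was, which is the kind of number a horizontal report and a postmortem both need.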
Conclusion
The two interrelated tactics covered in this chapter—software security and incident response—are grouped together because the majority of attacks and security compromises take place at the application level. Addressing this issue must be one of our principal strategic objectives. The shift of attack focus is due to the huge increase in application targets and the lack of good application programming practices. There are a limited number of attack scenarios against applications. We have focused this chapter on tactics that address attack scenarios, not attack methods, because it is a better way to examine threats across a broad range of attacks. Our efforts have concentrated on tactics that best address current application-level deficiencies, including Security Development