Bruce Schneier: IT Teams Need Cyberattack Response Planning More Than Prevention (Linux.com)
Schneier: "The most important takeaway is that we are all vulnerable to this sort of attack. Whether it's nation-state hackers (Sony), hacktivists (HB Gary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it -- we're already doing that and it's not working -- and more how to deal with it. Because as more people wake up and realize how devastating an attack it is, the more we're going to see it."
Posted Jul 15, 2015 20:08 UTC (Wed)
by dlang (guest, #313)
[Link] (3 responses)
You can't do either exclusively, but I've seen organizations that try to ignore prevention in favor of quick response, and they are insanely busy responding to all the incidents that could have been prevented.
I've also seen organizations that put all their effort into prevention, and as long as they have detection in place to detect when the prevention fails, it ends up working better. The response may be far more haphazard than in an org that puts more effort into planning responses, but they don't have to do nearly as much of it.
Ideally neither gets starved and you have a robust prevention program as well as a decent response program.
If I had to prioritize one over the other though, I would prioritize prevention rather than response. Just don't ignore response.
Posted Jul 15, 2015 20:49 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
> If I had to prioritize one over the other though, I would prioritize prevention rather than response. Just don't ignore response.
To quote from the article ... "Right now, response is the worst of the three and the area where organizations need the most improvement". So you and Schneier are singing from the same hymn-sheet.
Cheers,
Wol
Posted Jul 15, 2015 21:29 UTC (Wed)
by wahern (subscriber, #37304)
[Link] (1 responses)
The overlap in detection and response is in determining the scope and effect of the breach. How many times does a corporation say, "we've detected an intrusion but we've been assured only X was taken and all is now well"? Who actually believes such statements? It's garbage. They're almost always speaking from a position of ignorance about the real severity and scope of the intrusion.
A robust response capability requires excellent communication among groups, and accurate, timely, and comprehensive data about the state of infrastructure (routers, servers, etc.). These things are _also_ critical for prevention, where such knowledge and agility are key components in keeping systems upgraded and patched. So it would almost necessarily follow that poor response capabilities reflect poor prevention capabilities.
I agree that prevention is paramount, if only because it's much more concrete and measurable. But detection and response provide priceless signals about the state of prevention, and thus guidance on where to focus and prioritize resources. If people falsely consider that a license to take short-cuts in prevention, that's their problem.
Posted Jul 15, 2015 21:54 UTC (Wed)
by dlang (guest, #313)
[Link]
The headline is misleading at best.
The statement "IT Teams Need Cyberattack Response Planning More Than Prevention" is just wrong. Saying that response planning has been neglected and needs more improvement than prevention would be a reasonable statement.
But FAR too many management types will look at the headline and agree with what it says.
Also, far too many security types will jump on the bandwagon as well.
It's easy to measure the effort and success of responses; it's hard to measure the success of prevention.
Posted Jul 15, 2015 21:31 UTC (Wed)
by ballombe (subscriber, #9523)
[Link] (4 responses)
So a good cyberattack response planning for any IT person is to work for an ethical organization.
Posted Jul 15, 2015 22:45 UTC (Wed)
by raven667 (subscriber, #5198)
[Link]
Posted Jul 16, 2015 3:39 UTC (Thu)
by roc (subscriber, #30627)
[Link] (2 responses)
Posted Jul 17, 2015 6:35 UTC (Fri)
by KSteffensen (guest, #68295)
[Link] (1 responses)
Posted Jul 19, 2015 8:55 UTC (Sun)
by roc (subscriber, #30627)
[Link]
Posted Jul 15, 2015 22:03 UTC (Wed)
by dlang (guest, #313)
[Link] (3 responses)
So what sort of response are you going to make other than "it happened and we'll try to make it so that people don't misbehave in the future"?
Posted Jul 16, 2015 12:45 UTC (Thu)
by imitev (guest, #60045)
[Link] (2 responses)
You're obtuse. As mentioned in previous posts, thinking about a proper response to compromises helps you prevent such compromises in the first place. And that's not just technically (like defense in depth, up-to-date machines, blah blah).
Let me see:
- response guy: what kind of response will we give if your secret database X is compromised?
- CEO: eh? Isn't that info supposed to be in our super-secure-LAN?
- IT: hmm, no, we moved it to some-unsecure-network because important client Y didn't want to install a VPN (or you-name-it whatever stupid but pseudo-valid reason).
If you can regularly assess the response to a compromise of your existing infrastructure, you'll be able to fix your infrastructure first.
Don't tell me that this doesn't happen; I see that all the time. Security people are the ones who prevent the work from being done, and when employees or clients push the management strongly enough, the management ends up giving stupid orders without really understanding the consequences. Another reason is that temporary stuff (creating database blah for only a few days for client X) ends up being used forever.
And after an intrusion, what about:
- proper sysadmin response to manage compromised servers (do I power them off? Do I pull the network cable? Do I try to dump the RAM and dd the disks while still on? ...)
- proper PR: it's much more credible to say at once that data X and Y and Z were stolen, rather than saying that nothing was stolen, then data X, then later Y, and then much later Z, which kind of proves your incompetence and shows that you really don't know what's in your network.
And I can continue with a bunch of other examples, but you get the point.
Posted Jul 16, 2015 21:57 UTC (Thu)
by dlang (guest, #313)
[Link] (1 responses)
Response planning is cleaning up compromised systems and dealing with the PR/legal issues that happen AFTER you are compromised.
If the attacker is defacing systems, or installing malware, there's cleanup to do, but if they are copying data out, there's not much you can do other than the PR stuff without jumping back into prevention.
To quote the article:
> Whether it's nation-state hackers (Sony), hacktivists (HB Gary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it -- we're already doing that and it's not working -- and more how to deal with it.
If you aren't working to prevent the data leaking out, I don't believe that there is much that you can actually do to deal with the results of it having been exposed.
I can't see how you would read this to be the scenario that you paint of the conversation with the CEO.
As for the "what does a sysadmin do after an intrusion", if it's something like Sony, Snowden, etc. the sysadmin isn't going to know the data was lost until long after the fact.
The problem with saying that data X, Y and Z were lost is that you really aren't going to know what was accessed without a lot of research into your logs (and that can only happen if you took the preventative step of having logs of the access in sufficient detail in the first place).
But in any case, nobody believes the PR statements anyway, and it will take a lot more than just one company being honest to change this.
Posted Jul 18, 2015 12:18 UTC (Sat)
by imitev (guest, #60045)
[Link]
> Whether it's nation-state hackers (Sony), hacktivists (HB Gary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it -- we're already doing that and it's not working -- and more how to deal with it.
>> If you aren't working to prevent the data leaking out, I don't believe that there is much that you can actually do to deal with the results of it having been exposed.
You're interpreting the article in a strange way; there's no way Schneier would advocate dropping prevention and focusing only on response. He's only putting an emphasis on response since 1- given that leaks happen anyway even with good prevention, there should be proper response planning, which is almost never implemented in many companies, and 2- he's working for a company providing such services, so you should expect such comments.
Also, by experience, the "prevention" you're talking about often boils down to:
- a set of security best practices that are more or less followed
- sometimes, an automated network scanner whose purpose is to find all workstations in a corporate network to make sure they are centrally managed, in contrast to understanding what data they hold, which is equally (if not more) important.
- meetings within the IT department about how to secure, say, a new DB server, but not about re-assessing the status of existing infrastructure (e.g. the server that was supposed to be for tests with fake data, which slowly became a production server).
In that (not so bright) light, response planning meetings at the management level will uncover problems at the prevention level (if not for the mere fact that, given the recent spotlight on response planning, CEOs could decide that it would be a good idea to implement it, only to find out that the prevention planning imagined by the IT department was not that great).
>> The problem with saying that data X Y and Z were lost is that you really aren't going to know what was accessed without a lot of research into your logs (and that can only happen if you took the preventative step of having logs of the access in sufficient detail in the first place)
Sure, but it'll be better to say that it'll take time to investigate rather than saying nothing was stolen.
Posted Jul 16, 2015 19:35 UTC (Thu)
by butlerm (subscriber, #13312)
[Link] (1 responses)
Posted Jul 16, 2015 21:27 UTC (Thu)
by ncm (guest, #165)
[Link]