Incident Response: More Art than Science

Five to ten years ago, the cybersecurity industry was mainly focused on incident prevention with tools like endpoint antivirus software, firewalls, IDS/IPS, and web threat gateways. This perspective changed around 2010, driven by the Google Aurora attack and the subsequent obsession with advanced persistent threats (APTs).

These and other events convinced the cybersecurity community that hackers could easily circumvent standard prevention-centric security controls so we needed much better tools for incident detection on endpoints and the network.

Over the last year or so, the cybersecurity winds have shifted once again. With the onslaught of new detection engines, CISOs need ways to collect, process, analyze, and react to volumes of incident detection data in a timely fashion so they can actually respond to incidents.

Why the change?

Incident response (IR) is where technology meets humanity, as it depends upon the instincts, experience, skills, and methodologies of really smart people. These individuals, and the processes they create, are the essential ingredients for discovering and addressing cyber-attacks efficiently and effectively – at each and every organization.

So incident response is built upon a foundation of brainy intuitive people and their own quirky processes.  Unfortunately, this makes incident response more art than science and lots of organizations just can’t find the IR equivalents of Monet, Picasso, and Rembrandt.  This shortfall can lead to lots of IR problems.  According to ESG research for example, (note: I am an ESG employee):

Recognizing the array of incident response weaknesses, the cybersecurity industry is now responding to this growing opportunity. There have been a few acquisitions in this area, like FireEye’s purchase of Mandiant and Proofpoint’s grab of NetCitadel. Burgeoning IR requirements are also creating the integrated cybersecurity orchestration platform (ICOP) market, with products from the likes of CSG Invotas, Phantom Cyber, and Resilient Systems. Finally, firms like IBM, RSA, and Symantec are elbowing their way into the lucrative IR services market dominated by Mandiant.

All in all, everyone seems anxious to address IR deficiencies but we are just scratching the surface.  In my humble opinion, the cybersecurity community needs a much broader collective IR effort in areas such as:

Lots of people paint, but only a few produce masterpieces. As long as IR remains more art than science, we can expect a handful of experts and an abundance of amateurs. It will take a cooperative effort from the cybersecurity village to bridge this gap.


Jon Oltsik
