The future of Incident Response?

e2e attended the Security Expo at ExCeL earlier in the week and managed to listen to a few keynote speakers. We were very interested in ‘The Future of Incident Response’ talk by Bruce Schneier and thought we should add our thoughts…

So what do e2e think is the future of incident response?

Incident response is all about Technology, Process and People

Technology is in abundance: you can take your pick from a vast pool of excellent commercial and open source security tools. Technology slowly gets better, but in the security/protective monitoring space we aren’t expecting technology to provide all the answers in the future.

Process, or processes, are becoming more important. Organisations that recognise that security technology is relatively pointless without good processes are on the right path. Processes are important in incident response because they ensure that the most efficient course of action is taken - vital in the ‘few against many’ scenarios we find ourselves in when defending against cyber-attacks. So processes need to keep evolving in the future, and we need to learn to practise them. There is no other way to do this bit; just ask the Forces. Practise responding over and over again until you have it nailed. Even roll out the stopwatches…

People are the key to effective response. We often try to explain why by contrasting a security event with a typical operational event such as a server failing. There are very few ‘on or off / 0 or 1 / broken or fixed / up or down’ types of security event that can automatically be rectified. Whilst we can understand that we could use technology to restart a failed server process automatically, we can find few examples of applying automation to security events. Why? Security events are ‘maybes’, ‘could bes’ and ‘might bes’. They aren’t ‘down or up’; they are something else. To find out what they are requires people. Expert people. Expert people with practised processes and excellent, focused technology. The processes and technology should be designed to serve the person. In incident response they are indeed subservient.

The future of incident response according to e2e? A shift from expecting technology to solve the problem to relying on people.

Stop investing in the latest SIEM, stop swooning over ‘big data’ and start with your people.

Written on October 10, 2014