Forensic incident response to the fore
We've recently been witnessing tremendous change in perspective when it comes to IT security. It started in early 2010 when Google announced publicly that it had been the victim of a sophisticated cyber attack. Later, more companies went public: software makers, defense contractors, computer and networking companies, and most recently the security and domain name registrar VeriSign.
I don't believe these incidents are a blip, but rather a flip. A flip in the way organizations view coming forth publicly about significant IT security incidents. The shroud of embarrassment associated with breaches has been lifting. I suspect in the year ahead we will see many more breach announcements. Not only because Google helped make it more acceptable, but because it's required in many cases now as we detailed in “SEC Cybersecurity Guidelines -- What You Should Know.” The SEC is all but making it a mandate for public companies to report significant incidents.
More importantly, what does all of this mean for the IT security industry? Has any of it changed the way enterprises view security? Fortunately, yes. The message is clear: Even the most sophisticated companies can be breached.
This is changing the way many in IT security view their profession. The industry is no longer viewed as just about firewalls, secure sockets layer (SSL), anti-virus, and intrusion detection and prevention systems. While such defenses are vital, no one can architect an impenetrable enterprise-wide defense.
Jon Oltsik, a principal analyst at Enterprise Strategy Group (ESG), gets this. In a recent post he argues that, “Large organizations need best practices for inevitable security events.”
It's absolutely so. When it's finally understood that a certain percentage of attacks will be successful, incident response and forensics become much more important.
For instance, ESG's research found that 20 percent of large enterprises are certain that they've been the target of an advanced attack (often referred to as an advanced persistent threat), while another 39 percent believe that they've likely been targeted. That's roughly 60 percent of organizations who have good reason to believe that they've been targeted by attackers who are skilled at what they do. Personally, I think a good percentage of those who don't think so either have nothing worthwhile to steal, or they're burying their head in the sand.
Something worth noting about the ESG research findings is that organizations seemed to be challenged when it came to actually having the internal technical chops necessary to respond to an incident. They may lack the staff necessary to respond, or the technology, policies, procedures, and even proper internal communications plans.
Oltsik believes that more CEOs are likely to increase security budgets this year and put the pieces in place necessary for their organizations to more effectively respond to security breaches.
It's not just executive leadership that is taking notice of the need for incident response. The topic is getting increasing media attention after years and years of inattention.
It's a great sign to see more news items tackling the topic. It shows a general maturing of IT security.
One example is an interesting story last month in DarkReading. The piece highlights how organizations can overcome staff shortages, lack of skills and lack of incident preparedness.
While surveys, news stories and opinions are some indicators, when trying to determine the accurate direction of a trend it's always good to gather information from multiple data points.
Joseph Naghdi of Computer Forensics Lab, says, “there is definitely an uptake in hires for forensic experts, and this trend will continue.
Anthony DiBello is the product marketing manager for compliance and cybersecurity solutions at Guidance Software. The company will be returning to the RSA Conference this year and will be located at booth 136.