At the ready: Incident response

Incident response has become a more complex art, says Rusty Agee, the city of Charlotte's security leader. Karen Epper Hoffman reports.

By most accounts, last year's Democratic National Convention (DNC) was a rousing success. And at least some small part of that is owing to Rusty Agee's progressive approach to incident response (IR).

Not a politician or an event organizer, Agee is instead the information security engineer for the city of Charlotte, N.C., where the convention was held in early September 2012. A high-profile national forum, the DNC undoubtedly would have been a major target for hackers of all stripes, and yet the event went through with nary a major reported cyber security breach. Agee says that, with support from the city's IR vendor, the IT team was ready had a major attack occurred.

“We haven't had any significant incidents to speak of for quite some time,” Agee says, conceding that the city still deals with the routine infected machines and malware outbreaks. “When I was first doing security, we all worried about someone hacking into the network. But over the last few years, the industry as a whole has come to realize that you have the threat of [people] trying to hack in, and it's a lot easier for users on the network to make mistakes… It's caused us all to be a lot more proactive.”

Agee began working for the city of Charlotte's network team in 1999 as a contractor before moving in-house and then to the security side in 2007. Since then, he has seen incident response evolve greatly. In his current position, he is responsible for maintaining the busy city's network of 6,500 users across more than 100 locations, including fire stations, police satellite buildings, utilities, solid waste facilities and the transportation and engineering departments. One of his major decisions as the city's top information security engineer came in 2010, when he decided to replace Charlotte's outdated incident management system with a more up-to-date security information and event management (SIEM) system. 

The old IR system was not only reaching end of life, but, while it was efficient at collecting logs, it did not make it easy to get the data back out, Agee says. With the implementation of the new platform in early 2011, Agee and his team are now able to generate and collect logs and analyze data from multiple sources to obtain a better picture of what behavior is normal and what is suspicious. “Now we can drill down with a couple of clicks,” he says, adding that the new system offers an enhanced view of the network from before and after an intrusion, and fits in well with the new role-based security that the city has implemented.

Manageability, control and ease of use are becoming more important selling points to IR technology, as organizations increasingly recognize that the threat of a breach is more than a threat – it's an inevitability. In the face of some bruising incursions, industry observers point out that companies and government agencies are finally realizing that it's just a matter of time before their number comes up. And that is impacting the way they handle incident response from top to bottom.

“[Cyber attacks] have always been a reality,” says Tom Cross, director of security research for Lancope, an Alpharetta, Ga.-based security and network performance monitoring company. “But one thing that has changed is the appreciation for the sophistication of certain kinds of attacks.”