In his Black Hat 2014 session entitled “The State of Incident Response,” security guru Bruce Schneier, CTO of Co3 Systems, Inc., said that hackers will invariably breach networks, but it is what comes next that really matters.
Placing great emphasis on automated systems and technology as support for the people who carry out incident response, Schneier proposed a four-step approach: observe, context, decide, and act.
Observe means knowing what is happening on networks in real time, which can be done using log monitoring, log analysis tools, network management tools and the like, Schneier said.
Context amounts to gathering data and intelligence, such as knowing the latest malware and vulnerabilities. Decide involves figuring out what needs to be done in the moment and who should have the power to make decisions. Act then carries out that decision.
“The goal here is to bring people, process and technology together in a way that hasn't been done before,” Schneier said, explaining that the industry has a lot to learn from other disciplines that have been practicing generic crisis management for decades.
Schneier opened his session by touching on some trends he is seeing in cyber security, beginning with organizations' increasing lack of control over their IT infrastructure.
“The rise of cloud computing means we have a lot less control of our data,” Schneier said, explaining that organizations are outsourcing, thus giving vendors more control, and users a lot less visibility.
Schneier said that attackers are becoming more sophisticated. There are now supply chains for cyber crime, he said, and tactics are converging as well, making it harder to distinguish between a hobbyist and a nation-state hacker.
On the topic of nation-state hackers, Schneier noted increasing government involvement in cyberspace. He said that countries are building cyber weapons and stockpiling vulnerabilities.
The days of letting the industry take care of incident response are quickly coming to an end, according to Schneier, who said that government requirements for data safety are coming.
Schneier also touched on some IT economics relevant to security, including the notion of fixed cost versus marginal cost, or development costs versus the cost to make each individual thing. In IT, most cost is in development, and theft of the result of that development is a powerful attack, he said.