Better Incident Response Is the Real Game Changer

Josh Beckett

As usual, on my very long drive to work, I was getting my daily fix of NPR and a couple of stories prompted me to write today.  First was a story that had to do with one of the interesting side effects of moneyball and how it was making baseball games longer by increasing the value of players that get walks.  More walks = longer games = less action = more fan boredom.  Their takeaway: you get what you ask for.  Not very security-esque, but stay with me.

The second story had to do with one of those agencies that's been in the news lately for monitoring lots and lots of email and phone communications.  I've heard claims that all three branches of government had oversight into the process.  It struck me that there is a major problem with that claim.  They were all sworn to secrecy and operating behind closed doors.  No transparency; just a tacit statement that we only look at the facts relevant to the bad stuff.  Ok, so how are they related?

Well, the only organizations that can afford to operate a vast and inefficient net that swallows up every bit of data without concern for false positives are government-run ones, and particularly secret ones.  The rest of us that operate on limited budgets and are bound by market economics must reduce the noise wherever and whenever possible.  We simply don't have time and resources to waste on chasing down unimportant or unrelated things.

The latest buzzword in many security circles is data analytics.  On the surface, such a concept is really just what these government programs are doing: grab every bit of data and sort out later what could be important using the concept of "I'll know what's important when I see it."  I grant this works when you are dealing with the over-the-network communications of bad guys around the globe planning terrorist attacks, as long as the rest of us don't mind our privacy being compromised.  Sadly, polls seem to indicate that most people don't, as long as the spin is right on the story.  Of course, if the good guys can do this, and the bad guys can get into just about any network, can't the bad guys find all the stuff that the good guys aren't looking at?  Article for another day.

The challenge when it comes to security in the non-government sector is that our worlds are a lot smaller.  We don't have the benefit of being capable of intercepting the planning intel before the attack.  We are only capable of finding out there was a plot to rob the bank after the thieves are running out the door with the goods in their hands.  So our problem is different.  The data must enable the ability to respond quicker.  The window from security breach to data exfiltration is small indeed.  Action must be exceedingly fast and automated where possible.

We are in the process of getting what we have asked for with many of the data analytics solutions out there today.  The question is and remains, will it make the game fundamentally better or worse?  Will we be able to plow through these mountains of data and sort the wheat from the chaff in time to keep the silo from burning down?

Faster and more accurate incident response is what we need and should be asking for.  If the data within the analytics capabilities enables a faster response process, one that makes it possible to clearly target only the bad and reduce false positives to near zero, then automating response is possible.  That, my friends, is good security.  Action that ignores the unimportant and only responds against what is malicious is very useful and beneficial in the cyber-info-war that the good guys are losing badly today.
