Cyber Incident Response Plan (Part 1)

The value of your cyber incident response plan becomes clearer as global incidents unfold. Just today, I was going through my news feeds and came across a post titled “Cybersecurity: Defending ‘unpreventable’ cyber attacks” by Paul Rubens from BBC News, and one word stood out: “Vigilance”.


Cyber Incident Response Plan
The question of network security and visibility has been asked quite a bit in the past few months. It seems like every other day we see a new post about some big attack costing millions of dollars. From the Target security breach to the politically motivated Sony attacks, how to deal with the issue has been brought into question.

We are now coming to the realization that it is difficult, if not impossible, to stop these types of attacks. Administrators really need to stop focusing all of their attention on preventing intruders from getting into their computer networks, and concentrate more on minimizing the damage that an attack can cause when it does happen.

“Right now most companies are underestimating risk. So the question they need to be asking is, ‘How do I change what I do to take into account this risk?’” – says James Lewis, a cybersecurity expert at the Washington DC-based Center for Strategic and International Studies (CSIS).

As we learned, or maybe didn’t learn, with Sony, being able to detect the breach as quickly as possible, and having the correct tools and resources to analyze network data, is what lessens the impact of the attack and its overall cost. That is why having your incident response plan include NetFlow and IPFIX technology, and then using it to record and monitor your network’s conversations, should be a big part of your incident response team’s training. By employing an advanced NetFlow analyzer that not only stores all of the required data but also provides the intelligence to be proactive and detect possible traffic abnormalities, you get the upper hand in the fight.

As the BBC article suggests, being vigilant is the key to securing your network in today’s chaotic world. This means that you need to make sure you choose a tool that uses today’s advanced traffic monitoring protocols like NetFlow and IPFIX, but, honestly, that isn’t enough. Sure, when the alarms ring and you are under attack, having extensively detailed historical information will definitely help your incident response team resolve the issue faster, but that might only happen 1% of the time. What about the other 99% of the time? How can you use this technology to be vigilant?

So how should this fit in my Incident Response Plan?

This is where I think the BBC article is spot on. No matter how many times the sales people tell you the opposite, no one tool is going to make your network secure. In today’s world we have to have multiple layers, multiple monitors, and multiple guards. NetFlow and IPFIX technology gives you visibility into network traffic that just wasn’t there in years past. When you combine this with your firewalls, IDS and other security tools, you are one step closer to having a system that can withstand an attack. Imagine having a record of every conversation that has happened for the past six-plus months. Then imagine having those resources at your fingertips during a major network breach. Imagine how valuable that would be, and how much money it would save the company. Now take that a step further: what if you tailor this tool to monitor for specific issues?

Build monitors from your own reports.

One example where we helped a client meet government compliance and build their own monitoring tools with Scrutinizer was with a local university. One of the many requirements for compliance was to monitor for specific IP traffic going to the student records servers and be alerted. Basically, they needed to know if any IPs outside the range of allowed ones were communicating with that range of servers. This was not only for compliance but also a requirement for local and federal grants, so having this type of flexibility in a NetFlow monitoring tool was needed. In this case we used Scrutinizer’s filtering tool and threshold option to quickly create a tool that provided that needed “Vigilance”. As you can see in the picture above, I have created a unique dashboard view. This allows me to display all of my security reports on one pane of glass and at the same time provides me with the insight my incident response plan requires.
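The two-step logic described above (a filter that matches traffic to the protected servers from any source outside the allowed ranges, followed by a threshold that turns repeated matches into an alert) can be expressed directly over flow records. The following Python is an added example written for this post; it is not Scrutinizer's own filter syntax, and the address ranges and flow records are constructed for illustration.

```python
"""Flow-based compliance monitor (added example, not Scrutinizer code).

Filter step: keep flows whose destination is a protected student-records
server and whose source lies outside every permitted network.
Threshold step: raise an alert for any source that produces that many
matching flows, so a single stray packet does not page anyone but a host
walking the server range does.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical address plan, constructed for this example.
ALLOWED_SOURCES = [ip_network("10.10.0.0/16")]   # registrar / admin VLAN
PROTECTED_SERVERS = ip_network("10.20.5.0/24")   # student records servers

# Constructed flow records in the shape a NetFlow/IPFIX collector exports:
# (source address, destination address, destination port, bytes)
SAMPLE_FLOWS = [
    ("10.10.4.25", "10.20.5.10", 443, 18400),  # permitted admin workstation
    ("10.10.4.26", "10.20.5.11", 443, 9200),   # permitted
    ("10.30.7.8",  "10.20.5.10", 443, 512),    # student LAN host -> records server
    ("10.30.7.8",  "10.20.5.12", 22, 96),      # same host touching SSH on others
    ("10.30.7.8",  "10.20.5.13", 22, 96),
    ("192.0.2.44", "10.20.5.10", 443, 2048),   # external address, single hit
    ("10.30.7.9",  "10.40.1.1", 80, 4096),     # not to the protected range: ignored
]


def is_allowed_source(src, allowed=ALLOWED_SOURCES):
    """True when the source address falls inside any permitted network."""
    return any(ip_address(src) in net for net in allowed)


def find_violations(flows, allowed=ALLOWED_SOURCES, protected=PROTECTED_SERVERS):
    """Filter step: flows into the protected range from a non-allowed source."""
    return [
        (src, dst, dport, nbytes)
        for src, dst, dport, nbytes in flows
        if ip_address(dst) in protected and not is_allowed_source(src, allowed)
    ]


def sources_over_threshold(violations, threshold=2):
    """Threshold step: {source: count} for sources at or above the threshold."""
    counts = Counter(src for src, _, _, _ in violations)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_violations(SAMPLE_FLOWS)
    for src, dst, dport, nbytes in hits:
        print(f"match: {src} -> {dst}:{dport} ({nbytes} bytes)")
    for src, n in sources_over_threshold(hits).items():
        print(f"ALERT: {src} produced {n} flows into the protected range")
```

The threshold defaults to 2 here so that a host sweeping several protected servers alerts while a one-off external hit is only logged; in practice the value comes from what the compliance requirement and the grant terms actually demand.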

Use Flow Analytics’ intelligence to work for you.

Another example where flow technology helps keep you secure the other 99% of the time is by identifying network anomalies using Network Behavior Anomaly Detection (NBAD). When you combine this type of intelligence with historical data, the value of NetFlow and IPFIX analysis really starts to play a significant role in your IRP. Simply put, by leveraging flow data to monitor behaviors, some types of malware and other traffic anomalies can be detected before they become a much larger issue. Remember, these threats can lie dormant on your network for months; having the historical data allows you to search for those tiny conversations and find any other network devices that are infected.
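The two uses of flow data in this paragraph, a behavioral baseline that flags a host whose traffic departs from its own history and a look back through retained records for the small conversations an infected host had months ago, are shown together in the following Python. This is an added example, not code from Scrutinizer or from the post; the per-host daily totals, the archived flows and the indicator address are all constructed.

```python
"""Behavioral anomaly detection plus retrospective search over flow history
(added example; constructed data, not any vendor's NBAD implementation)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily outbound byte totals per host for the past seven days,
# the kind of per-host summary a flow collector keeps as history.
HISTORY = {
    "10.30.7.8":  [1_000_000, 1_100_000, 900_000, 1_000_000, 1_200_000, 1_000_000, 900_000],
    "10.30.7.9":  [500_000, 520_000, 480_000, 510_000, 490_000, 500_000, 500_000],
    "10.10.4.25": [20_000_000, 19_000_000, 21_000_000, 20_000_000, 22_000_000, 18_000_000, 20_000_000],
}
# Today's totals: 10.30.7.9 suddenly moves twenty times its usual volume.
TODAY = {"10.30.7.8": 1_050_000, "10.30.7.9": 10_000_000, "10.10.4.25": 20_000_000}

# Constructed archived flow records: (days ago, src, dst, dst_port, bytes).
# 198.51.100.7 stands in for an address later identified as hostile.
ARCHIVE = [
    (92, "10.30.7.9",  "198.51.100.7", 443, 310),
    (61, "10.30.7.9",  "198.51.100.7", 443, 290),
    (60, "10.30.7.11", "198.51.100.7", 443, 305),
    (3,  "10.30.7.9",  "10.40.1.1",    80, 4096),
]


def anomalous_hosts(history, today, k=3.0, min_ratio=2.0):
    """Return {host: (today_bytes, baseline_mean)} for hosts whose volume
    today is both more than k standard deviations above their own mean and
    at least min_ratio times that mean.  The ratio guard keeps a host with a
    near-constant baseline (tiny stdev) from alerting on a trivial change."""
    flagged = {}
    for host, total in today.items():
        samples = history.get(host)
        if not samples:
            continue  # no baseline yet; a brand-new talker needs its own rule
        mu, sigma = mean(samples), pstdev(samples)
        if total > mu + k * sigma and total >= min_ratio * mu:
            flagged[host] = (total, mu)
    return flagged


def hosts_that_contacted(archive, indicator):
    """Return {host: [days_ago, ...]} for every internal host that talked to
    the indicator address at any point in the retained archive, however
    small the flow.  This is the look-back that finds the other infected
    devices once one is known."""
    seen = defaultdict(list)
    for days_ago, src, dst, _, _ in archive:
        if dst == indicator:
            seen[src].append(days_ago)
    return dict(seen)


if __name__ == "__main__":
    for host, (total, mu) in anomalous_hosts(HISTORY, TODAY).items():
        print(f"ANOMALY: {host} sent {total} bytes today vs baseline {mu:.0f}")
    for host, days in hosts_that_contacted(ARCHIVE, "198.51.100.7").items():
        print(f"{host} contacted the indicator {len(days)} time(s), days ago: {days}")
```

A baseline of seven days is deliberately short here so the numbers fit on the page; the longer the retained history, the less a slow-moving implant can hide inside the noise of the baseline, which is exactly why the post argues for keeping months of flow records.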

In part 2 of my Cyber Incident Response Plan, we will learn how to build our own monitoring tools with Scrutinizer.
