Incident Response: Where Time IS Money

by Al Hartmann

July 9, 2015


Yesterday was quite a day in the world of network security (cyber security for you hipsters). First, United Airlines grounded flights because of a technical ‘glitch’, followed shortly by the New York Stock Exchange (NYSE) announcing they were halting all trading. This news was, of course, reported by The Wall Street Journal… which was then offline just a short time later.

And panic ensues on the Interwebs! Twitter was abuzz with rumors of a massive and well-coordinated cyber attack. Folks were jumping off the virtual bridge and declaring a virtual Armageddon.

Chaos ensued until each organization made public declarations that the problems were NOT the result of any cyber attacks, but instead that dreaded and inconclusive ‘technical glitch’.

Attack or Glitch: Visibility Is The Actual Problem
Today’s environment now simply assumes ‘attack’ instead of ‘glitch’ and, let’s be honest, a great team of hackers can make the two look the same as well. We still don’t know the full details around any of the problems from July 8th, and probably never will (although rumors are already leaking of some network resiliency problems with one of the biggest ISPs). But the fact remains that when something like this happens, the one thing an organization needs is simply: answers.

Data suggests that incident response may cost thousands of dollars an hour, and in the case of businesses such as NYSE and United that doesn’t take into consideration the impact of the downtime itself. The boards of directors at these companies don’t want to hear that something like this will take hours, and they might not even care how it happened; they just want it resolved quickly.

This is why you hear so much about visibility… and I’ll be the first to admit that it’s an overused term. But it’s critical in times of emergency like yesterday that an organization knows all the endpoints in its environment and the contextual behavior behind those endpoints. An endpoint might be a laptop, a desktop, or a server, and it might be online or offline. In our new era of security, where the concept of “prevent & block” is no longer an adequate strategy on its own, our ability to “rapidly detect & respond” has become more and more critical.

So how are you making the transition to this new era of security? How do you minimize the time in determining whether it was an attack or a glitch, and what to do about it?