Академический Документы
Профессиональный Документы
Культура Документы
EXECUTIVE SUMMARY
Information security attacks have become more targeted, more sophisticated, more
adaptable and harder to find. As it becomes more difficult to prevent attacks,
information security professionals must do a better job responding by reducing
attackers free time within the network, getting to the root cause faster, and learning
from each attack to reduce future risk.
Organizations incident readiness and response often falls short in ten areas that span
people, processes and technology. By tackling these shortcomings, security
professionals can reduce risk by providing early warnings of potential problems, rather
than scrambling to chase the latest threat.
RSA Whitepaper
page 2
page 3
Such a run book might include, for example, step-by-step instructions for responses
to common events and incidents such as detection of malware, rootkits and rogue
wireless devices. Other responses might apply to potentially risky conditions such as
unwanted administrative access to executive mailboxes and attempts to access known
malware domains. Organizations should leverage industry best practices for incident
response procedures, such as those from NIST, VERIS and the SANS Institute. They
should also document their own best practice procedures and prepare run books to
assure a more consistent response to future incidents.
Tip 5: Improve vulnerability management. The move to bring your own device, and
the use of on-demand cloud platforms by business units unwilling to wait for formal IT
procurement processes, makes it harder to find rogue IT systems that could pose a
security threat.
A review of network traffic will likely reveal unknown systems and unexpected data
flows that have bypassed IT asset governance processes. It can also reveal outdated
operating systems, browsers and versions of Java that can be exploited in attacks.
Vulnerability scans also reveal unpatched and non-compliant configurations that pose
security risks. Organizations need to look beyond reports that run thousands or tens
of thousands of pages and lack the business context to prioritize which systems are
most important to the organization. (See Tip 7 below for details on how to perform
such business-centric vulnerability ranking.)
An effective patching process should also assess the risk and cost of each patch. It
may include, depending on the criticality of the issue, testing to ensure the patch
doesnt conflict with other elements in the environment. It should also include rollback and recovery procedures in case the patch does cause a service interruption.
Tip 6: Learn from past incidents and breaches. Effective incident response improves
the organizations security posture over time. This requires thorough and complete
documentation of the incident response both during and after the investigation. (See
Tip 7 below for what a security incident response tracking system should contain.)
That data should be used to improve the organizations processes and systems for
detecting, investigating and limiting the damage from future incidents. The data
should address metrics such as mean time to incident detection and resolution, as
well as indicate the general level of effectiveness of existing countermeasures. This
enables the organization to determine whether budget is being allocated optimally.
Furthermore, those in charge of a Critical Incident Response Center (CIRC) or a Security
Operations Center (SOC) need the authority and internal stakeholder support to
investigate and respond to incidents as they see fit.
To achieve continued improvement, response processes must be repeatable and
measurable through key performance indicators (KPIs) that are relevant to the
business. If one KPI is time to resolution, the organizations performance against it
can help identify what people, processes or technology helped or stood in the way of
reaching that goal. An incident management system can help identify the root cause
and set a measurable goal to learn from the past and measure whether and how the
response is improving.
More mature organizations also document use cases that describe actual response
situations and threat scenarios specific to them. This helps assure that the rest of the
team can learn from past incidents and improve their response.
page 4
page 5
page 4
page 4
ABOUT RSA
RSA, The Security Division of EMC, is the premier provider of intelligence-driven
security solutions. RSA helps the worlds leading organizations solve their most
complex and sensitive security challenges: managing organizational risk,
safeguarding mobile access and collaboration, preventing online fraud, and
defending against advanced threats. RSA delivers agile controls for identity
assurance, fraud detection, and data protection, robust Security Analytics and
industry-leading GRC capabilities, and expert consulting and advisory services.
For more information, please visit www.RSA.com.
EMC2, EMC, the EMC logo, RSA, and the RSA logo are registered trademarks or trademarks of EMC Corporation in
the United States and other countries.
Copyright 2014 EMC Corporation. All rights reserved.
www.rsa.com
H13297