Incident Response Enables Innovation
Draconian security controls, processes, and policies are already stillborn or soon will be. They will go the way of on-premises Exchange, slow-moving monolithic IT departments, and Usenet. Heavy-handed security practices may never die outright, but they will slowly atrophy into irrelevance just like the IT of yesterday. Incident Response, empowered by technologies like SOAR, automated case management, and Endpoint Detection and Response (EDR), lets a business rapidly contain potential compromises and adapt to previously unknown attacks at the speed of business and innovation.
It is a dream for many cybersecurity professionals to have an iron grip on an organization and lock down any and all privileges to exactly what users need to accomplish their duties and nothing more. Application whitelisting, internet whitelisting, and two-party approval of duties sound like a panacea, but in practice they can increase threat rigidity in an organization until it atrophies and dies. As organizations run faster toward cloud technologies, veteran security personnel (the architects) run and hide from them. As an Incident Responder you should run head-long into these technologies: the ability to have coverage over your assets wherever they may run, or hide, is exactly what we have always wanted. Application whitelisting, wonderful though it may be, is a nightmare to deploy on a developer's system. Something far more useful is EDR, where a SOC can monitor a system, alert on it, and rapidly respond to those alerts, without hampering the developer's ability to innovate and meet business goals. Implementing a preventative control in an environment costs an unbelievable amount of political capital, and a cybersecurity department can run that balance negative with a single failed project.
Organizations that want to innovate and adapt in an agile manner, yet still protect themselves against attacks, should invest in Incident Response. IR requires only a few significant projects to deploy, and relatively small investments like centralized logging, EDR tool-sets, packet capture, and standard operating procedures pay dividends. Most of these technologies apply to far more than security: troubleshooting a production issue with centralized logging and the ability to capture packets on demand dramatically shortens mean time to resolution. Detecting attacks requires visibility across the entire organization, which gives IR personnel a truly unique view of it, one that Operations and other teams can exploit to a tremendous extent. By contrast, draconian preventative controls like IPS, application whitelisting, and, in earlier days, firewalls and AV caused so many headaches that organizations refused to deploy another security control for years afterward.
The cybersecurity problem is too big; narrow your focus. The ability to rapidly detect, contain, eradicate, and restore is the basis of any security program. Cybersecurity departments should focus on threats and attacks, not on building infrastructure. Let the infrastructure people do that: loosen the reins on security and allow infrastructure teams to hire some cybersecurity practitioners directly.