
Thursday, January 09, 2014

What Does "One Hour" Mean for Incident Response?

Yesterday, 8 January 2014, was the 11th birthday of TaoSecurity Blog. Please check out my happy 10th birthday post if you want to know why I don't blog much! In brief: Twitter.
I just read a story which I thought required more than 140 characters of attention: OMB revising data breach reporting requirements by Jason Miller. It says in part:
GAO found OMB's requirement to submit information about data breaches to the DHS U.S. Computer Emergency Readiness Team (US-CERT) within an hour after discovering the breach is of little value...
"Officials at agencies and US-CERT generally agreed that the current requirement that PII-related incidents be reported within one hour may be difficult to meet and may not provide US-CERT with the best information," auditors wrote.
"Specifically, officials at the Army, FDIC, FRB, FRTIB, and SEC indicated that it was difficult to prepare a meaningful report on a PII incident to US-CERT within the one-hour time frame required by OMB. The officials stated that meaningful information on an incident is often not available in that time frame, and reporting an incident to US-CERT without all relevant details would likely be of limited value. While VA officials stated that most of their incidents are reported in less than an hour, they do not believe the time frame is consistent with other US-CERT reporting guidelines and that the majority of the incidents would more appropriately be reported on a weekly basis."
US-CERT told GAO that the one-hour time frame doesn't give a clear picture of the reported incident and the information isn't used to help remediate incidents or provide technical support to agencies.
"Further, US-CERT's Chief of Performance Metrics confirmed that the vast majority of PII-related data breaches are not cybersecurity-related," the report stated. "Specifically, the official estimated that seven of every eight reported breaches do not involve attacks on or threats to government systems or networks...
Additionally, OMB staff said that they were unaware of the rationale for the one-hour time frame, other than a general concern that agencies report PII incidents promptly.

I'm not quite sure if OMB required reporting all incidents within an hour, or just "PII-related incidents." The latter seems true, but the article mentions reporting other incidents within an hour.
If you've heard me speak or read my fourth book, The Practice of Network Security Monitoring, you will recall me mentioning "one hour." The one hour in my context is the time from detection to containment. It is not a reporting deadline; there is no explicit reporting-time requirement in my recommendation. There is a difference between notifying the people who must implement containment and writing a thorough investigative report.
Furthermore, my one hour recommendation is a requirement for high severity intrusions, not every incident. (The meanings of all these words matter, hence the bold and underline formatting.) Not all incidents are intrusions. Please see my 2009 post on intrusion ratings for examples of different severities.
The reason to strive for one hour from detection to containment is to implement the strategy of limiting the intruder's time of maneuver. If you can stop an intruder from accomplishing his ultimate objective, the fact that he penetrated your resistance systems is less important. What's important is that the intruder didn't complete his mission.
The fact that "OMB staff said... they were unaware of the rationale for the one-hour time frame" shows that requirement was divorced from an articulated, thoughtful, grounded defensive strategy. There is nothing magic about one hour, although I believe it represents an aggressive yet realistic containment requirement for organizations willing to invest in thorough and comprehensive detection, response, and containment processes and technology staffed by motivated CIRT members.
Ideally you implement one hour from intrusion to recovery, but let's save that even more aggressive goal for a time when you can implement one hour from detection to containment!
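If you want to hold a CIRT to a detection-to-containment target, you have to measure it, and measure it for the right population. Below is an added example (my own illustration, not code from the post or the book) that scores a set of constructed incident records against a one-hour target, applying it only to high-severity intrusions, treating still-open intrusions as misses, and tracking intrusion-to-recovery separately. The Incident fields, the severity labels "high", "medium" and "low", and the sample records are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The target from the post: one hour from detection to containment, applied
# only to high-severity intrusions. Lower severities and non-intrusion
# incidents are still tracked, but not held to this target.
CONTAINMENT_TARGET = timedelta(hours=1)


@dataclass
class Incident:
    ident: str
    is_intrusion: bool                   # not every incident is an intrusion
    severity: str                        # assumed labels: "high", "medium", "low"
    intrusion_time: Optional[datetime]   # best estimate of first unauthorized access
    detection_time: datetime             # when the CIRT first learned of it
    containment_time: Optional[datetime] # None while the intruder can still maneuver
    recovery_time: Optional[datetime] = None


def detection_to_containment(inc: Incident) -> Optional[timedelta]:
    """Time the intruder had to maneuver after we knew he was there."""
    if inc.containment_time is None:
        return None
    return inc.containment_time - inc.detection_time


def intrusion_to_recovery(inc: Incident) -> Optional[timedelta]:
    """The more aggressive measure: total dwell time through recovery."""
    if inc.intrusion_time is None or inc.recovery_time is None:
        return None
    return inc.recovery_time - inc.intrusion_time


def subject_to_target(inc: Incident) -> bool:
    return inc.is_intrusion and inc.severity == "high"


def meets_target(inc: Incident, target: timedelta = CONTAINMENT_TARGET) -> Optional[bool]:
    """True/False for incidents in scope; None for incidents the target does not cover.
    An in-scope intrusion that is still uncontained counts as a miss, not an unknown."""
    if not subject_to_target(inc):
        return None
    elapsed = detection_to_containment(inc)
    if elapsed is None:
        return False
    return elapsed <= target


def summarize(incidents, target: timedelta = CONTAINMENT_TARGET) -> dict:
    scoped = [i for i in incidents if subject_to_target(i)]
    met = [i for i in scoped if meets_target(i, target)]
    durations = [d for d in (detection_to_containment(i) for i in scoped) if d is not None]
    return {
        "total_incidents": len(incidents),
        "high_severity_intrusions": len(scoped),
        "met_target": len(met),
        "missed_target": len(scoped) - len(met),
        "max_detection_to_containment": max(durations) if durations else None,
    }


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records for the example; timestamps are invented.
SAMPLE_INCIDENTS = [
    # contained 40 minutes after detection, recovered the next day
    Incident("INC-1", True, "high", _t("2014-01-08T02:10"), _t("2014-01-08T09:00"),
             _t("2014-01-08T09:40"), _t("2014-01-09T12:00")),
    # contained, but 3.5 hours after detection: a miss
    Incident("INC-2", True, "high", _t("2014-01-07T22:00"), _t("2014-01-08T10:00"),
             _t("2014-01-08T13:30")),
    # medium severity: tracked, not held to the one-hour target
    Incident("INC-3", True, "medium", None, _t("2014-01-08T11:00"), _t("2014-01-08T16:00")),
    # lost laptop holding PII: an incident, not an intrusion
    Incident("INC-4", False, "low", None, _t("2014-01-08T12:00"), _t("2014-01-08T12:05")),
    # high-severity intrusion still open: counts as a miss
    Incident("INC-5", True, "high", _t("2014-01-08T13:00"), _t("2014-01-08T14:00"), None),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.ident, "in scope:", subject_to_target(inc),
              "met target:", meets_target(inc),
              "detection->containment:", detection_to_containment(inc))
    print(summarize(SAMPLE_INCIDENTS))
```

The point of the scoping functions is the distinction the post draws: the report would show five incidents, but only three are high-severity intrusions, and only one of those was contained within the hour. Counting INC-4 as a one-hour "miss" would mean measuring a reporting deadline, not an intruder's time of maneuver.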
If you want to read more, chapter 9 of my book explains these ideas. Use code NSM101 to save 30% off when ordering from No Starch.