Megan Hall says
A key point that stood out to me was some of the challenges of IDS. I have not personally implemented or managed one, but a few things stood out to me as particularly challenging: the difficulty of normalizing the different logs so they can be integrated, challenges with meaningful correlation rules, and the need for tuning to manage false positives. To me, this stood out as meaning that implementing an effective IDS is easier said than done! I would imagine a lot of organizations invest a lot in an IDS but do not realize the value because they didn’t spend the time or effort to set it up right.
Nicholas Fabrizio says
No matter how much security is implemented in an organization’s network or applications, there is always the possibility of an incident occurring. Incidents range in severity from false alarms to minor incidents, major incidents, and disasters. The last two severities have the capability of interrupting core business functionality, which can result in financial loss, so organizations should have continuity and/or disaster recovery plans in place to help quickly respond to such incidents. It is important to have response plans in place and to practice those plans with rehearsals to understand if there are any flaws. It will also give people experience for when a real incident occurs and hopefully result in less human error during such a stressful situation.
Jonathan Mettus says
I’d take it one step further and say that regardless of the amount of security, there’s always a probability of an incident occurring, at least over time. Every organization is going to experience an incident at some point, guaranteed. The major incidents you mentioned become less likely with more security. Perhaps a virus infection can be detected earlier and quarantined to one machine. BCPs and DRPs are how organizations can minimize the negative effects of disasters and operating disruptions. There are dozens of sayings that apply here: “Failing to plan means planning to fail.” “Prepare for the worst,” etc. As you mention, those plans need to be tested and practiced. Otherwise, they might as well not exist.
Jonathan Mettus says
Personally, I think one of the most important aspects of network monitoring and logging is event correlation. Alerts, errors, etc. happen constantly by the hundreds of thousands. There are more logs generated than can ever be examined by a human. Event correlation can take seemingly normal events across several different systems, spot patterns, and detect malicious behavior. Someone’s account failing to log in to an application isn’t a big deal. But if that same network account is failing three times trying to log into all the different applications, that’s a red flag. Correlating events through a SIEM takes log monitoring to the next level.
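The cross-application failed-login pattern described in the comment above, as an added example that is not part of the original thread or of any SIEM product: three constructed log formats (an sshd line, a webmail auth line, and a JSON application event) are first normalized onto one schema, which is the step the thread earlier called hard, and then a single rule fires only when one account fails at least three times across at least two different applications inside a five-minute window. The log lines, application names, and addresses are constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data): three applications, three different formats.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z vpn-gw sshd[2211]: Failed password for jdoe from 198.51.100.7 port 50122 ssh2",
    "2024-03-01T09:00:09Z webmail auth: LOGIN FAILED user=jdoe ip=198.51.100.7",
    '2024-03-01T09:00:20Z crm {"event": "login", "result": "failure", "user": "jdoe", "src": "198.51.100.7"}',
    "2024-03-01T09:00:40Z webmail auth: LOGIN OK user=asmith ip=203.0.113.5",
    "2024-03-01T09:01:02Z vpn-gw sshd[2212]: Failed password for asmith from 203.0.113.5 port 50123 ssh2",
    "2024-03-01T09:02:30Z webmail auth: LOGIN FAILED user=asmith ip=203.0.113.5",
    "2024-03-01T09:03:00Z vpn-gw sshd[2213]: Failed password for rlee from 192.0.2.9 port 50124 ssh2",
    "2024-03-01T09:03:05Z vpn-gw sshd[2214]: Failed password for rlee from 192.0.2.9 port 50125 ssh2",
    "2024-03-01T09:03:10Z vpn-gw sshd[2215]: Failed password for rlee from 192.0.2.9 port 50126 ssh2",
    '2024-03-01T10:30:00Z crm {"event": "login", "result": "failure", "user": "asmith", "src": "203.0.113.5"}',
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<app>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")
WEBMAIL_RE = re.compile(r"^(?P<ts>\S+) (?P<app>\S+) auth: LOGIN (?P<result>FAILED|OK) user=(?P<user>\S+) ip=(?P<src>\S+)")
JSON_RE = re.compile(r"^(?P<ts>\S+) (?P<app>\S+) (?P<json>\{.*\})$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw line onto a common schema (ts, app, user, src, outcome); None if unrecognised."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "app": m["app"], "user": m["user"], "src": m["src"], "outcome": "failure"}
    m = WEBMAIL_RE.match(line)
    if m:
        outcome = "failure" if m["result"] == "FAILED" else "success"
        return {"ts": parse_ts(m["ts"]), "app": m["app"], "user": m["user"], "src": m["src"], "outcome": outcome}
    m = JSON_RE.match(line)
    if m:
        body = json.loads(m["json"])
        if body.get("event") != "login":
            return None
        return {"ts": parse_ts(m["ts"]), "app": m["app"], "user": body["user"], "src": body["src"], "outcome": body["result"]}
    return None


def correlate(lines, window=timedelta(minutes=5), min_failures=3, min_apps=2):
    """Alert when one account fails >= min_failures times across >= min_apps applications within `window`.

    A burst against a single application (rlee below) is deliberately NOT matched by this rule;
    that is a separate brute-force rule. Failures spread over hours (asmith) fall outside the window.
    """
    failures = [e for e in map(normalize, lines) if e and e["outcome"] == "failure"]
    by_user = defaultdict(list)
    for e in failures:
        by_user[e["user"]].append(e)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            apps = {e["app"] for e in in_window}
            if len(in_window) >= min_failures and len(apps) >= min_apps:
                alerts.append({
                    "user": user,
                    "start": first["ts"].isoformat(),
                    "failures": len(in_window),
                    "apps": sorted(apps),
                    "sources": sorted({e["src"] for e in in_window}),
                })
                break  # one alert per account per run instead of one per overlapping window
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Only jdoe trips the rule: three failures in twenty seconds against vpn-gw, webmail and crm from one source. The dedupe `break` matters in practice; without it an account that fails ten times produces eight overlapping alerts and the analyst stops reading them.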
Elias Harake says
Hi Jonathan. Thank you for your comment about monitoring and logging correlation. I concur, there are way too many logs generated; however, there is not enough monitoring of which alerts or errors actually need professional attention or action. As you mention, a SIEM would assist in better monitoring all the logs being created in an information system. Perhaps also creating a team of professionals whose only role is to monitor and attend to these alerts would assist in improving cybersecurity.
To-Yin Cheng says
One of the parts I have learned from Chapter 10, Incident and Disaster Response, is IT Disaster Recovery. IT disaster recovery is one of the business continuity subsets. It specifically focuses on the technology, on how to get IT back into operation after a disaster using backup facilities. There are different types of backup facilities: hot sites, cold sites, and site sharing with continuous data protection. Each type has its pros and cons. The hot site provides power, HVAC, and computers that are ready to add data to the site, at a high cost. Cold sites have no computer equipment but are less expensive. Selecting a backup site location is also important. It needs to ensure that the backup site would not be shut down at the same time by the same or a different disaster, and that it is available for use in a short period. A continuous data protection plan is necessary. It allows the organization to respond to and recover from the disaster quickly.
Christopher Clayton says
Regardless of how good a company’s security may be, being prepared to handle security incidents, breaches, and/or compromises is the way to go. Efficiency and speed are some key factors that are needed in approaching these incidents to prevent losses. However, going over things too quickly may work in favor of the attacker and cause even more damage. Plan ahead, because what you do to prevent any incidents beforehand is generally more critical than what you do after the incident occurs.
Lakshmi Surujnauth says
Good point. Companies definitely need to be prepared to handle IS incidents. Tools and resources to adequately identify, analyze, contain, and mitigate against future incidents are all important, as a simple small-scale attack could quickly turn into an APT.
Lakshmi Surujnauth says
An interesting takeaway from this reading is collecting and managing the evidence following an information security incident. IT security staff are not only involved in and tasked with managing various aspects of the incident and disaster response, but they also need to collect and manage evidence following an IT security incident. Specifically, they need to be familiar with the local police cybercrime unit and the local FBI cybercrime unit, understand the basic rules of evidence handling (for example, pull the plug on affected servers, and use specially made evidence bags for handling wireless devices, as they are designed to block wireless signals), and document chain of custody, which involves documenting the history of transfers between persons and the actions taken to protect the evidence in each person’s custody. One would imagine that there would be training to ensure that an entity’s cyber security team is fully aware of these steps that have to be followed in the event of an IS incident.
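A worked illustration of the chain-of-custody record described in the comment above, added here as example code that is not part of the original thread or of the textbook. The acquisition hash of the evidence item is recorded at seizure; every later transfer re-hashes the item and refuses to proceed if it has changed, and each log entry carries the hash of the previous entry so that editing or deleting an entry after the fact is detectable. The item, custodians, timestamps and evidence bytes are constructed for illustration; a real record would also capture bag/seal numbers and signatures, which are omitted here.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the very first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Tamper-evident chain-of-custody log for one evidence item.

    Every entry stores the evidence hash at that moment plus the hash of the previous entry,
    so an altered or removed entry breaks the chain when verify_log() recomputes it.
    """

    def __init__(self, item_id, description, evidence, collected_by, at):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = sha256_hex(evidence)  # reference value taken at seizure
        self.entries = []
        self._append("collected", collected_by, evidence, at, "acquisition hash recorded at seizure")

    def _append(self, action, holder, evidence, at, note):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "at": at.isoformat(),
            "action": action,
            "holder": holder,
            "note": note,
            "evidence_hash": sha256_hex(evidence),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def transfer(self, from_holder, to_holder, evidence, at, note=""):
        """Hand the item to a new custodian; refuse if the handover is out of order or the item changed."""
        if self.entries[-1]["holder"] != from_holder:
            raise ValueError(f"{from_holder} is not the current custodian")
        if sha256_hex(evidence) != self.acquisition_hash:
            raise ValueError("evidence hash does not match acquisition hash; item was altered")
        self._append("transferred", to_holder, evidence, at, note)

    def verify_log(self):
        """Recompute the hash chain; True only if no entry was edited, reordered or removed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev or e["evidence_hash"] != self.acquisition_hash:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def run_demo():
    # Constructed evidence bytes and custodians; NOT real evidence.
    evidence = b"CONSTRUCTED disk image bytes for illustration only"
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    rec = CustodyRecord("EV-0001", "image of affected server system disk", evidence, "first responder", t0)
    rec.transfer("first responder", "evidence locker", evidence, t0.replace(hour=10), "sealed in tamper-evident bag")
    rec.transfer("evidence locker", "forensic analyst", evidence, t0.replace(hour=14), "checked out for analysis")
    log_ok = rec.verify_log()

    # Failure mode 1: someone tries to hand over an altered copy of the image.
    try:
        rec.transfer("forensic analyst", "outside counsel", evidence + b"!", t0.replace(hour=16))
        altered_rejected = False
    except ValueError:
        altered_rejected = True

    # Failure mode 2: a past entry is quietly rewritten; the recomputed chain no longer matches.
    rec.entries[1]["note"] = "edited after the fact"
    return {
        "entries": len(rec.entries),
        "log_ok": log_ok,
        "altered_evidence_rejected": altered_rejected,
        "edited_log_detected": not rec.verify_log(),
    }


if __name__ == "__main__":
    print(run_demo())
```

The hash chain is only tamper-evident, not tamper-proof: whoever controls the record could recompute the whole chain. In practice the entry hashes (or the entire record) are also written to a medium the custodians cannot silently change, such as a signed ticket or a printed, countersigned form.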
Mitchell Dulaney says
I think understanding the four primary functions of intrusion detection systems is important. First and foremost, an IDS logs all activity detected on the host or network segment it is scanning. Second, it performs automated analysis on that activity in an effort to identify threats as they occur. An IDS can perform analysis by comparing behavior to known attack signatures, or by comparing logged behavior to expected behavior based on historic network use. Third, the IDS can set off an alarm if and when it detects a potential threat. An alarm in this context is an alert to system administrators with information about the location, time, and nature of the potential threat. Finally, an IDS typically includes a variety of management tools, such as log summary reports and a utility for manual log analysis.
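The four functions listed in the comment above, carried through in code as an added example that is not part of the original thread or of any real IDS: a small class logs every event it sees, analyzes each event against two signature patterns and each source against a statistical baseline of "distinct destination ports per minute" (anomaly detection, threshold = baseline mean plus three standard deviations), raises alarms that carry location, time and nature, and produces a management summary. The events, the baseline figures, the two signatures and the addresses are constructed for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str       # ISO-8601 UTC, e.g. "2024-03-01T12:00:03Z"
    src: str
    dst: str
    dport: int
    payload: str  # first bytes of application data; empty for a bare connection attempt


# Constructed signatures for the demo (a real sensor ships thousands).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./etc/passwd"),
    "sql-injection": re.compile(r"(?i)\bUNION\s+SELECT\b"),
}

# Constructed historical baseline: distinct destination ports one source touches per minute on this segment.
BASELINE_DISTINCT_PORTS = [1, 2, 2, 3, 1, 2, 4, 2, 3, 2]

# Constructed traffic: a port sweep, a web request carrying a traversal string, and normal TLS/SSH use.
SAMPLE_EVENTS = (
    [Event(f"2024-03-01T12:00:{i:02d}Z", "198.51.100.7", "10.0.0.20", p, "")
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    + [
        Event("2024-03-01T12:01:10Z", "203.0.113.5", "10.0.0.20", 80, "GET /index.html HTTP/1.1"),
        Event("2024-03-01T12:01:12Z", "203.0.113.5", "10.0.0.20", 80, "GET /download?file=../../etc/passwd HTTP/1.1"),
        Event("2024-03-01T12:02:00Z", "192.0.2.9", "10.0.0.20", 443, "TLS ClientHello"),
        Event("2024-03-01T12:02:05Z", "192.0.2.9", "10.0.0.20", 443, "TLS ClientHello"),
        Event("2024-03-01T12:02:30Z", "192.0.2.9", "10.0.0.20", 22, "SSH-2.0-OpenSSH_9.6"),
    ]
)


class MiniIDS:
    def __init__(self, baseline, sigma=3.0):
        self.log = []     # function 1: every observed event is kept
        self.alarms = []  # function 3: alerts with location, time and nature
        mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
        self.port_threshold = mean + sigma * sd  # anomaly cut-off learned from history

    def observe(self, ev):
        """Function 1 (log) and function 2a (signature analysis) run per event."""
        self.log.append(ev)
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev.payload):
                self._alarm(ev.ts, ev.src, ev.dst, f"signature match: {name}")

    def analyze_anomalies(self):
        """Function 2b: compare each source's behaviour per minute against the learned baseline."""
        ports, first_seen = defaultdict(set), {}
        for ev in self.log:
            key = (ev.src, ev.ts[:16])  # minute bucket "YYYY-MM-DDTHH:MM"
            ports[key].add(ev.dport)
            first_seen.setdefault(key, ev.ts)
        for (src, _minute), touched in ports.items():
            if len(touched) > self.port_threshold:
                self._alarm(first_seen[(src, _minute)], src, "segment",
                            f"anomaly: {len(touched)} distinct ports in one minute (threshold {self.port_threshold:.1f})")

    def _alarm(self, ts, src, dst, nature):
        self.alarms.append({"time": ts, "source": src, "target": dst, "nature": nature})

    def summary(self):
        """Function 4: the management report an operator reads instead of the raw log."""
        return {
            "events_logged": len(self.log),
            "alarms": len(self.alarms),
            "alarms_by_type": Counter(a["nature"].split(":")[0] for a in self.alarms),
            "top_sources": Counter(e.src for e in self.log).most_common(3),
        }


def run_demo():
    ids = MiniIDS(BASELINE_DISTINCT_PORTS)
    for ev in SAMPLE_EVENTS:
        ids.observe(ev)
    ids.analyze_anomalies()
    return ids


if __name__ == "__main__":
    ids = run_demo()
    for alarm in ids.alarms:
        print(alarm)
    print(ids.summary())
```

The two analysis styles fail differently: the signature catches the traversal string but would miss a URL-encoded variant, while the baseline catches the eight-port sweep but would also fire on a legitimate new scanner appliance until the baseline is retrained. That gap is the tuning work the first comment in the thread describes.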
Christa Giordano says
In my current role I am fairly familiar with business continuity planning, management, and disaster recovery preparedness. The key learning for me this chapter was related to IT disaster recovery, as I was not as familiar with this topic. This section of the chapter explained the importance of management being aware of and involved in the IT disaster recovery plans, not just the “techies”. The story outlining the examples of the two law firms impacted by the attack on the World Trade Center was very eye-opening, as one year after the attack one of the firms was still not yet up and running due to lack of disaster planning. The chapter also explained the different options for back-up facilities (hot sites, cold sites, and site sharing with continuous data protection). Another important factor to consider is the location of back-up sites. They should be close enough so that employees can access them, yet far enough away that they are not at risk of being impacted by the same natural disaster. This section also describes the critical components to consider in the event of a disaster, such as information maintained on office PCs, centralized data back-up for these PCs, and being able to distribute new computers quickly with the correct applications and information, which lends to data recovery considerations. Lastly, this section discusses the importance of realistic testing and rehearsing of the IT disaster recovery plan, for all parties to be as prepared as possible in the event of a disaster.
Elias Harake says
In this week’s reading, an important takeaway I learned from Chapter 10 was that a business continuity plan, or BCP, specifies how a company plans to restore or maintain core business operations and processes when a disaster occurs. The BCP specifies what business steps will be taken, not simply what technological actions need to be taken in order to restore the business back to normal. Some of the principles of business continuity management are “Protect people first,” which includes having evacuation plans and drills, and “Communication,” which means trying to compensate for inevitable breakdowns. The BCP should also be frequently tested to make sure the scope of the disasters takes account of all operations and processes. Testing the plan can also make sure that the BCP is still effective, updated, and efficient for current business practices. Since business conditions change and sometimes people change roles or positions, it is important that the BCP is frequently tested and updated as per the needs of the organization.
Michael Doherty says
Elias,
The BCP is important, and if it is paired with a Disaster Recovery Plan from the IT perspective, then a company should have a better chance for a quicker recovery and continuity. Regular testing of the plans will help increase awareness and hopefully the efficiency of a quicker recovery.
Quynh Nguyen says
A key takeaway I learned from this chapter is about containment, how to stop the damage. There are a few main steps to take; the first is disconnection. Disconnecting the server from the LAN and the entire system from the internet stops intrusions and protects the server from malicious users. Disconnection helps the attacker by making the server completely unavailable. Black-holing the attacker is a way of cutting off the attacker’s IP address, dropping all future connections from that IP address automatically. However, this alerts the attacker that they’ve been discovered and has them come back with a different IP address and approach. The next practice is to continue collecting as much data about the malicious attackers as possible if the damage is not too severe yet. After this would be containment.
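The black-holing step discussed above, as an added example that is not from the original thread or from the textbook: the attacker addresses an analyst pastes in are validated, anything that overlaps the organization’s own protected ranges is refused (so a responder cannot accidentally cut off the management network or a monitoring host), adjacent addresses are collapsed into the smallest set of CIDRs, and the result is rendered as an nftables ruleset that drops all inbound traffic from those sources. The protected ranges, candidate addresses and table name are constructed for illustration; the ruleset is only rendered here, not applied (an operator would review it and load it with `nft -f`).

```python
import ipaddress

# Constructed for this example: address space the responder must never black-hole
# (own management, monitoring and loopback ranges). Replace with the real environment's ranges.
PROTECTED_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]


def build_blackhole_set(candidates, protected=PROTECTED_RANGES):
    """Validate attacker IPs/CIDRs, refuse anything overlapping a protected range, collapse the rest.

    Returns (accepted_networks, rejected) where rejected is a list of (input, reason) pairs
    so the analyst can see exactly what was dropped and why.
    """
    accepted, rejected = [], []
    for raw in candidates:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not a valid IP address or CIDR"))
            continue
        if net.version != 4:
            rejected.append((raw, "IPv6 needs its own ipv6_addr set; skipped in this example"))
            continue
        if any(net.overlaps(p) for p in protected):
            rejected.append((raw, "overlaps a protected range; refusing to black-hole"))
            continue
        accepted.append(net)
    # collapse_addresses merges 198.51.100.6/32 + 198.51.100.7/32 into 198.51.100.6/31
    # and drops 203.0.113.77/32 when 203.0.113.0/24 is already present.
    return list(ipaddress.collapse_addresses(accepted)), rejected


def render_nft(nets, table="blackhole"):
    """Render an nftables ruleset that counts and drops inbound packets from the given networks."""
    lines = [
        f"table inet {table} {{",
        "  set attackers {",
        "    type ipv4_addr",
        "    flags interval",
    ]
    if nets:  # an empty 'elements' list is not valid nft syntax, so omit it when there is nothing to block
        lines.append("    elements = { " + ", ".join(str(n) for n in nets) + " }")
    lines += [
        "  }",
        "  chain input {",
        "    type filter hook input priority -10; policy accept;",
        "    ip saddr @attackers counter drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


def demo():
    # Constructed candidate list of mixed quality, as it might be pasted from several alerts.
    candidates = ["198.51.100.7", "198.51.100.6", "203.0.113.0/24", "203.0.113.77",
                  "10.1.2.3", "2001:db8::1", "not-an-ip"]
    nets, rejected = build_blackhole_set(candidates)
    return nets, rejected, render_nft(nets)


if __name__ == "__main__":
    nets, rejected, ruleset = demo()
    for item, reason in rejected:
        print(f"skipped {item}: {reason}")
    print(ruleset)
```

Two caveats a responder should keep in mind beyond the one the comment makes about the attacker simply rotating addresses: a /24 entered in a hurry blocks every customer behind that range, and a source address behind a shared NAT or a cloud load balancer can be many unrelated parties. The `counter` on the drop rule is there so the team can see whether the block is still doing anything before deciding to lift it.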
Charlie Corrao says
I thought the point on containment was very interesting too. It’s not only important to stop the attack, but to separate affected areas before it spreads to other areas. Depending on the type of attack, the malicious program or virus can spread very rapidly.
Michael Doherty says
I think that Boyle and Panko did a great job in Section 10.2, “The Intrusion Response Process for Major Incidents”. The way that it is described, Detection, Analysis, Escalation, Containment and Recovery, is very helpful. It described the process very effectively. The rest of the chapter may be a bit more dependent on individual circumstances and your business’s approach, such as Apology, Punishment, and Prosecution; each business will handle a potential attempt differently. It may not be necessary to apologize (depends on the information taken and whether customers/employees were impacted or not), to punish (maybe the employee did nothing wrong), or to prosecute (maybe the company does not have enough to prosecute, or cannot pinpoint the actual suspect).
Wei Liu says
One of the key points I learned from this chapter is the four-level severity scale for incidents: false alarms, minor incidents that can be handled by the on-duty IT staff, major incidents that require the convening of the firm’s CSIRT, and disasters that affect IT alone or threaten business continuity for the entire firm. For all incidents and disasters, speed and accuracy are critical. These require extensive planning and rehearsals. Organizations have to plan in detail how they will respond to major incidents and disasters. No plan will precisely fit an incident. However, improvising within a plan is far more effective than working without a plan.
Charlie Corrao says
For me, section 10.2.4 was extremely interesting and often overlooked when an incident occurs. After an incident occurs, your customers need some sort of explanation as to what happened. No matter who was at fault, it is important to first apologize to your customers, but also explain what happened to them as well. As the chapter outlines, this does not have to be a technical response but should be detailed enough so the users understand exactly what happened. Finally, users should be made aware of compensation they may be eligible for. What I’ve noticed is that rarely do companies get remembered for having an appropriate public response to an incident (Home Depot in 2014), but are remembered for responding poorly (Uber). This is why this section is so important to disaster response.
Xiduo Liu says
Testing and updating a business continuity plan is an important aspect of the effectiveness of the business continuity plan. The text highlighted the need for regular testing to ensure the accuracy and effectiveness of the plan. It is important to ensure the plan covers new changes to the organization and all information regarding the point of contact is up to date.
Panayiotis Laskaridis says
Incident and Disaster Response are absolutely vital to a business’s life. It is resiliency that is the difference between a company going under or surviving in a doomsday scenario. This goes further than just a cyber incident; traditionally, it is a weather event that causes a disaster recovery response. That being said, mother nature is pretty relentless. A weather event could easily turn into a cyber event via the destruction of servers. Geographical location should be taken into consideration when deciding where to host your servers or your backup servers. If you live in Miami, maybe host backups somewhere where there aren’t hurricanes every year. The same goes for earthquakes in California and tornadoes in the Midwest. This becomes a very feasible risk elimination in the age of the cloud. It’s interesting to see how technological advancements could virtually eliminate the risk of mother nature.
Ashleigh Williams says
The key point that stood out to me in this reading is business continuity planning. The reading states that a business continuity plan specifies how a company plans to restore or maintain core business operations when disasters occur. The reading describes what an effective BCP should contain. Where I see organizations fail in BCP planning is that in many cases there are critical business processes that only one person knows how to do, and if this person is out or leaves abruptly, the process fails. Organizations must be sure that all critical processes have documented standard operating procedures and that more than one person is trained on the process.
Christopher Clayton says
Every business needs protection, and needs to know how they will manage an emergency when it occurs. How quickly your company gets back to business after an emergency often depends on the planning you do now.