Making the case for 'live' incident response

By Eric B. Parizo, Senior Site Editor
28 Apr 2009 | SearchSecurityChannel.com


WASHINGTON D.C. -- When it comes to incident response, there's one message Matthew M. Shannon wants the security channel to learn about dealing with potentially compromised machines: don't assume they must be immediately shut down.

Speaking Tuesday at the Computer Forensics Show, Shannon, principal of information security assessments and computer forensics for Tampa, Fla.-based consulting firm Agile Risk Management LLC, said many of today's incident response tools enable live forensics without pulling a suspect computer off the network.

Shannon said that in the traditional incident response paradigm it often takes several hours, even in a best-case scenario, to identify a potential compromise, shut down the target machine, make a duplicate image of its hard drive and begin analysis. Even after all that work, it is not always possible to determine the cause of the attack, leaving the customer with a sunk cost.

"And during the time you're spending making that image an attacker could have hacked into five or six other machines," Shannon said.

Live forensic analysis, by contrast, is not only faster, Shannon said, but also more useful. For instance, live analysis may reveal attack methods that would be undetectable after a system shutdown, such as malware that runs entirely in the computer's memory without ever writing to the hard drive.

Plus, Shannon added, as hard drive sizes continue to increase, imaging drives in their entirety -- especially for a multitude of compromised customer machines -- may not be efficient, particularly when live analysis can quickly pinpoint the source of the attack.

While some may worry that departing from traditional incident response processes would leave the data unusable in a civil or criminal case, Shannon said there is no legal mandate requiring an image of the original hard drive; what is necessary is documentation of how the forensic findings were acquired.

"There's an established process for incident response," Shannon said. "I'm not saying throw that out, but often there's a better way to do it."

Attendee Peter Starceski, a Michigan-based principal systems engineer for a large software firm, said that the concept of live incident response has merit, but it's unlikely that every incident could be dealt with in that way.

Starceski said it's important that integrators educate customers on the differences between the techniques, and that they understand how and why live forensics would be employed should an incident take place.

Shannon offered a number of other best practices for successful integrator incident response, including being ready to respond quickly and making sure the staff is familiar with how to use forensics tools, both on-site and remotely.

He highly recommended that solution providers teach their customers basic "first aid" skills for dealing with the immediate aftermath of a security incident. His company has found that providing customers with read-only incident response tools to collect volatile system data, such as the contents of physical memory, enables them to be part of the process without the risk of corrupting key evidence.
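Two of Shannon's points above, read-only collection of volatile data by a first responder and documentation of how findings were acquired, can be illustrated with a small collector. The following is an added example, not code from the article or from Agile Risk Management. It assumes a Linux host with a /proc filesystem and uses only the standard library; it reads the current TCP sockets and the process table without writing anything to the target except into an output directory the responder chooses (ideally removable media), and it records a manifest with a UTC timestamp and SHA-256 hash for every artifact so the acquisition can be verified later. The case identifier, collector name and output path in the `__main__` block are placeholders.

```python
"""Read-only volatile-data collector for a live Linux host (added example).

Assumptions: Linux /proc is present; stdlib only; nothing is written to the
host except the output directory the responder passes in.
"""
import hashlib
import json
import os
import socket
import struct
import time

# Socket states as encoded in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def utc_now() -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def _hex_addr(hex_addr: str) -> str:
    """Decode the little-endian 'IPHEX:PORTHEX' form used by /proc/net/tcp."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_net_tcp_line(line: str):
    """Parse one data row of /proc/net/tcp into a dict; None for the header."""
    fields = line.split()
    if not fields or fields[0] == "sl":
        return None
    return {"local": _hex_addr(fields[1]), "remote": _hex_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]), "inode": int(fields[9])}


def collect_connections(path="/proc/net/tcp"):
    """Current IPv4 TCP sockets, read without modifying anything on the host."""
    try:
        with open(path) as fh:
            rows = [parse_net_tcp_line(line) for line in fh]
    except OSError:
        return []
    return [r for r in rows if r]


def collect_processes(proc="/proc"):
    """Running processes: pid, ppid, command line and the on-disk exe path.
    An exe link ending in '(deleted)' means the binary is gone from disk and
    the code survives only in memory, which a post-shutdown image would miss."""
    procs = []
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return procs
    for pid in pids:
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(os.path.join(base, "status")) as fh:
                ppid = next((l.split()[1] for l in fh if l.startswith("PPid:")), "?")
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = "(unreadable)"
        except OSError:
            continue  # process exited mid-walk; normal on a live host
        procs.append({"pid": int(pid), "ppid": ppid, "cmdline": cmdline, "exe": exe})
    return procs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(outdir: str, collector: str, case_id: str) -> dict:
    """Save each artifact and a manifest (who, when, what, hash) documenting
    how the findings were acquired. Most volatile state is captured first."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {"case": case_id, "collector": collector, "host": socket.gethostname(),
                "started_utc": utc_now(), "artifacts": []}
    for name, data in (("connections", collect_connections()),
                       ("processes", collect_processes())):
        blob = json.dumps(data, indent=1, sort_keys=True).encode()
        path = os.path.join(outdir, f"{name}.json")
        with open(path, "wb") as fh:
            fh.write(blob)
        manifest["artifacts"].append({"name": name, "file": path, "bytes": len(blob),
                                      "sha256": sha256_hex(blob), "acquired_utc": utc_now()})
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=1)
    return manifest


def verify(manifest: dict) -> bool:
    """Re-hash every artifact; False if any file no longer matches the record."""
    for art in manifest["artifacts"]:
        with open(art["file"], "rb") as fh:
            if sha256_hex(fh.read()) != art["sha256"]:
                return False
    return True


if __name__ == "__main__":
    # Placeholder case identifier, collector name and output path.
    m = acquire(f"/tmp/ir-{int(time.time())}", "responder@example", "CASE-0001")
    print(json.dumps(m, indent=1), "\nintegrity ok:", verify(m))
```

This deliberately stops short of imaging physical memory, which needs a dedicated acquisition tool rather than a script; it covers the cheaper volatile state (sockets and processes) that disappears on shutdown, and the manifest is the part that matters for the documentation point: every artifact is tied to a time, a collector and a hash that `verify` can check when the evidence changes hands.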

"We found if we taught [customers] the basic skills and tools, then it made our job easier and it made working with them easier," Shannon said. "Does that mean in certain cases we didn't get called in? Sure, of course. But in the large, important cases, we got the phone call."

He also emphasized making sure customers have detailed incident response plans that identify the roles of key stakeholders and mesh with the organization's business strategy.

"The most important piece of any incident response plan is buy-in on the executive level," Shannon said. "Without that, it's just words on paper."
