Sat Aug 30 13:02:59 PDT 2014

Incidents: Detection and response: What are the process requirements for detection and response?


Options:

Option 1: Detect and respond as fast as possible.
Option 2: Detect and respond as slowly as possible without knowingly causing a great deal of harm.
Option 3: Detect things that have obvious impacts and respond to them based on available resources and business impact.
Option 4: Detect and respond in time to mitigate potentially serious negative consequences.

Basis:

Detect and respond in time to mitigate potentially serious negative consequences.
This is the ideal approach, but it is hard to do. In order to mitigate event sequences with potentially serious negative consequences through timely detection and response, you must first understand the event sequences and their consequences. This analysis requires business modeling, comprehensive risk management, and a wide range of other capabilities. The requirements of Sarbanes-Oxley regulations mandate that certain enterprises take risk management more seriously in order to present realistic risk information to potential and current shareholders. If this process is used wisely, it can greatly facilitate the internal decisions about which event sequences are of such consequence as to warrant timely detection and response. From there, the time frames required for risk mitigation and the resulting techniques to be applied should become apparent. Because of the time and effort required for this level of understanding and design, it is appropriate only in situations where the consequences are large enough to justify the cost of being careful in the defense. Hence its applicability to medium- and high-risk situations.

Detect and respond as slowly as possible without knowingly causing a great deal of harm.
While going slowly has advantages in terms of costs, it has the major disadvantage that large losses can happen quickly. Slow response can turn minor incidents into catastrophic failures. Large businesses have failed in one-time incidents that required rapid reaction but got only a slow reaction. The key to this approach is understanding enough to make reasonable and prudent decisions about how slow is still fast enough. This requires substantial analysis.

Detect things that have obvious impacts and respond to them based on available resources and business impact.
This is a straightforward position in which whatever detection is in place is used, and business impact assessment and available resources are balanced, typically by executive decision-making. It runs the risks of any relatively ill-defined decision process, but if management is effective at doing its job and risks are not too high, this approach can work well. It is also reasonably well suited to enterprises that handle a lot of incidents with 24x7 internal staff but that do not have any very high risk levels requiring a more optimized approach.

Detect and respond as fast as possible.
For enterprises that are not well prepared in advance, there is little choice but to treat everything as an emergency, because there is no way to really know what is important and what is not. This is likely to be very expensive except for the lowest-risk organizations, which notice very few attacks.

Maximum response and mitigation times. Time is a key issue in incident handling. For enterprises that have well-defined approaches, time limits should be identified (or at least identifiable) and then tracked and measured for responses (first acts to mitigate) and for mitigation (termination of the undesirable condition) in cases where consequences are medium or high. Ideally, such times represent planning based on business consequences and are controlled by workflow systems and related mechanisms that prioritize actions and assign duties and resources.
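The time limits and tracking described above, as an added example that is not part of the original page: a small Python model in which maximum response and mitigation times are set per consequence level (the limit values, the incident records and the timestamps are all constructed for this example, not taken from the page), each incident is checked against its limits, and open incidents are ordered by consequence and by remaining time to the mitigation deadline, which is the kind of prioritization the workflow system mentioned above would perform.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Maximum allowed times per consequence level (assumed values for this example):
# (time from detection to first act to mitigate, time from detection to termination
# of the undesirable condition). Low-consequence incidents carry no tracked limit,
# matching the text's "medium or high" scope.
TIME_LIMITS = {
    "high":   (timedelta(minutes=15), timedelta(hours=1)),
    "medium": (timedelta(hours=1),    timedelta(hours=8)),
    "low":    (None, None),
}

# Ordering of consequence levels for prioritization (highest first).
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Incident:
    ident: str
    consequence: str                            # "high", "medium" or "low"
    detected: datetime
    first_response: Optional[datetime] = None   # first act to mitigate
    mitigated: Optional[datetime] = None        # undesirable condition terminated


def check_incident(inc: Incident, now: datetime) -> dict:
    """Measure the response and mitigation phases against their limits.

    Each phase is reported as one of:
      'ok'        completed within the limit
      'late'      completed, but after the limit had passed
      'pending'   not yet completed, limit not yet reached
      'overdue'   not yet completed and the limit has passed
      'untracked' no limit defined for this consequence level
    """
    resp_limit, mit_limit = TIME_LIMITS[inc.consequence]
    phases = (("response", resp_limit, inc.first_response),
              ("mitigation", mit_limit, inc.mitigated))
    result = {}
    for name, limit, done_at in phases:
        if limit is None:
            result[name] = "untracked"
        elif done_at is not None:
            result[name] = "ok" if done_at - inc.detected <= limit else "late"
        else:
            result[name] = "overdue" if now - inc.detected > limit else "pending"
    return result


def prioritize(incidents, now: datetime) -> list:
    """Order unmitigated incidents: highest consequence first, then the least
    remaining time before the mitigation deadline (negative = already overdue)."""
    open_incidents = [i for i in incidents if i.mitigated is None]

    def key(inc):
        _, mit_limit = TIME_LIMITS[inc.consequence]
        remaining = (inc.detected + mit_limit - now) if mit_limit else timedelta.max
        return (RANK[inc.consequence], remaining)

    return [i.ident for i in sorted(open_incidents, key=key)]


def report(incidents, now: datetime) -> dict:
    """Status of every incident, keyed by identifier."""
    return {i.ident: check_incident(i, now) for i in incidents}


# Constructed sample data: a fixed "now" and five incidents at various stages.
NOW = datetime(2014, 8, 30, 13, 0)
SAMPLE = [
    Incident("INC-1", "high", NOW - timedelta(minutes=40),
             first_response=NOW - timedelta(minutes=30)),
    Incident("INC-2", "medium", NOW - timedelta(hours=3),
             first_response=NOW - timedelta(minutes=90)),
    Incident("INC-3", "high", NOW - timedelta(hours=2)),
    Incident("INC-4", "low", NOW - timedelta(days=1)),
    Incident("INC-5", "medium", NOW - timedelta(hours=2),
             first_response=NOW - timedelta(hours=1, minutes=50),
             mitigated=NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for ident, status in report(SAMPLE, NOW).items():
        print(ident, status)
    print("work order:", prioritize(SAMPLE, NOW))
```

Two separate measurements are kept per incident because the text distinguishes the first act to mitigate from the termination of the condition; an incident can be "ok" on response and still "overdue" on mitigation, and only the combination tells the operator where the process is failing.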

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved