Fri Dec 5 09:28:48 PST 2014

Incidents: Detection and response: What are the process requirements for detection and response?


Options:

Option 1: Detect and respond as fast as possible.
Option 2: Detect and respond as slowly as possible without knowingly causing a great deal of harm.
Option 3: Detect things that have obvious impacts and respond to them based on available resources and business impact.
Option 4: Detect and respond in time to mitigate potentially serious negative consequences.

Indicate the maximum notification (Notice), response (Resp) and mitigation (Mit) times defined and implemented for identified situations [event sequences, incidents, breaches, intelligence] (i.e., events), or [weaknesses or vulnerabilities] (weakness), associated with high / medium consequences. (Copy the consequence table and identify response/mitigation times.) Use the table below as/if applicable. For clarity, these are the times between the first knowledge within the organization of information reasonably leading to identification of the situation and: (1) notification of applicable parties, (2) the initiation of response (Resp) specifically to the situation, and (3) completion of the mitigation effort associated with the situation.

Situation Notice Resp (med) Mit (med) Resp (high) Mit (high)
Intelligence information that may or may not apply to your situation. - - - - -
Adverse intelligence information known or reasonably believed to apply to your situation. - - - - -
Known weakness. - - - - -
Detected event not yet characterized. - - - - -
Detected event resulting in denial of [use / access / services] to [customers / users / others]. - - - - -
Potential [taking / loss / corruption] of [sensitive / identifying] [customer, worker, or market data]. - - - - -
Potential [taking / loss / corruption] of sensitive credit card or credit-related data - - - - -
Potential [taking / loss / corruption] of sensitive personal health information. - - - - -
Potential [taking / loss / corruption] of [confidential / proprietary] personal financial information. - - - - -
Potential [taking / loss / corruption] of confidential / proprietary enterprise financial information. - - - - -
Potential [taking / loss / corruption] of intellectual property like patent background and design data or Trade Secrets. - - - - -
Event with substantial loss of business or harm to brand if uncontrolled. - - - - -
Event that interferes with contracts or upsets customers if uncontrolled. - - - - -
[Event / weakness] of medical treatment, dose, or device controls. - - - - -
Manufacturing process control [event / weakness]. - - - - -
[Event / weakness] of decision support for matters of life and death. - - - - -
Sensitive data aggregated in volume risky to major customers. - - - - -
[Event / weakness] with major political or environmental implications. - - - - -
[Event / weakness] with supervisory control and data acquisition (SCADA) or related infrastructure systems. - - - - -
[Event / weakness] with legally protected confidential medical, privacy, or other data. - - - - -
[Event / weakness] with [content / people] related to protective orders. - - - - -
[Event / weakness] with content on legal hold pending disposition. - - - - -
[Event / weakness] with / indicating content reasonably anticipated to be the subject of a lawsuit. - - - - -
[Event / weakness] affecting content with legally mandated retention or disposition times. - - - - -
[Event / weakness] subject to industry-specific regulations. - - - - -
[Event / weakness] subject to contractually mandated controls. - - - - -
[Event / weakness] related to standards required for treatment. - - - - -
[Event / weakness] related to contractual limitations on [use / sharing / disposition]. - - - - -
[Event / weakness] related to [contract performance data / statements of work / contractual mechanisms]. - - - - -
[Event / weakness] related to content relevant to a lawsuit. - - - - -
[Event / weakness] related to government classified or restricted data. - - - - -
[Event / weakness] related to [content / systems] owned by a government. - - - - -
[Event / weakness] related to things controlled with regard to [import / export]. - - - - -
[Event / weakness] related to things controlled with regard to transport. - - - - -
[Event / weakness] related to things controlled with regard to some other requirement. - - - - -
[Event / weakness] related to things required by government for reporting purposes. - - - - -
[Event / weakness] related to requirements for tracking controlled [substances / devices / artifacts]. - - - - -
[Event / weakness] related to Local, State, or Federal identification numbers or information (e.g., SSN, driver's licenses). - - - - -
[Event / weakness] related to credit card information. - - - - -
[Event / weakness] related to biometric data. - - - - -
[Event / weakness] related to financial account information. - - - - -
[Event / weakness] related to medical or healthcare information (test results, fees, providers, etc.). - - - - -
[Event / weakness] related to consumer habits and patterns. - - - - -
[Event / weakness] related to financial information about people or enterprises. - - - - -
[Event / weakness] related to associations between people or groups. - - - - -
[Event / weakness] related to [legal / historical] documents presumed trustworthy. - - - - -
[Event / weakness] related to metadata associated with stored content. - - - - -
[Event / weakness] related to mechanisms used to link content to metadata. - - - - -
[Event / weakness] related to operational information used to support business functions. - - - - -
[Event / weakness] related to provenance information associated with content. - - - - -
[Event / weakness] related to information used to assert integrity of other content. - - - - -
[Event / weakness] related to information used to determine proper accessibility. - - - - -
[Event / weakness] related to archived data in authoritative repositories. - - - - -
[Event / weakness] related to planning information. - - - - -
[Event / weakness] related to mechanisms supporting use of obsolete content forms. - - - - -
[Event / weakness] related to chain of preservation or custody data. - - - - -
[Event / weakness] related to information provided for transparency. - - - - -
- - - - - -
- - - - - -
- - - - - -
- - - - - -
- - - - - -
- - - - - -
- - - - - -
- - - - - -
Maximum Response and Mitigation Times for Identified Situations

Decision:

IF risk is High or Medium AND maturity is Managed or higher, THEN Detect and respond in time to mitigate potentially serious negative consequences.
OTHERWISE IF risk is Medium AND maturity is Defined or higher, THEN Detect and respond as slowly as possible without knowingly causing a great deal of harm.
OTHERWISE IF risk is Medium THEN Detect things that have obvious impacts and respond to them based on available resources and business impact.
OTHERWISE Detect and respond as fast as possible.

Basis:

Detect and respond in time to mitigate potentially serious negative consequences.
This is an idealized triage approach, but it is hard to do. In order to mitigate event sequences with potentially serious negative consequences through timely detection and response, you must first understand the event sequences and their consequences. This analysis requires business modeling, comprehensive risk management, and a wide range of other capabilities. As an example, the requirements of Sarbanes-Oxley regulations mandate that certain enterprises take risk management more seriously in order to present realistic risk information to potential and current shareholders. If this process is used wisely, it can greatly facilitate the internal decisions about which event sequences are of such consequence as to warrant timely detection and response. From there, the time frames required for risk mitigation and the resulting techniques to be applied should become apparent. Because of the time and effort required for this level of understanding and design, it is appropriate only in situations where the consequences are large enough to justify the cost of being careful in the defense. Hence its applicability to medium- and high-risk situations.

Detect and respond as slowly as possible without knowingly causing a great deal of harm.
While going slowly has advantages in terms of costs, it has the major disadvantage that large losses can happen quickly. Slow response can turn minor incidents into catastrophic failures. Large businesses have failed in one-time incidents that required rapid reaction but got only a slow reaction. The key to this approach is understanding enough to make reasonable and prudent decisions about how slow is still fast enough. This requires substantial analysis.

Detect things that have obvious impacts and respond to them based on available resources and business impact.
This is a straightforward triage approach in which whatever detection / intelligence process is in place is used, and business impact assessment and available resources are balanced, typically by executive decision-making. It runs the risk of any relatively ill-defined decision process, but if management is effective at doing its job and risks are not too high, this approach can work well. It is also reasonably well suited to enterprises that handle a lot of incidents with 24x7 internal staff but that don't have any very high risk levels requiring a more optimized approach.

Detect and respond as fast as possible.
For enterprises that are not prepared well in advance, there is little choice but to treat everything as an emergency, because there is no way to really know what is and is not important, or how important it is. This is likely to be very expensive except for the lowest-risk organizations, which notice very few attacks.

Maximum response and mitigation times. Time is a key issue in incident handling. For enterprises that have well-defined approaches, time limits should be identified (or at least identifiable) and tracked and measured with regard to responses (first acts to mitigate) and mitigation (termination of the undesirable condition) in cases where consequences are medium or high. Ideally, such times represent planning based on business consequences and are controlled by workflow systems and related mechanisms that prioritize actions and assign duties and resources.
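As an added illustration (not part of Fred Cohen's page or any tool it describes), the following Python encodes the decision rule given under "Decision:" and then shows the kind of tracking the paragraph above calls for: it takes the maximum Notice / Resp / Mit times entered for a situation in the table and checks an incident's recorded timestamps against them, reporting each phase as met, missed, pending or overdue. It assumes a CMM-style maturity scale (Initial, Repeatable, Defined, Managed, Optimizing) to give meaning to "Defined or higher" and "Managed or higher"; the maximum times and the incident timestamps it uses are constructed sample values, not figures from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Assumed maturity scale (CMM-style); the page names only "Defined" and "Managed".
MATURITY_ORDER = ["Initial", "Repeatable", "Defined", "Managed", "Optimizing"]


def detection_response_option(risk: str, maturity: str) -> str:
    """Apply the page's decision rule. risk is 'Low', 'Medium' or 'High'."""
    level = MATURITY_ORDER.index(maturity)

    def at_least(name: str) -> bool:
        return level >= MATURITY_ORDER.index(name)

    if risk in ("High", "Medium") and at_least("Managed"):
        return "Detect and respond in time to mitigate potentially serious negative consequences."
    if risk == "Medium" and at_least("Defined"):
        return "Detect and respond as slowly as possible without knowingly causing a great deal of harm."
    if risk == "Medium":
        return ("Detect things that have obvious impacts and respond to them "
                "based on available resources and business impact.")
    return "Detect and respond as fast as possible."


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass(frozen=True)
class MaxTimes:
    """One filled-in row of the situation table: Notice, then Resp and Mit per consequence level."""
    notice: timedelta
    resp: Dict[str, timedelta]   # keyed by "medium" / "high"
    mit: Dict[str, timedelta]


# Constructed sample maxima for three situations from the table; a real
# organization fills these from its own consequence analysis.
MAX_TIMES: Dict[str, MaxTimes] = {
    "Detected event not yet characterized.": MaxTimes(
        notice=hours(1), resp={"medium": hours(8), "high": hours(2)},
        mit={"medium": hours(72), "high": hours(24)}),
    "Detected event resulting in denial of [use / access / services] to [customers / users / others].":
        MaxTimes(notice=hours(0.5), resp={"medium": hours(4), "high": hours(1)},
                 mit={"medium": hours(24), "high": hours(8)}),
    "Potential [taking / loss / corruption] of sensitive credit card or credit-related data": MaxTimes(
        notice=hours(1), resp={"medium": hours(2), "high": hours(1)},
        mit={"medium": hours(24), "high": hours(12)}),
}


@dataclass
class Incident:
    situation: str
    consequence: str                      # "medium" or "high"
    first_knowledge: datetime             # first knowledge within the organization
    notified: Optional[datetime] = None   # applicable parties notified
    response_started: Optional[datetime] = None
    mitigated: Optional[datetime] = None


def check_times(inc: Incident, now: datetime) -> Dict[str, str]:
    """Compare each phase's timestamp with its deadline measured from first knowledge.
    Returns 'met' / 'missed' for completed phases, 'pending' / 'overdue' for open ones."""
    limits = MAX_TIMES[inc.situation]
    phases = {
        "notice": (inc.notified, limits.notice),
        "response": (inc.response_started, limits.resp[inc.consequence]),
        "mitigation": (inc.mitigated, limits.mit[inc.consequence]),
    }
    status: Dict[str, str] = {}
    for name, (done_at, max_time) in phases.items():
        deadline = inc.first_knowledge + max_time
        if done_at is not None:
            status[name] = "met" if done_at <= deadline else "missed"
        else:
            status[name] = "overdue" if now > deadline else "pending"
    return status


def sample_check(hours_elapsed: float = 6.0) -> Dict[str, str]:
    """Constructed high-consequence denial-of-service incident, evaluated hours_elapsed after first knowledge."""
    t0 = datetime(2014, 12, 5, 9, 28)
    inc = Incident(
        situation="Detected event resulting in denial of [use / access / services] to [customers / users / others].",
        consequence="high",
        first_knowledge=t0,
        notified=t0 + timedelta(minutes=20),        # within the 30-minute notice maximum
        response_started=t0 + timedelta(hours=3),   # past the 1-hour high-consequence response maximum
    )
    return check_times(inc, now=t0 + hours(hours_elapsed))


if __name__ == "__main__":
    print(detection_response_option("High", "Managed"))
    print(sample_check())        # mitigation still pending at 6 hours
    print(sample_check(9.0))     # mitigation overdue past the 8-hour maximum
```

The status dictionary is what a workflow system would escalate on: a "missed" notice or response is a process failure to record even if mitigation eventually completes, and an "overdue" mitigation is the signal to reassign resources before the consequence grows.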

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved