Enhancing Incident Response: The Role of Strategic Partners in Your Security Posture

An organization’s strategic relationships are a key factor in establishing stronger security expertise. In the event of a computer security incident, they constitute an important factor in its resolution. In addition to providing security controls, these experts may also be the principal source for obtaining essential artifacts for investigating an incident.

In today’s information-driven economy, organizations rely on service providers to fulfill a multitude of responsibilities and operational tasks. Whether it is hosting websites, managing payroll, conducting penetration tests, performing digital forensics or providing shipping logistics to get a commodity to market, almost any function within an organization necessitating information technology can be supported by a third-party provider.

Choosing the Right Approach for Incident Response

The reasons an organization may decide to engage a provider in lieu of performing the task in-house are varied. In some cases, a third party simply offers a more cost-effective and secure option to the alternative of ensuring all skills and IT systems are available and managed internally. Very often an organization may lack more specialized skills in a particular area, and contracting out to a third party constitutes the best possible solution.

Regardless of what is contracted from a third-party provider or why, the decision presents an organization with some additional considerations when thinking about how to increase the security of its entire IT environment. This is only natural, given that the provider’s interaction with an organization’s data may be quite extensive: it could range from access to employee or customer names, addresses and other identifying information to more IT-focused data such as remote login usernames, passwords and encryption keys.

Reported breaches at two large retailers resulted in two of the largest data compromises in recent times. These breaches involved tactics that targeted some third-party managed systems, including successful phishing attempts and stolen credentials. Irrespective of the exact circumstances of each attack, the tactics used indicate a number of potential risks and the need for organizations to adequately address some often overlooked areas of security in their provider relationships.

Strengthening the Relationship With Providers

By working with providers to address these issues upfront, you will be able to optimize your incident response capability when time is most critical. The following are key areas that, if improved upon, can strengthen your information security, minimize potential new risks and establish a strategic relationship where a mutual concern for security is paramount.

1. Timely Notification of Security Incidents

Expediently alerting the organization that the network maintained by the provider has potentially suffered a data compromise is crucial.

Postponing notification rarely, if ever, stems from ill intentions; rather, providers may want to carry out a full investigation of the security incident to gather as many facts as possible before informing the client. Nevertheless, this may cause unintentional delays in the response and result, for example, in the automatic overwriting of valuable artifacts such as logs. This can negatively impact incident response and delay a speedy resolution of the problem.

In addition, many organizations handling certain types of data may also be bound by regulatory considerations, such as the requirements of the PCI Council or national and local laws, that prescribe a set time frame within which specific notifications must be made. Organizations should highlight the importance of timely notifications through various means and agreements with their provider. In this way, misunderstandings can be reduced.

2. Minimize Commingling of Data From Different Clients

When an incident response team is engaged in an investigation, a litany of requests for different data quickly follows, from disk images and RAM to system and network logs and more. These artifacts are required to understand the extent of the damage and formulate an appropriate response plan.

Any incident response will doubtless face significant obstacles if a provider states that the artifacts contain data from its other clients. Due to contractual and privacy obligations, the provider may not be in a position to provide this data and may be forced to spend precious time filtering the artifacts before sending the data to the incident response team.

While it is ideally avoided, the mixing or commingling of data may not be preventable in all architectures. It is therefore advisable to have an appropriate level of understanding with the provider as to this possible risk.

3. Improve the Ability of Provider Staff to Assist in an Investigation

As noted previously, an incident response team has a need for certain artifacts at the onset of an investigation. Generally, these collection tasks do not require an extensive knowledge of computer security. IBM’s incident responders, for example, are specially equipped with methods and tools to facilitate work with remote staff who may not be security experts.

Nevertheless, quick and efficient collection of these artifacts does require an adequate level of IT skills on the part of the provider’s staff. The absence of skilled personnel at the provider site may hinder the ability to quickly receive the critical artifacts necessary to begin an investigation.

As a result, it is important to establish a professional relationship with well-trained personnel who can retrieve needed artifacts and have a clear understanding of their information security roles. This may also be bolstered by requesting that basic incident response training for certain key employees be carried out.

4. Improve Incident Preparedness Testing

In its many years of experience responding to incidents, reviewing and crafting incident response plans and performing mock incident tabletops and testing exercises, IBM Emergency Response Services (ERS) noted that many organizations do not incorporate the testing of a provider’s ability to fulfill its incident preparedness role into their overall incident response process.

What would normally take days may take weeks if the provider’s role in the larger context of the incident response process is not tried, tested and rehearsed. The provider’s own processes will play a significant role in determining its ability to contribute to the overall incident response. By performing periodic proactive tests of systems and procedures, including those of providers, organizations can better identify improvements and request that providers make the applicable changes in the areas they support. This will prevent delays in the event of an incident and enhance the partnership.

Numerous options exist for technical and procedural testing such as penetration tests, threat assessments, risk assessments, mock incidents and tabletops. The IBM ERS team conducts or can participate in exercises to test the ability of an organization’s providers to respond to an incident.

5. Conduct Appropriate Reviews of Provider Security Environments

Another way to strengthen the security relationship is to conduct reasonable and timely reviews of, and maintain adequate access to, provider systems that support operations and security. Maintaining an appropriate, mutually agreed-upon level of visibility into those operations that directly affect the organization’s information security position is highly recommended.

While organizations may be very detailed when contractually defining the security specifications they require, many are less specific when it comes to agreements for reviewing and monitoring compliance with those controls. Verifying compliance can be achieved by allowing for sufficient reviews of supplier services and security activities.

It is unreasonable to specify contractually the right to access or audit a provider’s entire environment. The provider, for its own legitimate security needs, may not be willing to provide direct access or full audit rights. However, it is advisable to have an agreement that addresses access and audit rights for verifying adherence to information security protocols and incident preparedness specifications.

A complete lack of understanding in this area can become cumbersome when there is an urgent need — such as in security incidents — to gain information from a provider’s environment. Precious time may be lost since permission must be granted for any incident response team to begin its investigation. To the extent allowable, agreements should exist between the organization and providers relating to security reviews and access rights to areas that affect incident response.

6. Appropriate Maintenance of Event and System Logs

As the source of much of the information that could potentially be needed during the response to an incident or in a digital forensics examination, event log generation, review, protection and storage by third-party providers should be a priority. A provider should be able to meet these needs, and there should be clear expectations as to the types of logs kept and the required time to retain those logs.

In one particularly egregious case, IBM ERS discovered that a client’s Internet service provider had been keeping logs for only 24 hours. Such a practice seriously inhibits incident response effectiveness and makes it very difficult to conduct any meaningful investigation.

On the other hand, ensuring proper agreements with your providers as to event and system logs can result in uncovering a piece of evidence that makes for the successful conclusion of an incident. In such cases, the provider truly fulfills its strategic role as an integral part of an organization’s security.
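The retention problem described in this section can be checked rather than taken on trust. The following script is an added example, not code from the article or from IBM ERS: it takes an export of a provider's retained log entries, works out for each log source how far back coverage actually reaches, and compares that against the retention period agreed with the provider, flagging sources that cover less than the agreement requires (including the 24-hour case above) and sources whose newest entry is stale, which usually means ingestion has silently stopped. The log line format, source names, timestamps and the 30-day requirement are all constructed for the example.

```python
"""Audit a provider's retained logs against an agreed retention window.

Constructed example: the syslog-style lines below stand in for an export of
the oldest and newest entries a provider can still produce per log source.
"""
import re
from datetime import datetime, timezone

# Constructed sample input; the last line is deliberately malformed.
SAMPLE_LOG_LINES = """\
2024-03-10T08:00:00Z fw01 ACCEPT src=10.0.0.5 dst=10.0.1.9 dport=443
2024-03-11T12:30:00Z fw01 DROP src=203.0.113.7 dst=10.0.1.9 dport=22
2024-03-12T23:59:00Z fw01 ACCEPT src=10.0.0.6 dst=10.0.1.9 dport=443
2024-03-12T09:15:00Z web01 GET /login 200
2024-03-12T23:58:00Z web01 POST /login 302
2024-02-01T00:00:00Z vpn01 session-open user=alice
2024-03-12T22:00:00Z vpn01 session-close user=alice
this line has no timestamp and should be counted as skipped
"""

# Hypothetical export format: ISO-8601 UTC timestamp, source host, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<source>\S+)\s+(?P<msg>.*)$"
)


def parse_ts(value):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log_lines(text):
    """Return (entries, skipped): entries as (timestamp, source, message) tuples,
    skipped as the count of lines that did not match the expected format."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            skipped += 1  # malformed lines are reported, never silently dropped
            continue
        entries.append((parse_ts(match["ts"]), match["source"], match["msg"]))
    return entries, skipped


def audit_retention(log_text, required_days, as_of_iso, max_staleness_hours=1.0):
    """Per log source, measure how far back coverage reaches relative to `as_of_iso`
    and whether it meets `required_days`; also flag sources whose newest entry is
    older than `max_staleness_hours` (a sign that log shipping has stopped)."""
    entries, skipped = parse_log_lines(log_text)
    as_of = parse_ts(as_of_iso)
    report = {}
    for ts, source, _msg in entries:
        row = report.setdefault(source, {"oldest": ts, "newest": ts, "entries": 0})
        row["oldest"] = min(row["oldest"], ts)
        row["newest"] = max(row["newest"], ts)
        row["entries"] += 1
    for row in report.values():
        coverage_hours = (as_of - row["oldest"]).total_seconds() / 3600
        age_hours = (as_of - row["newest"]).total_seconds() / 3600
        row["coverage_days"] = round(coverage_hours / 24, 2)
        row["meets_retention"] = coverage_hours >= required_days * 24
        row["stale"] = age_hours > max_staleness_hours
        row["oldest"] = row["oldest"].isoformat()
        row["newest"] = row["newest"].isoformat()
    return report, skipped


def sources_under_one_day(report):
    """Sources retaining less than 24 hours of history: the situation the article
    describes as seriously inhibiting any meaningful investigation."""
    return sorted(s for s, row in report.items() if row["coverage_days"] < 1.0)


if __name__ == "__main__":
    # Constructed: the agreement requires 30 days; the audit is run on 2024-03-13.
    report, skipped = audit_retention(SAMPLE_LOG_LINES, 30, "2024-03-13T00:00:00Z")
    for source, row in sorted(report.items()):
        verdict = "OK" if row["meets_retention"] else "SHORT"
        flags = " STALE" if row["stale"] else ""
        print(f"{source}: {row['coverage_days']} days retained -> {verdict}{flags}")
    print("sources under 24h:", sources_under_one_day(report))
    print("malformed lines skipped:", skipped)
```

Run against the constructed sample with a 30-day requirement, only vpn01 meets retention; fw01 and web01 fall short, web01 retains less than a day, and vpn01 is flagged stale because its newest entry is two hours old. In practice the export, the required days and the staleness threshold would come from the provider agreement, and the audit would be scheduled so that a shortfall is found during preparedness testing rather than during an incident.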

Your Service Provider Is an Asset for Incident Response

Service providers are clearly an asset for delivering critical expertise to help an organization carry out its mission and business requirements. This applies to security, as well.

Appropriately addressing these key areas of security in the provider relationship will greatly improve your organization’s response to a security incident. Conversely, not mitigating them can potentially slow the response to an incident.

A balanced approach that includes well-defined service-level agreements outlining appropriate expectations of providers, effective incident response testing, adequate technical assessments and supplier reviews can help ensure a productive, strategic partnership that improves your organization’s overall security posture.


Jonathan Collins

Incident Response Analyst, IBM

At IBM Jonathan has been actively involved in end-to-end incident response, including forensic support and analysis on...