Understanding the Process and Ownership for Threat Response
The scope of managed security service provider (MSSP) roles and responsibilities in the area of threat response is often misinterpreted in terms of the process and ownership. One of the most important elements of a successful security partnership relates to how an organization and the MSSP coordinate event and incident response activities.
It is important to note that while the MSSP should be able to provide information and guidance regarding impact analysis and responding to threats, it is typically the organization’s responsibility to own the final determination of potential impact and the threat response actions needed. Organizations are advised to clearly understand the who and how of handling client-side activities for impact analysis and threat response.
A typical MSSP will use its monitoring and automated intelligence capabilities to identify potentially serious security events. If such an event is discovered, the MSSP will escalate it to the organization’s security contacts along with countermeasure recommendations. The security analysts are typically responsible for the initial review of an escalated event to confirm whether it poses a threat. If warranted, the security analyst invokes the appropriate threat response process according to internal policies.
Threat response generally includes active collaboration between an MSSP and the organization security analysts for impact analysis and investigation. A remediation plan, if needed, must be created with the appropriate actions being communicated to their owners. If device policy changes are needed, analysts should be prepared to work with the MSSP to have the changes defined, approved and implemented. If appropriate, your computer security incident response plan (CSIRP) would be evoked.
Tailored Security Information Analysis for a Threat Response
If needed to supplement your capability for researching and responding to security incident tickets, some MSSPs provide optional named security intelligence analyst (SIA) resources. Often, this type of resource can be considered an “add-on” element of the scope of contract.
SIA resources can also help provide custom threat analysis and handle threat intelligence and event analysis. Most organizations will want to evaluate their needs in their area based on internal staff/skills and availability of security analysis bandwidth. The lack of a unified incident management process, coupled with inexperienced staff, can increase the business impact of security incidents.
If you have strong security analysis skills and are able to engage the MSSP-provided analysis tools, a named MSSP resource in this area may not be necessary. However, if you are short on necessary security analysis staff or skills, you may benefit from having a named resource focused on security intelligence for your organization.
Incident Response Plan
An organization’s incident response plan is the foundation for all incident response and recovery activities. You own the plan; the MSSP does not. Consequently, regular gap assessments and benchmarking exercises are needed to help ensure the soundness of your organization’s incident response program.
Cyberstress testing through scenario-based exercises is especially useful. It can help organizations understand the consequences of various events and actions and how to be better prepared to address such circumstances. Stress testing also validates incident response processes and overall plan execution and assesses an organization’s readiness to respond to a serious security incident.
Your organization’s CSIRP should specify how incidents should be handled. The incident-handling checklist, published by the National Institute of Standards and Technology (NIST), outlines which activities should be covered in the CSIRP.
NIST has proposed a straightforward forensic process model that consists of four steps: collection, examination, analysis and reporting. This model describes a general process for extracting data from various media and performing analysis to draw the essential information that can serve as evidence from the data. It is important to note that there are several models that have been designed to define the forensic process. While most models are similar in terms of basic principles, organizations should adopt the model that most closely aligns with their operational and business needs.
It is advisable to consider third-party services to review, design and/or test your CSIRP. Ask your MSSP which consulting services it can offer in these areas.
Your security operations programs depend on effective threat response preparation and the ability to execute threat response. Although the MSSP is a contributor in your threat response capabilities, organizations must be aware that many elements of a threat response plan lie beyond the MSSP scope, with much of it driven by clients.
As a cornerstone of your defense against malicious hackers, malware, human error and a host of other threats, a CSIRP is the map that guides your response to a successful attack. It should define the roles and responsibilities of all respondents, establish authority for making major decisions and define communication flows and notification procedures. Without a CSIRP, your incident response team can waste invaluable time and resources figuring out what to do, leading to potentially higher costs and greater damage to your organization and your reputation.
This article is part 2 of a four-part article series. This article series discusses how to maximize the value you receive from your MSSP relationship. Parts 3 and 4 will highlight additional key focus areas necessary to maximize value in the MSSP relationship.