Incident Response and Big Data: A Federal Quick Reaction Force

June 15, 2013

Okay, so being a retired Army Officer, I try to relate issues around technology to other former military members in cyber security in terms we understand. Interestingly, I find that even those who were not in the military easily relate to the analogies, so let's give this a whirl.

Quick Reaction Force

You are moving a large segment of supplies to a forward base. En route you are attacked. You immediately react and protect your supplies. Since the attack seems to be coming from all directions, you seek information that portrays the attacker's strength, its true direction, and the intent of the attack, so that you can discover feints and diversions.

You seem to be on the verge of being overrun.  You ask for the quick reaction force to come to your assistance, defeat the attackers, and assist in recovery of the scattered supplies while also reinforcing your defensive measures.

We have all seen this played out in various scenarios, whether from a first-person 'been there' perspective or from numerous depictions in books, TV shows and movies. But have you noticed that this scenario also fits within the cyberspace domain? Only there, the quick reaction force is called an 'incident response team'.

Both the initial defender and the incident responders fight through the attack and re-establish the 'defensive lines'. Normally it is the incident responder who goes through the plethora of data sets (or, in the physical world, the intelligence collected from a multitude of sources) to answer the who, how and what-were-they-after questions. Was it a feint, or was it a direct or indirect attack to achieve a strategic goal, be it intellectual property, money or data?

So the elements of reaching a conclusion about the attack are essentially the same. The main differences are how the attack was perpetrated and how the responders accumulate information about the intrusion.

Big Data Security Analytics

In today's networked environment, this historical analysis is brought about through big data security analytics. The time frame of an attack starts with the attacker's reconnaissance of your positions and runs through your adjustment of the new and improved defenses, sometimes extending from months to years. But for security data analytics to be effective, they need to be part of our security architecture.

We need that quick reaction force to be immediate, not relegated to doing historical reviews long after the events have happened. I like history and all, but the key to overcoming a large-scale attack is making analytics part of your quick reaction force. This is your tactical and operationally focused response.

When we are talking about large sets of data over an extended period, we are focusing on the strategic set of data. This is the long-term, intelligence-focused research, concentrating on the intent and the type of group attacking.

Hence, I would suggest that there are two sets of defenders for the cyber domain, just as in the physical example above: one focused on current and ongoing defensive operations, and one investigating incident events over time for long-term campaigns. While these two defender sets are looking at essentially the same data, the time frame of reference and the way the data is correlated are, by definition, different because of their focus.

All organizations are concerned about the tactical/operational attacks, as those are what compromise and steal from our organizations. We must do this level of analysis and tie it into our response.

From Reactive to Proactive Defense

Some would ask, why then do I care about the past data? Well, you are probably going to repeat the problem in a similar situation. After all, if the attacker was successful the first time, why would he change something that is not broken from his perspective?

You are now presented with the question of how to prevent and deter the next attack along this same 'avenue of approach'. The historical data review allows the incident response team to correlate network events as part of a particular incident, or to string the events together to fully understand the attack profile. It is the variety and volume of data that makes the analysis challenging, yet fruitful for future defenses, not to mention for the forensic analysis behind the all-important damage assessment.
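To make the two views concrete, here is an added example (not code from the original post or from IBM) showing the same event records correlated in both ways: a tactical pass that groups events on a host into live incidents using a short time gap, and a strategic pass that links incidents months apart through a shared attacker indicator and reports the repeated avenue of approach. The records, addresses, host names and the "toolkit-A"/"toolkit-B" fingerprint column are constructed for illustration; in practice the indicator would be whatever stable attribute your sensors expose (tool signature, C2 domain, TLS fingerprint).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical, not real telemetry): timestamp,
# source address, targeted host, observed action, attacker fingerprint.
RAW_EVENTS = [
    ("2013-01-10T02:14:00", "203.0.113.7", "web-01", "recon_scan", "toolkit-A"),
    ("2013-01-10T02:40:00", "203.0.113.7", "web-01", "exploit_attempt", "toolkit-A"),
    ("2013-01-10T03:05:00", "203.0.113.7", "web-01", "exfil", "toolkit-A"),
    ("2013-02-14T12:00:00", "198.51.100.4", "vpn-01", "recon_scan", "toolkit-B"),
    ("2013-03-22T23:10:00", "203.0.113.9", "web-02", "recon_scan", "toolkit-A"),
    ("2013-03-22T23:35:00", "203.0.113.9", "web-02", "exploit_attempt", "toolkit-A"),
    ("2013-06-01T01:00:00", "203.0.113.7", "web-01", "recon_scan", "toolkit-A"),
    ("2013-06-01T01:20:00", "203.0.113.7", "web-01", "exploit_attempt", "toolkit-A"),
]


def load_events(rows):
    """Parse the raw tuples into dicts sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "src": src, "host": host,
         "action": action, "indicator": indicator}
        for ts, src, host, action, indicator in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def tactical_incidents(events, gap=timedelta(hours=1)):
    """Tactical view: per targeted host, consecutive events closer than
    `gap` belong to the same live incident; a longer silence starts a new one."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        current = None
        for e in evs:
            if current is None or e["ts"] - current["end"] > gap:
                current = {"host": host, "start": e["ts"], "end": e["ts"],
                           "events": []}
                incidents.append(current)
            current["end"] = e["ts"]
            current["events"].append(e)
    incidents.sort(key=lambda i: i["start"])
    return incidents


def strategic_campaigns(incidents, min_incidents=2):
    """Strategic view: link incidents that share an attacker indicator,
    however far apart in time, and summarise the resulting campaign."""
    linked = defaultdict(list)
    for inc in incidents:
        for ind in {e["indicator"] for e in inc["events"]}:
            linked[ind].append(inc)
    campaigns = {}
    for ind, incs in linked.items():
        if len(incs) < min_incidents:
            continue  # a single sighting is an incident, not yet a campaign
        evs = [e for inc in incs for e in inc["events"]]
        first, last = min(e["ts"] for e in evs), max(e["ts"] for e in evs)
        # The first action of each incident is the attacker's avenue of
        # approach; if it repeats, the same door is being used again.
        openings = [inc["events"][0]["action"] for inc in incs]
        campaigns[ind] = {
            "incidents": len(incs),
            "hosts": sorted({e["host"] for e in evs}),
            "sources": sorted({e["src"] for e in evs}),
            "span_days": (last.date() - first.date()).days,
            "repeated_avenue": max(set(openings), key=openings.count),
        }
    return campaigns


if __name__ == "__main__":
    incidents = tactical_incidents(load_events(RAW_EVENTS))
    for inc in incidents:
        print(f"incident on {inc['host']}: {inc['start']} -> {inc['end']}, "
              f"{len(inc['events'])} events")
    for ind, c in strategic_campaigns(incidents).items():
        print(f"campaign {ind}: {c}")
```

On this constructed data the tactical pass yields four separate incidents (the two web-01 intrusions are months apart, so the one-hour gap rule correctly keeps them separate for the on-duty responder), while the strategic pass collapses three of them into a single toolkit-A campaign spanning 142 days across two hosts and two source addresses, each time opened with reconnaissance. The one-off toolkit-B sighting stays an incident only. The gap and the indicator choice are the knobs that distinguish the two defender sets the post describes; the data underneath is identical.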

The massive volume of data available in today's networks presents both a challenge and an opportunity. If you can tame the big data at your disposal, it can be instrumental to your quick reaction force. Many times attackers will refrain from attacking (and in some form are deterred) because of the initial and follow-on responses of your Quick Reaction Force and its ability to counter an attack while discovering the attacker's true intentions.

This is where we move from a reactive defense, waiting for something to happen, to a proactive defense that deters strikes from happening in the first place.

Peter Allor
Federal Security Strategist, IBM Security

Peter Allor is a Security Strategist on cyber incident & vulnerability handling, where he assists in guiding the company’s overall security initiatives...