214 ◾ Official (ISC)² Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
Known problems and known errors are resolved according to procedure. The
Help Desk profiles previously unencountered problems and escalates them to
the appropriate second tier groups according to operating system, software
application, hardware, or service. Second tier investigation and diagnosis may
result in resolution or in escalating the problem to more experienced,
specialized support personnel in Tier 3 support, or even in engaging vendor
support.
The primary objective of incident management is to restore normal operations
expediently. Treating the symptom may result in temporary resolution and recovery
of affected equipment or software. However, before the incident can be closed, a
root cause analysis (RCA) should be performed to be sure that the real problem is
identified and resolved. Otherwise, the problem will repeat itself. A repeat of
known errors implies a need to review what triggered the known cause. A repeat of
a known problem should result in escalating the incident details to those
investigating the root cause. The investigation group may be internal to the
enterprise or external (e.g., software vendor). Note: Verify that management and
legal review and approve any information about a security incident prior to
sharing it outside the organization.
A user request for a new service (e.g., new software application) is a request
for change to the Help Desk; such requests are not security events. Likewise,
neither is a request for a password reset a security event. However, tracking
password resets is appropriate to be aware of patterns of excessive requests
that may not be incidents in themselves, but clues of potential broader
anomalous activity. Security operations are in part formulaic, in that you can
map out scenarios and response activities to those scenarios, i.e., you expect
actions, they happen, and you respond accordingly. Security operations are also
in part an art form. Like detectives, security operations personnel follow
procedure, but with awareness that procedure only goes so far and there are
times to deviate in response to unexpected threat activity.
Monitor
Monitor the enterprise for anomalies. Not all anomalies are events; some
anomalies are just unexplained or misunderstood. An anomaly becomes an event
after efforts to explain or understand have failed. An event becomes an
incident when danger of loss to the enterprise (i.e., violation of one or more
of the core security principles) is evident. An incident becomes an attack when
you discover intelligence and intent behind the incident.
Monitoring includes the following:
Audit log analysis
Audit log aggregation
IDS (network IDS [NIDS], host IDS [HIDS])
Content filtering
Firewalls
Anomalous network activity
  Atypical bandwidth utilization, server activity, printing habits (e.g.,
  off-site printing), e-mail attachments, spam/phish/spyware/root kit activity
Network management
  Simple network management protocol (SNMP): HP OpenView and CiscoWorks
Guards
Employee observations
Etc.
You monitor each of the above separately as well as in aggregation. A probe
on a network for open FTP ports may in and of itself be cause for concern,
but may not raise the critical alert flag. However, given that there are also
spear phishing attacks targeted at R&D personnel and a series of social
engineering phone calls to these same R&D personnel attempting to elicit user
identifications and passwords, and on second review the network probes were all
focused on R&D servers, now you have an aggregate picture that looks like an
attack on the enterprise.
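As an added illustration (not from the book) of monitoring each source separately and in aggregation: the event types, thresholds and sample events below are constructed. Each source alone stays under its own alert threshold, but grouping events by the business group they target shows several independent signals converging on R&D.

```python
from collections import defaultdict

# Constructed sample events (not from the book). Each record carries the
# monitoring source that produced it and the business group it was aimed at.
EVENTS = [
    {"source": "nids", "type": "port_probe", "port": 21, "target": "R&D"},
    {"source": "nids", "type": "port_probe", "port": 21, "target": "R&D"},
    {"source": "helpdesk", "type": "spear_phish", "target": "R&D"},
    {"source": "helpdesk", "type": "social_eng_call", "target": "R&D"},
    {"source": "nids", "type": "port_probe", "port": 21, "target": "Finance"},
]

# Assumed per-source thresholds: how many events of one kind a single source
# must see before it raises an alert on its own. A couple of FTP probes is
# cause for concern but does not raise the critical flag by itself.
SINGLE_SOURCE_THRESHOLD = {"port_probe": 10, "spear_phish": 5, "social_eng_call": 3}


def single_source_alerts(events):
    """Monitor each source separately: (target, type) pairs at or over threshold."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["target"], e["type"])] += 1
    return {k: n for k, n in counts.items() if n >= SINGLE_SOURCE_THRESHOLD[k[1]]}


def aggregate_picture(events, min_distinct_signals=3):
    """Monitor in aggregation: group by target and count distinct signal types.
    Several independent signals focused on one group is the aggregate picture
    that looks like an attack on the enterprise."""
    signals = defaultdict(set)
    for e in events:
        signals[e["target"]].add(e["type"])
    return {t: sorted(s) for t, s in signals.items() if len(s) >= min_distinct_signals}


if __name__ == "__main__":
    print("single-source alerts:", single_source_alerts(EVENTS))  # nothing fires
    print("aggregate picture:", aggregate_picture(EVENTS))        # R&D stands out
```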
Detect
To detect means to discover the presence of; this includes the presence of
threats, vulnerabilities, anomalies, events, incidents, and attacks. Not all
events are incidents, but all incidents start as events. Detecting threats and
vulnerabilities engages the use of outside services such as Security Tracker,
Symantec Deepsight Threat Management System, and SANS Institute. The MITRE
Corporation has a Common Vulnerabilities and Exposures (CVE) Web site that
provides a standard for information security vulnerability names. Internal
scanning and risk assessment provide a snapshot of current security posture
across people, process, technology, and environment. Event detection occurs
from log review, Help Desk reports, and monitoring network and server activity
in real time. Incident detection occurs from analyzing events and determining
that they are truly a security threat to the enterprise. Detection occurs both
proactively and reactively.
Proactive Detection—Proactive detection is the function of dedicated staff to
monitor and identify events and incidents. This monitoring may include
real-time situational awareness (versus the after-the-fact reporting in
reactive detection). Real-time situational awareness will look at host log
files, network traffic, bandwidth utilization (load analysis), the active
presence of key assets on the network, firewall logs, and IDS logs.
Network and system management software provides proactive, real-time
monitoring and detection. A centralized software management application
communicates with distributed software agents to check the active presence of
the agent and to receive information from the agent about the system on which
it resides. Examples of network and system management software include HP
OpenView and CiscoWorks. The simple network management protocol (SNMP) is a
common protocol to support network and system management.
Reactive Detection—Event information is reported via internal users, security
experts from external services, and internal monitoring of operations. Internal
reporting requires a supporting infrastructure (i.e., Help Desk) that may include
toll-free numbers, ticketing systems, training of Help Desk agents, and awareness
of all employees to be on the alert for anomalous activity. Subscriptions to external
services will provide access to security expert opinions and alerts of new malware
and vulnerabilities. Internal monitoring reports may come from intrusion detection
systems (IDSs) and variations like network intrusion detection systems (NIDS)
and host intrusion detection systems (HIDS). Internal monitoring may also include
security scans to ensure minimal password strength, the appropriate naming of
administrative accounts, and the presence of illegal or harmful software.
Initial Detection—Initial detection is the most difficult because you are
looking for something but with no knowledge of exactly what it is. The
potential for human error is a challenge for initial detection as mistakes in
configurations or improper patching may introduce unforeseen vulnerabilities.
The detection safeguards assist in detecting known threats (e.g., malware with
known signatures); however, the most dangerous malware is a zero day exploit.
A zero day threat or attack tries to exploit unknown or undisclosed
vulnerabilities. A zero day exploit is usually unknown to the public and may be
unknown to the vendor. The zero day exploit may make its way through the
Internet (through the wild) prior to the vendor patch release; it exploits the
vulnerability window between vulnerability detection and capability to mitigate
the vulnerability.
Improving Initial Detection—Methods to improve initial detection include the
following:
Improve security staff expertise
Policies and procedures
Multiple types of products
Quality control
Enterprise Awareness and Training
Security is a dynamic environment, especially cyber security. Keep security
staff trained on the latest exploits. Understanding the exploit capabilities and
the vulnerabilities they seek improves the likelihood of initial detection. A
separation of duties policy helps ensure the maintenance of internal controls.
Separation of duties acts as a check and balance against one person having too
much security administration ability and forces insider attacks to be
collaborative efforts between multiple people. While collaboration does happen,
it is less common than a single individual acting alone. Use multiple types of
products as part of a defense-in-breadth posture, e.g., one vendor’s virus
signature files may be different from another’s and when used together provide
an increase in overall anti-malware capabilities.
Quality control mitigates the potential for human error via quality control of
patches, updates, and the ability to introduce executable code from outside the
enterprise (e.g., Internet download). Enterprise awareness and training should
include a discussion of “what looks different?” We have a new generation raised
on popular television’s “one of these things is not like the others, one of
these things just doesn’t belong.” We can extend this concept and awareness to
enterprise operations to improve initial detection.
Notify
Now that the monitoring capabilities are in place and detection occurs,
establish a formal process for notification. Formal notification is likely to
start with the Help Desk or the security operations center monitoring NIDS,
HIDS, firewalls, audit logs, and general situational awareness. Log and track
all notifications. The Help Desk may have a trouble ticket system. The security
operations center (SOC) may also use the ticketing system to record occurrences
and triage details to determine either treatment or escalation.
Triage
Triage is an activity that examines the current situation and prioritizes
competing activities requiring attention. Medical triage takes the most
critical patients first, e.g., a head injury is more critical than a forearm
injury. Effective incident triage requires knowledge of the business and
mission implications of an incident. This requires the mapping of people,
process, technology, and environment to operations and the mapping of
operations to the enterprise mission. If you are going to give priority to one
of a series of simultaneous incidents, the only way to make an intelligent
choice is to understand the implications of all incidents to the enterprise
mission.
Triage is a sort and stream activity. Sorting involves identification and
classification according to mission impact. Streaming is getting the right
resources assigned to the incident in a timely manner. The identification step
of triage determines the nature of the incident, and classification determines
the magnitude of the incident in terms of business impact. Both directly affect
how you respond to the incident.
Identication may mean hands-on exploration of the aected system. Remember
the rules of evidence and preserve the chain of custody in the event that the details
are necessary for prosecution. Coordinate the eorts of all team members dur-
ing identication to communicate both within and without the organization.
Coordinate all external communication with the Corporate Communications
Oce or your equivalent. Also, remember to communicate to the system owners
and those dependent upon the system to perform their jobs. Managing expecta-
tions is critical for them to make hard decisions in fullling their own responsibil-
ities to the enterprise.
You may classify incidents in any number of ways. One way is to use the nine
core security principles: confidentiality, integrity, possession,
nonrepudiation, etc. Another may be to reflect the nature of the incident like
unauthorized access or malware. Yet another way may be to reflect the threat
type like denial of service, man in the middle, or social engineering. All of
these have some meaning to security operations, but little meaning in other
departments. One triage classification method that has business meaning is as
follows:
Catastrophic
Critical
Urgent
Minor
A catastrophic incident is when the result is or will negatively impact the
fundamental function of the enterprise or the existence of the enterprise. A
critical incident is when the result is or will negatively impact a key
business function or violates a core value of the business. An urgent incident
is when the result is or will negatively impact some non-key business function.
A minor incident requires attention, but does not imminently threaten
enterprise functionality. The classification system you choose should have
meaning to your enterprise and be understandable across the IT, security, and
business areas of your business, including executives.
Incident response policies may then reflect necessary actions according to
incident criticality. For example, the discovery and treatment of a
catastrophic incident may require notifications that include the CEO, Board of
Directors, and other executives and prompt hourly reporting until the incident
is resolved.
Escalate
Escalation is the assignment of accountability to a more knowledgeable group or
individual, i.e., engaging the appropriate expertise. The Help Desk may be able
to treat many known, repetitive incidents. Alternatively, the Help Desk may need
to escalate the incident details to subject matter experts (SMEs). Prepare
escalation procedures and assign SMEs for various incident areas that include
virus, root kits, physical intruder, etc.
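An added example (not the book's) in Python of the sort-and-stream triage and the SME escalation assignment described in the Triage and Escalate sections above. The asset-to-operation and operation-to-mission mappings, the SME group names, and every response policy row except the catastrophic one are assumed placeholders for illustration.

```python
# Constructed mappings (assumed for illustration, not from the book):
# technology asset -> operation -> enterprise mission importance.
ASSET_TO_OPERATION = {
    "erp-db01": "order_fulfillment",
    "rd-fileshare": "product_development",
    "hr-portal": "payroll",
    "cafeteria-web": "employee_services",
}
OPERATION_TO_MISSION = {
    "order_fulfillment": "fundamental",
    "product_development": "key",
    "payroll": "key",
    "employee_services": "non_key",
}
# Stream step: incident area -> assigned subject matter experts (assumed names).
SME_FOR_AREA = {"virus": "anti-malware-team", "rootkit": "forensics-team",
                "physical_intruder": "facilities-security"}
# Response policy per criticality. The catastrophic row follows the text
# (CEO, Board, executives, hourly reporting); the other rows are assumed.
RESPONSE_POLICY = {
    "catastrophic": {"notify": ["CEO", "Board of Directors", "executives"], "report_every_hours": 1},
    "critical": {"notify": ["CISO", "business unit head"], "report_every_hours": 4},
    "urgent": {"notify": ["security manager"], "report_every_hours": 24},
    "minor": {"notify": ["Help Desk"], "report_every_hours": None},
}
CRITICALITY_ORDER = ["catastrophic", "critical", "urgent", "minor"]


def classify(incident):
    """Sort step: magnitude in business terms, derived from the mission
    importance of the operation the affected asset supports."""
    if not incident.get("impacted", True):
        return "minor"  # e.g. a blocked attempt: needs attention, no imminent threat
    mission = OPERATION_TO_MISSION.get(ASSET_TO_OPERATION.get(incident["asset"]), "none")
    if mission == "fundamental":
        return "catastrophic"
    if mission == "key" or incident.get("violates_core_value"):
        return "critical"
    return "urgent" if mission == "non_key" else "minor"


def triage(incident):
    """Sort and stream: classification, who to notify, and the SME owner
    (escalation); areas with no assigned SME stay with the Help Desk."""
    level = classify(incident)
    return {"class": level, "sme": SME_FOR_AREA.get(incident["area"], "Help Desk"),
            **RESPONSE_POLICY[level]}


def prioritize(incidents):
    """Order simultaneous incidents by their impact on the enterprise mission."""
    return sorted(incidents, key=lambda i: CRITICALITY_ORDER.index(classify(i)))
```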