Focus on forensics looks like an early trend for 2010

A recent article in Washington Technology cites findings in forensic investigations by the Verizon Business Risk team to highlight the difficulty many organizations have in identifying — much less responding to — security intrusions and data breaches. It seems that while plenty of companies have appropriate tools and security measures in place to collect data that would, if analyzed thoroughly, provide evidence of incidents occurring, too little of that data is actually scrutinized until well after the events begin. Verizon’s forensic investigators more often than not find such evidence within the event logs maintained by the companies who call them in to investigate. The failure to achieve or maintain situational awareness in the face of increasingly common attacks can be attributed to multiple factors, including technical and analytic complexity, but all the industry experts quoted in the article point to insufficient focus on enforcement and awareness in security management. The all-too-common situation where technical or functional means of enforcement are lacking, even with appropriate security policies in place, is a recurring theme, and one we addressed a couple of months ago in the context of guarding against internal threats. The rise in interest in and use of security incident and event management (SIEM) provides some evidence that enterprises are becoming more aware of what they’re up against in terms of cyber threats, but the utility of these controls is tied directly to the level of organizational commitment to put the commensurate security practices in place, and to invest in (human) security analysts and not just in tools.

With a bit of a different take on the same sort of problem, in another article published by Washington Technology this week, Sentek Consulting founder Erik Basu suggests that the emphasis on attack attribution by some government security programs is a position more private sector entities should seek to emulate. Federal agencies have several reasons for pursuing this type of forensic investigation, from the simple attempt to gain a better understanding of how vulnerabilities are exploited and how similar incursions might be prevented in the future, to the political, practical, and diplomatic considerations that constrain potential responses, including retaliatory actions. In general, government agencies also seem less reluctant to disclose cybersecurity incidents, both within the government community (as required under OMB guidelines) and in public. The fact that Google actually went public with the details of the attacks against it in China is in some ways more notable than the specifics of the attacks themselves. The government doesn’t face the same competitive drivers that commercial enterprises do, but Google’s disclosure is leading some companies and lots of security analysts to suggest that the benefits of greater disclosure may outweigh any potential negative impact.