Thursday, August 31, 2006

IR Tools review

I took a look at IR tools recently, and today ran across an SC Magazine review of forensic tools...as it turns out, the review is of IR tools. Overall, I wasn't surprised to see ProDiscoverIR rated as highly as it was...it's an excellent tool/toolkit, and for the price it can't be beat. However, while the article did look at some of the basic capabilities, such as information collection, things such ProDiscover's use of Perl for scripting wasn't addressed.

One thing that got me about the article, though, was something that was said at the beginning of the first paragraph, and then repeated at the beginning of the third paragraph:

Managing security incidents is essentially a problem of forensics.

...and...

Essentially, incident management is a forensic problem.

I can't say that I agree with this. My philosophy has always been that forensic analysis is part of an overall incident response capability, and that incident management is a security management problem.

Within most organizations, there are...people. Okay, a little simple, I know...but the point is that when an incident happens, the response isn't only about forensics. Depending upon the situation, you may have Legal, HR, and other departments involved. Many security incidents have a business impact, as well...compromises of critical servers, malware infections, etc., will at some point be addressed from the perspective of "how does this affect our business?"

Yes, you will need to perform forensics or incident analysis at some point, in order to determine the nature and extent of the issue. In fact, performing an analysis, lumping "forensics" and "incident response" together into "root cause analysis", is absolutely necessary. I can't say it often enough...too many times folks will make assumptions or SWAGs (see the second definition) about the issue, take the system offline, blow the base operating system away and reload it and the data from clean media. Why, then, are we so shocked when the system is p0wned all over again?

The problem with incident response (and IT security, in general) today is that security incidents that lead to IR/forensic activities and analysis are not being viewed as security management issues. Instead, they're being viewed as technical issues best addressed by IT folks...the same folks who are undertrained, understaffed, underpaid, and overworked. Management cannot wash their hands of a security incident by putting it on the shoulders of IT, after that same management infrastructure has made it a priority to do pretty much everything other than prepare for such issues.

In truth, incident management is a security management problem, and security management is a business issue.

No comments: