Last updated at Mon, 28 Oct 2019 17:16:13 GMT

While everyone in the security world is seemingly at RSA Conference, my mind has been searching through the past. It actually started a few weeks ago, when Gartner's Anton Chuvakin asked for examples of how today's Incident Detection & Response (IDR) is different from 2005. My short comment to his post started to explore the topic of change over the past decade of IR, but I kept thinking about it more and it struck me that there was much more to discuss. The fact is, most security programs are still stuck in 2005, and many people outside of the industry still think about threats as if it were 2005! In order to start getting away from the IDR of the last decade, we must first examine differences in the threat landscape.

Landscape: Threats in 2005 vs. 2016

Threats really haven't evolved all that much, and that's not much of a surprise. Attackers are still motivated by financial gain and destructive actions. They target organizations or people who have data that can be sold and organizations with views contrary to theirs. The big difference between 2005 and 2016 is the volume of breaches and the amount of stolen data.

Landscape: Data in 2005 vs. 2016

The change that catapulted the evolution of threats and the volume of breaches is the amount of data and its value. In 2005, there was a lot of sensitive data in computers, but nothing like what we see now. Further, in 2005, the black market primarily demanded financial data, but today intellectual property, health data, personal information, and computing resources can generate significant income for attackers.

Landscape: Computers in 2005 vs. 2016

The last aspect of the changing threat landscape is the attack surface itself: the computing devices. We've exponentially increased the number of connected devices and the amount of computing power since 2005. Creating malware has become easier, vulnerability data is open source, and testing against common threat prevention and detection technology is offered as a public service.

In the 2nd part of this post, which I'll post tomorrow, I'll explore how this changing threat landscape has evolved IDR practices.