
Analysis and Response


The analysis and response to activity and condition monitoring is performed differently in financial institutions of different size and complexity. Smaller and less complex institutions may assign operational personnel to the analysis and response function. Larger and more complex institutions may maintain a security response center that receives and analyzes the data flows as activity occurs. Additionally, institutions of all sizes may outsource various aspects of the analysis and response function, such as activity monitoring. Outsourcing does not relieve the institution of the responsibility for ensuring that control failures are identified before a security incident occurs, an intrusion or other security incident is detected in sufficient time to enable an effective and timely response, and post-event forensics activities are supported.

Security Incidents

An internal security response center serves as a central location for the analysis and investigation of potential security incidents. To serve in that role, the security response center should consider, evaluate, and respond to both external threats and internal vulnerabilities. Sources of external threat information include industry information sharing and analysis centers (ISACs), Infraguard, mailing lists, and commercial reporting services. Internal vulnerability information is available from condition reporting and activity monitoring. Security response centers should be able to access all relevant internal vulnerability information in a read-only manner. That data may reside in centralized log repositories, on the devices that perform the logging, and in results of self-assessments and independent tests. Security response centers also should have available tools to analyze the logs and to perform ad hoc activity monitoring. Other additional and useful data sources are reports of anomalies in both network and host performance and the end-user experience. The latter relates both to internal users as well as contractors and customers who use the institution's systems.

Because the identification of incidents requires monitoring and management, response centers frequently use SIM (security information management) tools to assist in the data collection, analysis, classification, and reporting of activities related to security incidents. The security response center should be governed by policies and procedures that address security incidents:

• Monitoring policies should enable adequate continual and ad hoc monitoring of communications and the use of the results of monitoring in subsequent legal procedures. The responsibility and authority of security personnel and system administrators for monitoring should be established, and the tools used should be reviewed and approved by appropriate management with appropriate conditions for use.

• Classification policies should be sufficiently clear to enable timely classification of incidents into different levels of severity. Response and reporting levels should be commensurate with the severity levels.

• Escalation policies should address when different personnel within the organization will be contacted about the incident, and the responsibility those personnel have in incident analysis and response.

• Reporting policies should address internal and external reporting, including coordination with service providers and reporting to industry ISACs.

Additionally, a policy should address who is empowered to declare an incident to be an intrusion.
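The classification, escalation, reporting, and intrusion-declaration policies described above are the kind of rules a security response center typically codifies so that a SIM tool or analyst workflow applies them consistently. The following is an added example, not part of the guidance text or any agency's own tooling: it scores constructed incident records into severity levels, derives the escalation contacts, notification deadline, and external reporting obligations from that severity, and restricts the declaration of an intrusion to empowered roles. The four severity levels, role names, time limits, and scoring weights are assumptions chosen for illustration; an institution would substitute the values from its own policy.

```python
"""Incident classification and escalation helper (added example, not from the guidance).

Severity levels, role names, contact lists, time limits, and scoring weights are
assumptions for illustration; substitute the institution's own policy values.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional

# Severity levels, lowest to highest (assumed four-level scheme).
SEVERITY = ("low", "medium", "high", "critical")

# Escalation policy (assumed): who is contacted, and how quickly, per severity.
ESCALATION = {
    "low": {"notify": ["soc-analyst"], "within": timedelta(hours=24)},
    "medium": {"notify": ["soc-analyst", "soc-manager"], "within": timedelta(hours=4)},
    "high": {"notify": ["soc-manager", "ciso", "legal"], "within": timedelta(hours=1)},
    "critical": {"notify": ["ciso", "legal", "executive-mgmt", "public-relations"],
                 "within": timedelta(minutes=15)},
}

# Reporting policy (assumed): external parties informed per severity.
EXTERNAL_REPORTING = {
    "high": ["service-provider"],
    "critical": ["service-provider", "industry-isac"],
}

# Roles empowered to declare an incident to be an intrusion (assumed).
INTRUSION_DECLARERS = {"ciso", "soc-manager"}


@dataclass
class Incident:
    incident_id: str
    asset_criticality: str        # "low" | "medium" | "high"
    confirmed: bool               # confirmed malicious activity vs. suspected
    data_exposure: bool           # customer or confidential data involved
    declared_intrusion: bool = False
    declared_by: Optional[str] = None


def classify(inc: Incident) -> str:
    """Map incident attributes to a severity level.

    Score = asset criticality (0..2) + 1 if confirmed + 1 if data is exposed,
    clamped to the highest level. The weights are an assumption.
    """
    score = {"low": 0, "medium": 1, "high": 2}[inc.asset_criticality]
    score += 1 if inc.confirmed else 0
    score += 1 if inc.data_exposure else 0
    return SEVERITY[min(score, len(SEVERITY) - 1)]


def declare_intrusion(inc: Incident, declarer_role: str) -> bool:
    """Mark an incident as an intrusion; only an empowered role may do so.

    Returns True when the declaration was accepted, False when it was refused,
    leaving the incident undeclared (fail closed).
    """
    if declarer_role not in INTRUSION_DECLARERS:
        return False
    inc.declared_intrusion = True
    inc.declared_by = declarer_role
    return True


def response_plan(inc: Incident) -> Dict[str, object]:
    """Derive escalation and reporting obligations from the classified severity."""
    sev = classify(inc)
    external: List[str] = list(EXTERNAL_REPORTING.get(sev, []))
    if inc.declared_intrusion:
        # A declared intrusion adds the primary regulator and law enforcement
        # to the communication list and requires evidence preservation.
        for party in ("primary-regulator", "law-enforcement"):
            if party not in external:
                external.append(party)
    return {
        "incident_id": inc.incident_id,
        "severity": sev,
        "notify": list(ESCALATION[sev]["notify"]),
        "notify_within": ESCALATION[sev]["within"],
        "external_reporting": external,
        "preserve_evidence": inc.declared_intrusion,
    }


# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    Incident("INC-0001", asset_criticality="low", confirmed=False, data_exposure=False),
    Incident("INC-0002", asset_criticality="high", confirmed=False, data_exposure=False),
    Incident("INC-0003", asset_criticality="medium", confirmed=True, data_exposure=True),
]


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(response_plan(inc))
    # An analyst may not declare an intrusion; the CISO may.
    print(declare_intrusion(SAMPLE_INCIDENTS[2], "soc-analyst"))
    print(declare_intrusion(SAMPLE_INCIDENTS[2], "ciso"))
    print(response_plan(SAMPLE_INCIDENTS[2]))
```

The point of separating `classify` from `response_plan` is that severity is decided once, from the facts of the incident, and every downstream obligation (who is paged, how fast, who is told outside the institution) follows from that single level, which is what "commensurate with the severity levels" means in practice. Keeping the declaration of an intrusion behind an explicit role check mirrors the requirement that policy name who is empowered to make that call.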

The effectiveness of a security incident response center also is a function of the training and expertise of the security analysts. A financial institution should ensure that its analysts are sufficiently trained to appropriately analyze network and host activity and to use the monitoring and analysis tools made available to them.

Intrusion Response

The goal of intrusion response is to minimize damage to the institution and its customers through containment of the intrusion, the restoration of systems, and providing assistance to customers.

The response primarily involves people rather than technologies. The quality of intrusion response is a function of the institution's culture, policies and procedures, and training. Preparation determines the success of any intrusion response. This involves defining the policies and procedures that guide the response, assigning responsibilities to individuals, providing appropriate training, formalizing information flows, and selecting, installing, and understanding the tools used in the response effort. Key considerations that directly affect the institution's policies and procedures include the following:

• How to balance concerns regarding availability, confidentiality, and integrity for devices and data of different sensitivities. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. An institution may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left on line.

• When and under what circumstances to invoke the intrusion response activities, and how to ensure that the proper personnel are notified and available.

• How to control the frequently powerful intrusion identification and response tools.

• When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both the containment and the restoration strategy.

• When and under what circumstances to notify and involve regulators, customers, and law enforcement. This consideration drives certain monitoring decisions, decisions regarding evidence-gathering and preservation, and communications considerations.

• Which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisions within the organization.

• How and what to communicate outside the organization, whether to law enforcement, supervisory agencies, customers, service providers, potential victims, and others. This consideration drives the communication strategy and is a key component in mitigating reputation risk.

• How to document and maintain the evidence, decisions, and actions taken.

• What criteria must be met before compromised services, equipment, and software are returned to the network.

• How to learn from the intrusion and use those lessons to improve the institution's security.

• How and when to prepare and file a Suspicious Activities Report (SAR).

Successful implementation of any response policy and procedure requires the assignment of responsibilities and training. Some organizations formalize the response program with the creation of a computer security incident response team (CSIRT). The CSIRT is typically tasked with performing, coordinating, and supporting responses to security incidents. Due to the wide range of technical and nontechnical issues that are posed by an intrusion, typical CSIRT membership includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution. Those areas include management, legal, public relations, as well as information technology. Other organizations may outsource some of the CSIRT functions, such as forensic examinations. When CSIRT functions are outsourced, institutions should ensure that the service provider follows the institution's policies and maintains the confidentiality of data. Institutions should assess the adequacy of their preparations through testing.

While containment strategies between institutions can vary, they typically contain the following broad elements:

• Isolation of compromised systems, or enhanced monitoring of intruder activities;

• Search for additional compromised systems;

• Collection and preservation of evidence; and

• Communication with affected parties, the primary regulator, and law enforcement.

Restoration strategies should address the following:

• Elimination of an intruder's means of access;

• Restoration of systems, programs, and data to a known good state;

• Filing of a SAR (guidelines for filing are included in individual agency guidance); and

• Initiation of customer notification and assistance activities consistent with interagency guidance.