Comments on Journey Into Incident Response: Making Incident Response a Security Program Enabler
Blog author: Corey Harrell
Comment feed last updated 2024-03-13 01:32 -04:00 (12 comments, newest first)

allan (2016-05-25 15:28 -04:00):
@Corey, thanks for mentioning the book. I am sorry I didn't see this until now and that the book did not meet your expectations. I would love to hear your feedback (via email is fine, as I know this topic is old) on how to make the book better for the next edition. I have read through several entries on your blog and really like what you have to say.

Corey Harrell (2015-05-23 13:37 -04:00):
@Edward,

That's a lot to include in a comment. If you want, contact me at the email address on the About page and we can talk offline. I may do a post on this in the future.

Edward (2015-05-21 12:02 -04:00):
Really interesting. If possible, could you explain the following in a little more detail? What is the format/method used to capture and store your VERIS schema-based reports for each incident? How do you feed these reports into Tableau? Thanks.

Paul McCreeth (2015-05-18 04:11 -04:00):
Brilliant post. I am in the process of doing SANS 501, 503, 504 and 560, and this is so well written; it is very easy to understand and digest. 504 exam today - what timing! Thanks.

Corey Harrell (2015-05-05 21:30 -04:00):
@Richard,

Thanks for leaving a comment and sharing the INSA link. I wasn't aware of it and am glad you pointed me to it, because it was very interesting.

Richard Bejtlich (2015-05-03 12:01 -04:00):
Thanks for citing my work!

Here is a brief comment on the "levels of intelligence":

Most who learned about the topic from other domains (like SIGINT, etc.) use three levels:

strategic, operational, and tactical,

corresponding to the three levels of war found in US joint doctrine.

For example, see the 2013 INSA Strategic Cyber Intelligence:

http://www.insaonline.org/i/d/a/b/StrategicCyberWP.aspx

For a UK example, see "Threat Intelligence: Collecting, Analysing, Evaluating."

I am not as big a fan of the UK report (by MWR) because their descriptions of the levels are a little confusing, and their diagram doesn't clarify the order of the levels. The text does list the levels (adding "technical," which can be disputed), however.

Nevertheless, I am glad to see more coverage of this topic here and elsewhere.

Corey Harrell (2015-04-27 13:04 -04:00):
@anon,

Thanks for leaving a comment. I do agree the deficiency in skilled professionals will impact an organization's ability to do this. However, I disagree that pulling this off can only be done using an external SOC. If a company does have a skilled professional, all of this can be put in place using this in-house expertise. If the company doesn't have the skillset, then it will become difficult to do. An external SOC may help with increasing visibility, but the company itself will still need to develop the skillset to be able to respond to and document what the external SOC sends them. If the company can't react to the SOC alerts, then it makes you wonder why they are doing it in the first place. Another option for these companies is to hire the external skillset or reach out to another organization with the skillset to build it for them and to help develop their staff. After it is built, parts of it can be outsourced to an external vendor while other parts are managed in-house. This could work and be an option for companies without the skillset, but it is an assumption on my part since I haven't seen this built in this manner.

To pull off what I'm describing is a challenge and is really dependent on having access to people with the skillset to manage it. How companies get this skillset while competing with other companies is the first hurdle they'll need to overcome.

Anonymous (2015-04-27 12:08 -04:00):
Great write-up, Corey. Would it be wise to say, considering the fact that the industry is currently deficient in skilled cyber security professionals, that this would only work if companies leveraged SOCs from companies like FireEye, GuidePoint, Fishnet Security, Dell Secureworks, etc.?

Corey Harrell (2015-04-27 09:49 -04:00):
Harlan,

That is a tough question and one I thought about a lot. There are some things going against these business leaders. For one, they are probably mostly exposed to the marketing hype that tries to present the issue in a way that gets the leaders to buy a service or product.

In some ways, I think it goes back to what we discussed at one point. To put something like this in place requires access to people with the skillset to put it together and communicate it to the business leaders. There are two types of skillsets required. The first is the enterprise detection and response skillset to actually build it. The second, and equally important, is someone who knows the organization, knows how to work things through the organization, and knows how to get buy-in from various stakeholders. This person is the one who communicates with the business leaders and gets them to agree to put a continuous incident response process in place.

If a business leader has both of these skillsets available, then it is on the people with the skills to communicate to this leader the threat landscape and how to address the risk. If the business leader doesn't have the skillset, then the only option is to either find it (and then acquire it) or to buy in to the marketing hype and then hope for the best.

H. Carvey (2015-04-27 07:02 -04:00):
Great post, Corey... the question now is, how do business leaders accomplish this?

Corey Harrell (2015-04-27 06:47 -04:00):
@anon,

There are not many books on the subject, and I did read the entire book. Parts of it were alright, but overall I didn't think too highly of the book. The approach the author describes is very expensive, and other areas are completely missed. Hope this helps.

Anonymous (2015-04-27 06:25 -04:00):
Thank you for a great post (as always)! Have you read the entire book you referenced, Building an Intelligence-Led Security Program, authored by Allan Liska? The two reviews on Amazon weren't exactly stellar. I'm curious about your thoughts. Thanks!