Incident Response Requires a New AppSec Model
Security Boulevard – Patrick Spencer
A recent report published by Dark Reading in concert with several technology companies such as Palo Alto Networks, "How Enterprises Respond to the Incident Response Challenge," seeks to understand the practice of incident response across enterprises. One key takeaway from the report is that security leaders appear to overestimate their ability to detect and respond to security incidents. One area the report explores is what actually constitutes an incident response. Compared with 2019, the 2020 responses show a general increase across all categories, reflecting an ongoing maturation of security in organizations and widespread consensus that the volume of malicious attacks continues to climb. For example, the report shows anomalous use of an organization's internal systems, applications, or networks grew from 43% in 2019 to 69% in 2020, and a suspected case of unauthorized use of applications or data by an employee or other credentialed user jumped from 46% in 2019 to 66% in 2020.
Taking an audit of the most common types of security incidents provides an at-a-glance view of attack vectors and methodologies. Understanding the various forms of attacks (probes or true exploits) helps identify system weaknesses and potential entry points, including third-party risks; only 41% of organizations intermittently keep in touch with business partners on incident response matters. A good starting point for many is the National Institute of Standards and Technology (NIST) SP 800-53 requirements, especially the new standards around interactive application security testing (SA-11[9], IAST) and runtime application self-protection (SI-7[17], RASP). Per the report findings, most organizations may be dangerously overestimating their ability to detect security incidents. Over 36% of respondents find it difficult to determine the extent of an incident.
In addition to the above, false positives are listed in the report as a recurring problem: 22% cite time spent responding to false alerts as one of their top incident response challenges. So, what can be done to address this problem of false positives and false negatives and their deleterious impact on incident response? As a starting point, perimeter-based security needs to be supplemented with or replaced by a completely new approach to AppSec. Rather than trying to protect applications in runtime from the outside in, the opposite approach is needed: from the inside out. It also requires the use of security instrumentation that resides within the application runtime, with sensors deployed across the entire application stack. Incident response is a critical linchpin in how organizations manage their risk. An incident response program that is weighed down with inefficiencies, or even alert fatigue, resulting from false positives can become a serious risk factor in and of itself. The corollary is true as well.
Link: https://securityboulevard.com/2020/04/incident-response-requires-a-new-appsec-model/