
Accelerating Incident Response

How integrated services reduce risk and the impact of a security breach to organizations

Managed Security Services and Incident Response


Table of Contents

Executive Summary .................................................................. 3

Security is Risk Management ....................................................... 4

Managed Security, Incident Response and Risk ................................. 5

Do-It-Yourself Security .............................................................. 6

MSS + Incident Response ............................................................ 9

Incident Response on deck ..................................................... 11

Conclusion ............................................................................ 12

Copyright 2013 Dell SecureWorks Page 2


Executive Summary
Cyber security is a process, not a destination. No matter how well you're prepared, chances are you
will be hacked at some point. Along with a strong security defense strategy, you need a plan to
investigate and remediate a breach.

Many organizations outsource basic security tasks to a Managed Security Services Provider (MSSP).
Unlike an IT department, the MSSP has purpose-built tools and processes focused solely on securing
your environment. MSSPs also have better visibility into the broad threat landscape because they
manage thousands of networks. Given those factors, it's widely assumed an MSSP can deliver security
more effectively and efficiently than you can on your own.

A mature MSSP can also investigate and remediate attacks. Incident Responders are specially trained
to deal with the entirety of a breach, which includes containing and eradicating the adversary, malware
code analysis, digital forensics investigation, and post-event corrective action.

This paper presents the advantages of a single-outsourced solution for managed security services and
incident response. A qualified MSSP with experienced incident responders on staff can significantly
reduce the time it takes to control a breach. Using security operations data gathered from monitoring
and managing the network, responders have a head start on a swift response.



Security is Risk Management
The threat landscape is complex and constantly evolving. In this never-ending arms race, the bad guys
change tactics, techniques and procedures (TTP) daily. Unless you're in the cyber security business,
you can't possibly throw enough budget or staff at the problem to keep pace.

Consequently, security becomes an exercise in risk management. Your leadership team must decide
what level of risk your organization will accept:

Eliminate as much risk as possible while operating within budget and resource constraints
Implement strategies or policies to treat known or understood risk
Leave some level of known or identified risk untreated
Acknowledge unmitigated risk, which is unknown and/or not manageable given the
organization's capabilities and resources

When building your security program, consider mapping it to your risk profile. The approach you take
will determine your risk exposure.



Managed Security, Incident Response and Risk
MSSPs act as an unblinking eye, with systems and security analysts watching for anomalous activity
24x7x365 and escalating events of concern for further review and validation.

In the context of risk, MSSPs can eliminate and reduce risk faced by organizations to a more
acceptable level than what most can achieve internally. This is due to a number of operational factors.

In addition, the use of integrated services can boost efficiencies and ultimately mitigate more risk than
what can be done through siloed operations.

Addressing risk through various security sourcing scenarios



Do-It-Yourself Security
The do-it-yourself (DIY) model of security operations is the riskiest. For most
IT staff, security is one of many daily tasks. Around-the-clock vigilance isn't
possible. Yet every alert that goes unnoticed or unresolved can heighten the
risk of cyber-attack.

Even the best in-house managed security operations team can only address
a portion of the actual threats you face. You need information about what is
happening beyond your perimeter to understand the full scope. You then
need the ability to consume the data and act on it.

Very few organizations can find that caliber of expertise. Fewer still can
afford to staff their bench with full-time talent. Every gap in your security
program creates more risk.

Internal security operations, no Response capability



Managed Security Services Provider
Outsourced managed security services can offer better protection than most
organizations can attain on their own. They provide:

1. A sole focus on security without the distraction of other IT tasks. The
only job an MSSP has is to protect your network.
2. Intelligence gained from the breadth and depth of networks they
manage. MSSPs have visibility into hundreds or even thousands of IT
environments and untold numbers of events. By contrast, a single
organization can only see their environment. Greater visibility
increases the ability to apply intelligence to stop a threat earlier in the
attack cycle.
3. Around-the-clock monitoring and management via a Security
Operations Center (SOC). Cyber threats aren't confined to business
hours. Attackers are patient and persistent, so 24x7x365 vigilance is
not optional.

Security Gaps and Unmitigated Risk Still Exist

MSSP with no Response capability

Even though an MSSP can provide better protection, there is still no silver
bullet when it comes to today's security threats. Unmitigated risk is in a
constant state of flux because attackers are always changing their TTP. To
further complicate things, bad guys can find vulnerabilities in new attack
surfaces like cloud computing and bring-your-own-device (BYOD).

Consider that attackers have the time and patience to execute their plan.
They strike when they're ready, not when you are best prepared. Therefore,
you have to bring real-world intelligence into the fight. The effective
formulation and application of intelligence plays a significant role in reducing
unmitigated risk. A mature MSSP will have some level of research and
intelligence capabilities.

There are three important ways an intelligence organization augments
managed security services.

First, researchers analyze malware and deploy countermeasures. Those
countermeasures are pushed out to the entire MSSP customer base to
improve protection.



Second, researchers seek to identify unknown threats. They can provide non-signature-based
protection across the MSSP's threat management environment. In addition, they offer context behind
the threat.

Third, researchers can reverse-engineer malware found in the wild during incident response activities.
Their findings benefit the spectrum of MSSP customers.

MSSPs with extensive intelligence and research capabilities can provide valuable insights into attacker
motivations, actions and planning methods. This cycle of intelligence-sharing is the best defense
against threats.



MSS + Incident Response
If information-sharing is essential, data must
flow seamlessly between the managed security
services team, researchers and incident
responders. A smooth interaction yields faster
detection and minimizes the impact of a security
breach.

Data from MSS to IR


Security data is critical to incident response. It
provides the clues responders need to solve the
how and why of a breach. Quick access to
information is essential. Consider the options:
1. If your MSSP does not provide your
response services, legal or bureaucratic
barriers may slow down or halt data
retrieval. Additionally, forensic
information may be kept in silos and take
time to assemble. In the heat of battle,
every minute of delay equates to lost
time, productivity, money or reputation.
2. If your MSSP is your incident responder,
security data is readily available.
Responders can quickly look under the
hood and dive deep into the customer's
log and event data. Immediate data
access enables responders to control the
breach that much faster.

Data from IR to MSS


The information gained during an incident
strengthens security operations for the MSSP,
which ultimately benefits you.
During and after an investigation, responders
may discover new threats and develop better
detection and countermeasure practices. They
can quickly pass recommendations along to the
security operations team, who can leverage the
information across the entire customer base.

Process and information flows across Incident Response, Managed Security and Research



Responders help close the loop
Incident Response teams have front-line visibility into TTP across a wide
range of incidents and organizations. In an integrated MSSP-IR model,
responders can pass intelligence to researchers. This flow of intelligence
enables researchers to:

Develop countermeasures, which then can be applied across all
MSSP customers to improve their network defenses.
Gain additional context about threat actors and methods that may
help future correlation and research.

Responders can also leverage valuable consulting services offered by the
MSSP, like web application assessments, penetration testing and more.
These preventative services help disclose vulnerabilities that an attacker
can use to regain access into your environment.

Single-sourced integrated MSS + Response capability



Incident Response on deck
For MSSP customers, the retainer is essentially the gateway to capitalize on the inherent advantages of
integration between Managed Security operations and Incident Response services.

An incident response retainer can shorten the time to resolution from days to minutes. During an
active incident, the last thing you want to do is waste time selecting an IR partner. If you have a
retainer in place, you have a team on deck that can be deployed immediately.

However, not all retainers are created equal. There's a good chance your organization will not
experience any major issues or concerns related to a potential incident. It's for this reason
organizations should look for an Incident Response provider that allows unused retainer hours to be
applied toward other services if a breach doesn't occur.



Conclusion

Information security best practices are all about mitigating risks. There is no 100 percent fail-safe
security program, device or system. It takes an orchestrated effort between managed security services,
threat intelligence and incident response to provide the strongest defense.

This paper provides a business case for single-sourcing these functions to gain benefits that include:

Reducing investigation time with real-time access to data
Enhancing remediation solutions through applied cyber intelligence
Improving the overall security program through a continuous communications loop



Additional information
The Dell SecureWorks Incident Response and Digital Forensics service provides rapid containment
and eradication of threats, minimizing the duration and impact of a security breach. Leveraging elite
cyber threat intelligence and global visibility, we can help you prepare for, respond to and recover
from even the most complex and large-scale security incidents.
For more information:

Contact your Dell SecureWorks account representative

Call us at 877-905-6661

Visit www.secureworks.com

Email us at info@secureworks.com

Dell SecureWorks uses cyber threat intelligence to provide predictive, continuous and responsive
protection for thousands of organizations worldwide. Enriched by intelligence from our Counter
Threat Unit research team, Dell SecureWorks Information Security Services help organizations
proactively fortify defenses, continuously detect and stop cyber-attacks, and recover faster from
security breaches. For more information, visit http://www.secureworks.com.

