Bruce Schneier: 'Incident response is failing'

Renowned cryptographer Bruce Schneier took aim at the security industry and poor incident response planning during a typically forthright talk in London yesterday.


Schneier was a keynote speaker at the IP Expo Europe conference, where his talk on the 'future of incident response' took a closer look at emerging trends in cyber-crime, common security failings, and how companies must move beyond prevention and detection to response.

Citing a cyber-criminal landscape which now has 'an entire supply chain', a characterisation backed up by a recent study from Europol's European Cybercrime Centre (EC3), Schneier looked at how economics and human psychology lie behind mistakes in the information security field.

He noted that high switching costs make it hard for companies and consumers to change software or services, so that success is often dictated by the IT vendors with the biggest budgets and the most award wins. He added that it is human nature to be risk averse, and that buyers are often guided by price rather than features.

“There is reluctance to spend the money and people are predisposed to take the chance,” he said.

“This really does explain security. It's a sale and a small guaranteed loss or a chance at a larger loss that maybe you get hacked. It's a hard sell,” he said, equating selling security solutions to insurance premiums or burglar alarms.

Incident response

Schneier said that the information security field is now increasingly focusing on response, having seen prevention and detection be the main themes of the 1990s and early 2000s respectively.

“We are now in the decade of response.”

Yet he said that this brings problems of its own. He appeared to suggest a lack of expertise in the area, which is perhaps not a surprise given that recent studies indicate most data breaches either remain undetected for months or are first discovered by law enforcement. A study released earlier this year indicated that one in three businesses has no incident response plan.

Even automation, one of the latest buzzwords in the sector, is not geared up to deal with incident response, said Schneier.

“Automation has taken away a lot of vulnerabilities, using things like automated software updates. But the problem with response is that you can't automate it,” he said, mentioning how different companies would likely have different incident response plans, vastly different networks and work in accordance with different regulators.

“In incident response I think we are failing in all areas.”

He believes that the OODA loop (observe, orient, decide, act), a decision cycle developed by US Air Force colonel John Boyd for air combat, should be embraced by businesses as they approach incident response.

“What we need to do as security people is build, use and make tools to get inside the observe, orient, decide and act (OODA) loop, and in incident response it is failing and we need to do better and we can do better than the attackers, and use tools that aid people.”

Brian Honan, managing director and consultant at BH Consulting and an adviser to Europol, told SCMagazineUK.com shortly after the presentation that a lot of the concerns around incident response come from security complacency.

“A lot of companies have the attitude that they're not going to be breached. Incident response has been the poor relation of security – security reviews are hardly looked at and a lot of companies make it up as they go along, usually in the middle of a data breach,” said Honan.

He added that all parts of the business must be part of the process, which should be tested and fine-tuned.

“Incident response is not just a technical discipline,” he noted, adding that HR, PR and legal departments also need to be involved in the aftermath of a security incident. “You need to document [the incident] and run through the various scenarios.”

Andrew Rose, CISO at NATS (National Air Traffic Services) and former security analyst at Forrester, told SC recently that 2015 could be the year in which incident response procedures are revised.

“I think we'll see very clear processes around incident response,” said Rose, who added that these plans are often out of date, having been neglected in the past.

“A lot of organisations have IR processes they drag out if something goes wrong, but they're probably low-tech and not very effective. Over the next 12 months I'd expect to see more rigour and tools around incident response.”

“CISOs will expect these tools to be a lot more refined so that they're able to respond in hours rather than days.”