#RSAC: Putting Humans at the Center of Incident Response

People should be at the center of organizations’ incident response programs, according to two Proofpoint speakers during a session at the RSA Conference 2022.

Opening up, Brian Reed, senior director of strategy at Proofpoint, observed that “a lot of the time we get caught up looking at technology, but it’s people at the end of the day who matter.”

He highlighted the NIST SP 800-61 incident response framework (the Computer Security Incident Handling Guide), which sets out what security teams must do before, during and after an incident. This framework can be used to help build an incident response program “in a people-centric way,” said Reed.

Jeremy Whittkop, senior director of technical services at Proofpoint, argued that post-incident activities are the most crucial component of this framework. He urged organizations to research other incidents and speak with peers to understand the incidents those peers have been through. “The sad thing is that similar companies and industries get hit by the same things over and over again because they don’t learn from others’ mistakes,” he outlined.

Both speakers outlined the importance of tabletop exercises to strengthen incident response practices. “The most important thing is to make sure the lines of communications between different groups who might not always do a great job talking to each other are wide open,” commented Reed.

Whittkop emphasized that there is not a lot of time to respond to a successful attack, and therefore “everybody that needs to be involved needs to know what they are doing.” This can sometimes involve having to quickly contact law enforcement to catch a malicious insider threat actor.

To effectively respond to insider threats, organizations need to understand the different types of behaviors and motivations of these actors. Reed advised classifying these individuals into three categories: careless users, compromised users and malicious users. “What’s fascinating by the percentages is that the careless user is by far the majority of cases – the careless, accidental and negligent folks.”

Once classified, these insiders should be treated in different ways by the organization. “It’s about understanding who the users are and building and designing it around what they do.”

In addition, the speakers noted that incident response generally places too much emphasis on content, i.e., the data itself. While content is important, organizations must also account for how users interact with that data, namely the context and the behavior. This can prevent incorrectly blaming employees for malicious insider threat activity. Whittkop cited a customer who said, “if you’re going to condemn human behavior, you don’t get to be wrong.”

He added: “It’s not just can I see the thing that’s happened, but can I be sure enough to take action?” Organizations should look to piece together information from multiple sources to make this assessment, commented Reed.

Another essential aspect of a human-centric incident response program highlighted in the session is establishing an organization’s ‘who, what and why.’ This can enable the most effective response and protect essential data:

- Who: your high-risk users, e.g., those with low security awareness or with many privileges
- What: the data you are worried about
- How: the ways your data might be at risk