Almost one month ago I wrote Predictions for 2008. They included "2) Expect greater military involvement in defending private sector networks" and "4) Expect greater attention paid to incident response and network forensics, and less on prevention."
Relevant to number 2, today I read Intelligence Chief Proposes Wide Cyber Surveillance, which says:
US National Intelligence Director says government should be able to tap all email, file transfers, and Web searches.
In an interview scheduled to be published in Monday's forthcoming edition of The New Yorker, McConnell offers some insight into his long-awaited draft U.S. Cyber-Security Policy...
To accomplish his plan, the government must have the ability to read all the information crossing the Internet in the United States -- in order to protect it from abuse.
The plan gives government agencies the right to monitor email, file transfers, and even Web searches, according to reports. McConnell's proposals also include reducing the number of gateways between government computers and the Internet from 2,000 to 50, as well as implementing a dragnet to monitor electronic traffic.
Relevant to number 4, today I read Tech Insight: Incident Response, which says:
Incident response (IR) for many IT shops traditionally has been accomplished by cobbling together tools from various sources with a script-based tool that automates the collection of data from the suspect system. An IR team member or help desk technician is sent to investigate a problem, with a USB thumb drive in hand that contains the collection of tools. The tools are then run, and the output analyzed to detect the source of the suspicious behavior. It’s neither a quick nor efficient process.
All manual incident response is slow response, says Kevin Mandia, president and CEO of Mandiant. A key driver for organizations dealing with incidents, especially those in the financial sector, Mandia says, is speed and minimizing exposure: The IR team must be able to quickly grab information about the incident, determine what’s happening, and respond appropriately to minimize collateral damage...
With new products on the horizon, IT groups looking to streamline their current IR practices, or to simply start an IR program for the first time, should keep an eye on evolving products and new releases due out within the next month.
I plan to visit MANDIANT and HBGary within the next month. I have trial software from Technology Pathways to test. I have a copy of NetWitness Investigator Field Edition in my lab kit now. I have copies of AccessData FTK 2.0 and Guidance Software EnCase Forensic en route. There's a lot happening in the IR and forensic space, so I think 2008 will be a big year.