Proactive incident response: Do it by the book

When you need to set best practices for security-event response, learn from Mandiant's example and its forensics expertise

I was an EMS paramedic in a prior career. At age 19, I was starting IVs, delivering babies, shocking cardiac arrest victims, and using the "jaws of life." I saw and learned a lot. Strangely, I find upgrading Microsoft Exchange on a huge network much more stressful.

As a young paramedic, I noticed something peculiar. In first aid class they teach you the “official” way to do things, be it how to remove someone from a car on a backboard, how to access a trauma victim, or how to do CPR. But in the field, as a newbie, you quickly learn that most rescue people don’t do things by the book. The book is for geeks. In the field, you have to move fast: People’s lives are on the line! And unless you have a very good mentor, it’s the way you begin to do things.

Pretty soon you notice that the paramedics and leaders you respect the most, who seem to have the best outcomes, who are always calm under pressure, do the job by the book every time. The book way, it turns out, is the best way. It may not be the fastest way, but it is the best way overall. If you slow down and do things the way you’ve practiced a hundred times, just like in prescribed theory, you’ll eventually become one of the leaders who commands respect, too.

Computer incident response is a lot like that. If you get the right theory, and practice it enough, you'll command respect when the “big one” comes. Right now my respect goes to Mandiant. It goes by the book because it wrote the book -- actually several books -- on incident response.

I’ve taught and written about incident response for most of my professional career. Recently, I was peripherally involved with an incident at a major international corporation that Mandiant was brought in to handle. The corporation has a highly trained, experienced security response team, and it could only rave as the Mandiant pros came in and did their thing. It’s similar to other stories I have heard about Mandiant (formerly known as Red Cliff Consulting).

Mandiant is a quickly growing computer security company focused on proactive incident response, forensics, education, and related software. The employee list reads like a who’s who in the field. Led by Kevin Mandia, the firm’s average employee has 15 years of experience and a top secret security clearance. Several employees spent time at Foundstone, another excellent firm (and one I used to work for), while others come from the U.S. military and MIT.

What makes Mandiant good (besides the experience) is the practiced professionalism. It's been there and done that, and it follows the book. As one international corporate CSO put it, “If you have a computer security incident, these are the only guys I would call.”

If you haven’t heard about Mandiant before, that's only because it is the go-to vendor for companies that don’t want the publicity. Its business is about 50 percent government-related and 50 percent Fortune 500. If there’s a big e-commerce heist at a major bank or someone in the government is in trouble for letting an unencrypted asset disappear, there’s a good chance Mandiant is involved trying to get the facts and make things right.

Everyone I’ve interviewed said that Mandiant's classes and presentations are among the best they’ve ever taken. Unfortunately, classes aren’t generally available to the public -- your company must hire the firm for private sessions. However, you can read any of the books they’ve authored or helped with or read their many magazine articles.

If your company can’t afford to fund a private class, try to attend any of the public presentations it gives. But get there early if you want a seat -- more than 500 people attended Kevin Mandia’s presentations at this year’s Black Hat conference.

Mandiant offers two free software programs: First Response and Web Historian. First Response has been downloaded more than 2,000 times. It allows proactive forensics: you install First Response as a Windows service before an event happens, and when one does, you’ll be able to easily retrieve forensic evidence, just like the professionals.

Web Historian has been downloaded more than 20,000 times. It allows a forensic investigator to dump the history logs of most of today’s popular browsers, including Internet Explorer 7, Firefox, Safari, Netscape, and Opera.

If you do incident response for a living, I encourage you to read one of Mandiant's books on the subject. And when the “big one” happens, follow the book.