January 2015 is already winding down, but it's not too late to think about the lessons of 2014. For anyone in information security, 2014 was a year marked by spectacular breaches. It ended with Sony Pictures Entertainment getting its clock cleaned by hackers, quite possibly from North Korea. Wouldn't it be great if 2015 didn't include the same sort of clock cleaning at your company?
Having run thousands of incident response operations over the years, I have come to appreciate the value of visibility. I'm talking about meaningful data collection, from the network layer up to the applications. I'm talking about data that can help the computer security incident response team (CSIRT) understand with a high degree of confidence what happened. You can take steps to make sure that your CSIRT will have that kind of data, well organized, so they're not lost in a sea of meaningless data or grasping for clues with no data at all. If you do nothing to improve visibility, your CSIRT might be able to draw some basic conclusions about an incident, but chances are they won't be able to tell executive decision-makers what they really want to know: precisely what happened in an incident and the extent of the business impact.
So my suggestion for 2015 is to increase your ability to see an incident. Make it a goal to be able to accurately and rapidly establish your situational awareness during and after an incident. Good situational awareness is vital to your executive team as it sets out to make the difficult business decisions in the wake of an incident.
First, take stock of what you already have in place for visibility. Take a critical look at your event logging, data analysis, data retention, etc. Start at the network level, and ensure that you can see into all of your mission-critical networks. Then move on to other networks, such as those for connecting desktops and mobile devices. Do an inventory and establish a clear picture in your mind of how well the data you're already collecting will help you reconstruct the events around an incident. You need to know what your current abilities will do for your situational awareness.
Next, you should move up to your servers: application servers, departmental servers, etc. Do another inventory and determine what logging is in place and how it relates to and correlates with the network-level data. Figure out how well that data will help you determine the business impact of an incident. Even though server logs can probably shed only a small amount of light, you still need to know just what information they contain and how best you can leverage that information during an incident.
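The two inventory steps above (network-level data first, then server logs, and how the two correlate) are easier to judge with a concrete drill. The following Python script is an added example written for this post, not the author's own tooling: it takes a handful of constructed firewall-style connection records and constructed SSH authentication lines, joins them by source address and timestamp, and reports two things an incident responder wants to know in advance: which server events the network data can corroborate, and which hosts were contacted on the network but produced no server-side log at all. The log formats, host names, addresses and the five-second match window are all assumptions for the sake of the example.

```python
"""Added example (not from the original post): correlate constructed
network-level connection logs with constructed server auth logs to
rebuild an incident timeline and expose visibility gaps."""
from datetime import datetime, timedelta

# Constructed sample: firewall/NetFlow-style records from the perimeter.
# Assumed format: timestamp src_ip dst_ip dst_port action
NETWORK_LOG = """\
2014-12-01T02:14:05 203.0.113.7 10.0.1.20 22 ALLOW
2014-12-01T02:14:09 203.0.113.7 10.0.1.20 22 ALLOW
2014-12-01T02:15:40 203.0.113.7 10.0.1.31 445 ALLOW
2014-12-01T03:02:11 198.51.100.4 10.0.1.20 443 ALLOW
"""

# Constructed sample: syslog-style sshd lines from one application server.
# Assumed format: timestamp host sshd: <Accepted|Failed> ... for USER from IP
SERVER_LOG = """\
2014-12-01T02:14:06 app01 sshd: Failed password for admin from 203.0.113.7
2014-12-01T02:14:10 app01 sshd: Accepted password for admin from 203.0.113.7
2014-12-01T03:02:12 app01 sshd: Accepted publickey for deploy from 198.51.100.4
2014-12-01T04:30:00 app01 sshd: Accepted password for root from 10.0.2.9
"""

# Constructed inventory: internal hosts that are expected to ship logs.
HOST_INVENTORY = {"10.0.1.20": "app01", "10.0.1.31": "fileserver01"}


def parse_network(text):
    """Parse the assumed flow-log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "action": action})
    return events


def parse_server(text):
    """Parse the assumed sshd line format; outcome, user and source are extracted by keyword."""
    events = []
    for line in text.splitlines():
        ts, host, rest = line.split(" ", 2)
        words = rest.split()
        outcome = "Accepted" if words[1] == "Accepted" else "Failed"
        user = words[words.index("for") + 1]
        src = words[words.index("from") + 1]
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "outcome": outcome, "user": user, "src": src})
    return events


def correlate(net_events, srv_events, window=timedelta(seconds=5)):
    """Build a sorted timeline of server auth events, marking each one
    'corroborated' if a network flow from the same source to that host
    exists within the window, else 'uncorroborated' (a network blind spot)."""
    ip_of = {host: ip for ip, host in HOST_INVENTORY.items()}
    timeline = []
    for s in srv_events:
        dst = ip_of.get(s["host"])
        hit = any(n["src"] == s["src"] and n["dst"] == dst
                  and abs(n["ts"] - s["ts"]) <= window for n in net_events)
        timeline.append((s["ts"], s["host"], s["user"], s["outcome"], s["src"],
                         "corroborated" if hit else "uncorroborated"))
    return sorted(timeline)


def visibility_gaps(net_events, srv_events):
    """Hosts that the network data shows being contacted but that contributed
    no server-side log lines: these are the servers the CSIRT cannot explain."""
    logging_hosts = {s["host"] for s in srv_events}
    gaps = set()
    for n in net_events:
        host = HOST_INVENTORY.get(n["dst"], n["dst"])
        if host not in logging_hosts:
            gaps.add(host)
    return sorted(gaps)


if __name__ == "__main__":
    net = parse_network(NETWORK_LOG)
    srv = parse_server(SERVER_LOG)
    for row in correlate(net, srv):
        print(" ".join(str(x) for x in row))
    print("hosts with no server-side logging:", visibility_gaps(net, srv))
```

Run against the constructed data, the script shows the external logins to app01 corroborated by perimeter flows, the internal root login from 10.0.2.9 uncorroborated (nothing at the network layer saw it, which is exactly the kind of internal-segment blind spot the first inventory step is meant to surface), and fileserver01 flagged as a host that was reached over port 445 yet shipped no logs. Replacing the samples with real exports from your own collectors turns this into the inventory check the text describes.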