Always Answer a Question with a Question

People who know me know that I love to ask questions. In fact, people sometimes ask me: “Why do you always answer a question with a question?” To this I reply: “Why not?”

People who know me know that I love to ask questions. In fact, people sometimes ask me: “Why do you always answer a question with a question?” To this I reply: “Why not?”

In all seriousness, asking the right questions is one of the most important and fundamental aspects of a successful security program. Time and time again over the course of my career, I’ve seen that the inability to ask the right questions is one of the biggest challenges any organization will face in improving its security posture. Why is this? Allow me to explain.

There are two oft-used phrases that come to mind and help me to illustrate my point. I’m sure we’ve all heard the phrases “garbage in, garbage out” and “ask a stupid question, get a stupid answer”. These couldn’t be truer in the realm of information security.

Questions empower us to move from the problem to the solution. First and foremost, when our goal is to solve a problem, we must understand the problem – to its core.

Fully grasping the problem is the conception of its solution. From there, we must ask: “What information, technology, knowledge, or otherwise is missing that prevents us from solving this problem?” Understanding the answer to this question subsequently enables us to ask additional, more detailed questions designed to tease out what we need in order to succeed. As you can see, by asking questions and answering those questions with additional questions, we are working towards solving big problems by breaking them down into smaller, more tractable problems.

If you’ve read my previous pieces, you may notice a theme here. Whether I’ve written on enumerating risks, setting goals and priorities, identifying operational requirements, developing alerting content and logic, analyzing root cause, performing incident response, or any of the other activities that are part of a successful security program, there is a unifying theme. Yes, the topics I have written on are all part of a successful security operations and incident response program. But beyond that, there is a deeper thread that runs through them. They all involve asking the right questions. In my experience, in information security, the question is more important than the answer.

Asking the right questions allows us to approach information security analytically and logically. We need to be able to formulate precise, targeted, incisive queries to home in on the most relevant data while minimizing time spent on data that are irrelevant. That is the only way to progress towards addressing some of today’s biggest security challenges.

Let’s illustrate this through an example. Say we run a Security Operations Center (SOC) or incident response function that consistently misses intrusions and is almost always notified by a third party. Obviously, at the top of the priority list for this organization is improved detection. But unfortunately, a desire for improved detection alone will not get us to where we need to go. We need to ask the right questions.


The obvious initial question to ask is: “Why are my detection rates so poor?” In order to answer this question, we need to get to the core of the issue. Is it because my signal-to-noise ratio is far too low? Or, is it because I do not have the proper visibility into my network and endpoints? Or, could it be that I do not have the proper expertise to vet, qualify, and investigate alerts? Could it be that I do not have sufficiently intelligent alert logic (spear alerting)? Or, could it be that I do not receive sufficient information and intelligence to assist me with detection? Perhaps it is a combination of some or all of the above factors?

As you can see, each of these questions pokes at drastically different root causes. Only through understanding which question or questions address the root cause of our poor detection can we begin to address the issue. Once we are able to ask the right questions, we can begin to progress down the path towards a solution. Without this critical step, we are simply wandering, which does not bring us closer to solving our problem.

Let’s look at a second example as well. Recently, I was fortunate enough to have the opportunity to speak at Suits and Spooks Singapore. I joined the panel discussion on “Nation State Challenges in Securing Critical Infrastructure from Digital Attacks.” For those that know me, it will come as no surprise that I took a question-based approach to the discussion. The angle I took was as follows: “Before we can apply the state-of-the-art in both prevention and detection/response to the challenge of securing critical infrastructure, we need to ask a series of questions.”

This is another great example of where asking the right questions is of the utmost importance to addressing the challenge. Consider these points:

1. Definition. What do we consider critical infrastructure? What do we intend to secure? Casting too narrow a net leaves nation states exposed to unforeseen and unmitigated risks. Casting too wide a net leaves nation states with a never-ending list of assets to secure, many of which may be irrelevant.

2. Inventory. Where are our critical infrastructure assets located? This question is obviously predicated by the answer to the previous question. But beyond that, do we even know where the assets we want to secure are located? In many countries, the answer to this question is, unfortunately, no.

3. Strategic plan. How will we go about securing the assets we enumerate? What mix of policy, legislation, regulation, guidance, and other assistance is the right mix?

4. Implementation. When will we address which issues with what resources (budgetary, technology, expertise, and otherwise)?

As you can see, it is one thing to talk about the need to secure critical infrastructure. It is another thing entirely to try and do something about it.

In some circles, it may be considered gauche to answer a question with a question. In information security, I would argue that it’s actually quite necessary.

The next time someone asks you “What is the state of your security program?” or “What are you doing to improve your security posture?”, will you answer them straight up, or will you ask the question “What questions do I need to ask to properly answer that question?”

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
