Incident response is the most visible function for a typical CISO. For good or for ill, it is the primary way CISOs are judged. Beyond the immediate impact of demonstrating the organization’s resilience to customers, management and employees, how an organization deals with incident response says a lot about its culture. Does the organization recognize the challenges and opportunities of doing business in the twenty-first century? Does management invest in and support the security hygiene and preparation it takes to protect long-term value delivery while competing in a digital world?
Bill starts by focusing the reader on the training and preparation that must be done, specifically triage training for the security team and situational training for the whole organization. Quickly recognizing and responding to incidents can be the difference between a minor disruption and a major breach. Communicating effectively during an incident is also critical to maintaining the confidence of the organization’s many stakeholders, and preparation is key to success here as well.
Matt reminds us of the ongoing yet still emerging convergence of information technology (IT) and operational technology (OT). The ability of errors in code or network misconfigurations to contribute to the physical harm done to a person or group adds a new dynamic to data protection. In addition to increased technical complexity, this now forces a level of due care that is new to many industries. Just as interactions between the physical and digital world are exploding in scope, so too are people becoming more aware of the peril of being an open book to merchants and criminals and demanding greater say over and greater protection for the use of their online identities.
Gary shows how organizations can demonstrate value in their incident response program by first understanding that the business must be the focus. Once the organization realizes that incident response is about staying in business, not playing spy-catcher and whack-a-hacker, investing in incident response becomes investing in the organization, its customers, and its people. He then walks us through building the incident response program and measuring its success.
Some of the questions the authors used to frame their thoughts for this chapter include:
♦ What is the business value of an Incident Response Program (IRP)?
♦ What are the processes to create an IRP?
♦ What are some methods to measure the effectiveness of an organization’s IRP and why is it important to the CISO?
Incident Response – a CISO’s Best Friend – Hayslip
I want to set the stage for us. In the early morning hours, as the CISO for a global software company, you are awakened from a deep sleep by the chirping of an emergency number on your smartphone. As you proceed to talk in hushed whispers, you are informed by your managed security services provider (MSSP) that their SOC analysts are reporting an anomalous incident in your organization’s primary datacenter.
The MSSP used the incident response communications tree and contacted the company network team and security liaison staff, who are now reporting they see suspicious network traffic and upon investigation have found evidence of a malware outbreak in several production servers. As you wake up and shift into troubleshooting mode, you receive more troubling information. This issue doesn’t affect just a couple of servers but has manifested itself as ransomware on critical production databases. With this information, as the CISO, it’s time to transition into your role as the Incident Response Team Manager and begin the activation of the company’s Security Incident Response Plan.
Cybersecurity leaders today know their roles have matured and they must align their departments and security programs to the business and support its strategic goals to be successful. However, one area many organizations and CISOs still need assistance with is incident response. In 2016, SANS surveyed 591 security professionals about the state of incident response in their organizations (Bromiley 2016). There was some good news – 76% of those security professionals had dedicated internal IR teams, an increase from the SANS 2015 survey.
However, there is still much work to be done. Approximately 21% said that their time to detect malware in their networks, or “dwell time,” was two to seven days, while 40% indicated that they could detect an incident in less than one day. Some other bleak statistics: malware remains the underlying cause of most reported breaches, at 69%, with unauthorized access seen as a rising menace due to attackers taking advantage of weak, outdated remote access and authentication mechanisms. This report noted that 65% of the security professionals surveyed were still dealing with a shortage of skilled personnel, and only 58% of organizations admit to regularly reviewing and updating their IR processes.
The report demonstrates that incident response, as a program, is in a state of change in organizations today, and when there is a security incident, many lack the ability to lead a coordinated response to the event. I am sure there are reasons why organizations do not have formal incident response policies or documented incident response methodologies. Some companies focus on purchasing technology in the belief that when an event occurs, the purchased hardware and software will save the day. Unfortunately, they are missing a critical point – incident response isn’t about technology, it is really about business.
It’s About the Business
At its core, incident response is about an organization’s strategy and business processes; it is tactical and will incorporate stakeholders from many departments within the company as well as external partners. Incident response is an action plan for dealing with incidents like internal and external intrusions, cybercrime, disclosure of sensitive information, or denial-of-service attacks. In typical organizations, the CISO is tasked with developing the Incident Response Plan and managing the Incident Response Team. This is why the questions we will discuss focus on the business value of your incident response, the processes to follow for an effective program, and how the CISO can measure the effectiveness of their IR program.
Cybercriminals are successfully targeting and compromising businesses of every size across all industry sectors. This ongoing digital onslaught demonstrates the need for organizations to be prepared to respond to the inevitable data breach. They should guide their response with a methodical plan designed to manage a cybersecurity incident with the goals of limiting impact to business operations, increasing the confidence of external stakeholders, and reducing recovery time and incident remediation costs. These goals mean that organizations need to require their CISOs to create an incident response program tailored to the company’s strategic operations.
However, many organizations lose sight of their incident response program’s strategic value. Instead, incident response documentation describing how to act in the event of a breach is forgotten and soon out of date. The documentation quickly becomes ineffective for key decision makers: too generic and unhelpful for making critical, informed decisions. I therefore chose the first question for our discussion to be about the business value of an incident response program. As CISO, there will be times when you will need to defend the resources needed for the incident response program, and you will need to be able to describe several business cases that demonstrate the value it brings to the company and its operations.
This leads us to our first question: “What is the business value of an Incident Response Program (IRP)?”
Cybersecurity incidents are on the rise and now frequently headline news around the world. Many of the recent attacks have brought severe damage to organizations of all types, including governments and international nonprofits. An organization with a mature incident response program would have a methodical course of action for responding to these attacks in a fast, effective, and comprehensive manner. However, many organizations do not see incident response as a mature process. Instead, they see it as a collection of disjointed practices and procedures; thus, they prefer to contract it out to third parties.
How Incident Response Adds Value
To address this, I will discuss some of the issues companies see when looking at incident response and describe several cases that highlight how incident response can provide value to an organization. As we begin, some of the contention around investing in an internal incident response program is as follows:
♦ There are too many common definitions of what constitutes a cybersecurity incident, with this wide variety of interpretations resulting in organizations adopting different views on how to manage them. Many organizations consider it difficult to address this effectively and understand the level of incident response capability they require.
◊ Response – That is true for many companies when they first start the process of addressing incident response and allocating resources for their CISO to build an IRP. However, there are amazing references from both NIST SP 800-61r2 (NIST 2012) and ISO/IEC 27035 (ISO 2016) to begin this process, so it is not unattainable.
♦ There are different sources and types of cybersecurity incidents. Some appear to originate from minor criminal groups and produce annoying disruptions, others from major organized crime syndicates that result in business-ending events. Plus, there are so many types of cyber incidents, such as hacking, malware, or social engineering. All of this generates confusion, and organizations just want something that is manageable. Given all this, why not outsource it to a partner who specializes in incident response?
◊ Response – There are always some incident response services that can be outsourced to a third party. With that said, the business still has accountability for how it manages its assets during a breach and must be able to answer the questions of “reasonable care.” For example, did the organization implement reasonable security controls and follow industry best practices to reduce risk exposure as much as possible? If a company doesn’t have an incident response program, they are likely not meeting a “reasonable care” standard.
Even if a contracted third party does the primary work for the incident response program, the business should still have an incident response plan. The plan will cover communication with its partners, what resources to activate for an incident, who has overall responsibility to manage the incident, and how and when to report its findings to executive leadership. In a sea of misinformation on how to deal with an incident, an incident response program provides the business clarity to reduce the incident’s impact and return business operations to normal.
♦ Many organizations do not understand their state of readiness; they lack insight into how they would respond to a cybersecurity incident. In fact, many organizations are typically not well prepared in terms of having any personnel assigned to an incident response team or providing training to grow sufficient technical skills for team members. Even if they have an incident response program, they lack clear policies that provide guidelines on how to identify a cybersecurity incident, investigate the incident, take appropriate remediation action based on the incident, and recover critical business systems.
Many organizations also don’t fully understand the location or use of their critical business data. They lack a complete picture of how their enterprise network topology is architected, and they don’t know all of their egress/ingress points to the Internet. Finally, many of them lack information on the incidents themselves. Having no incident response program or an immature one at best, they respond to an incident after it impacts the organization and rarely collect internal threat intelligence on when, where, and how the incident occurred.
◊ Response – An incident response plan, policies, and program provide a framework that enables quick decisions and provides a communication process to access critical third parties when needed. The IRP would have procedures to help team members know what they need to do, how to do it, and when to do it during a time-critical cybersecurity incident. The IRP process, led by the CISO, will also provide organizations with an understanding of the lifecycle of their data and how their networks are architected, and help in determining what event logs are considered appropriate for collection and storage.
During the remediation process, the collection of event logs will enable team members to understand when, where, and how the incident occurred. Finally, the IRP helps the organization define their business priorities; it provides understanding about its interdependencies between processes, support systems, and partners, such as cloud providers or MSPs.
♦ Many organizations opt to purchase the services of properly qualified third parties. Yes, this option can significantly help organizations. It can provide qualified personnel with the experience to handle cyber incidents more effectively and appropriately. However, the company must interface and work with these competent individuals because they need context into the organization’s networks, its data, applications, and business practices to be effective. Even having the full IRP process contracted out, organizations will still have to participate in a cybersecurity-related incident. There is no sitting on the sidelines.
◊ Response – Outsourcing to a managed security services provider (MSSP) to access more experienced, dedicated technical staff to respond to sophisticated cybersecurity incidents is prudent. If the organization lacks the resources to employ an internal IRP fully, then I would suggest a hybrid approach to augment those internal staff who will execute and manage the organization’s response to an incident. A hybrid approach is one in which the company has an incident response program, created and managed by the CISO, with members from across the organization and trusted external partners. The program specifies in detail the business’ response to particular types of incidents and documents when MSSP staff are required to assist in conducting technical investigations or performing post-incident analysis.
Typical business continuity/disaster recovery plans inadequately cover the impact cybersecurity incidents can have on organizations. These incidents can affect the ability to operate strategic business units and can lead to loss of reputation in a competitive industry and financial losses due to fleeing customers or third-party lawsuits. These are just some of the effects that a business can experience due to a cybersecurity incident if they have no IRP and are not prepared to defend themselves.
However, if an organization funds an incident response program, it now has a platform to focus on upcoming security issues, facilitate the centralized reporting of incidents, and coordinate a response to those incidents. In fact, an IRP managed by the CISO can provide a platform to educate staff on security awareness, promote good cyber hygiene, and provide contacts to legal and criminal investigative units both internal and external to the business. I believe that all of these positive outcomes make the case that a mature IRP process provides value to any organization. Incident response is not about technology; it is about business and how the company responds using people, processes, technology, and data to defend that business.
Building Your Incident Response Program
As organizations begin to build their incident response capability, they will want to identify the best strategy for putting an incident response program in place. They will not only want to know what has worked well for others within their industry, but also want some guidance on the process itself and requirements they should follow to establish an effective incident response capability. With that, let us move on to our next discussion: “What are the processes to create an IRP?”
The primary objective of incident response should be to guide the incident response team members in a methodical process to respond to and remediate an incident. Focus this process on managing the cyber event in a methodical manner to reduce its impact on the company, reduce the recovery time for full operations, and minimize the costs to triage the incident. There are numerous questions that the CISO and the company will need to answer as they start the process of establishing an Incident Response Program (IRP).