Incident Response – a CISO’s Best Friend – Hayslip

I want to set the stage for us. In the early morning hours, as the CISO for a global software company, you are awakened from a deep sleep by the chirping of an emergency number on your smartphone. As you proceed to talk in hushed whispers, you are informed by your managed security services provider (MSSP) that their SOC analysts are reporting an anomalous incident in your organization’s primary data center.

The MSSP used the incident response communications tree and contacted the company network team and security liaison staff, who are now reporting they see suspicious network traffic and upon investigation have found evidence of a malware outbreak in several production servers. As you wake up and shift into troubleshooting mode, you receive more troubling information. This issue doesn’t affect just a couple of servers but has manifested itself as ransomware on critical production databases. With this information, as the CISO, it’s time to transition into your role as the Incident Response Team Manager and begin the activation of the company’s Security Incident Response Plan.

Cybersecurity leaders today know their roles have matured and they must align their departments and security programs to the business and support its strategic goals to be successful. However, one area many organizations and CISOs still need assistance with is incident response. In 2016, SANS surveyed 591 security professionals about the state of incident response in their organizations (Bromiley 2016). There was some good news – 76% of those security professionals had dedicated internal IR teams, an increase from the SANS 2015 survey.

However, there is still much work to be done. Approximately 21% said that their time to detect malware in their networks, or “dwell time,” was two to seven days, while 40% indicated that they could detect an incident in less than one day. Some other bleak statistics: malware remains the underlying cause of most reported breaches, at 69%, with unauthorized access seen as a rising menace due to attackers taking advantage of weak, outdated remote access and authentication mechanisms. This report noted that 65% of the security professionals surveyed were still dealing with a shortage of skilled personnel, and only 58% of organizations admit to regularly reviewing and updating their IR processes.

The report demonstrates that incident response, as a program, is in a state of change in organizations today and when there is a security incident, many lack the ability to lead a coordinated response to the event. I am sure there are reasons why organizations do not have formal incident response policies or documented incident response methodologies. Some companies focus on purchasing technology in the belief that when an event occurs, the purchased hardware and software will save the day. Unfortunately, they are missing a critical point – incident response isn’t about technology, it is really about business.

It’s About the Business

At its core, incident response is about an organization’s strategy and business processes, it is tactical and will incorporate stakeholders from many departments within the company as well as external partners. Incident response is an action plan for dealing with incidents like internal and external intrusions, cybercrime, disclosure of sensitive information, or denial-of-service attacks. In typical organizations, the CISO is tasked with developing the Incident Response Plan and managing the Incident Response Team. This is why the questions we will discuss focus on the business value of your incident response, the processes to follow for an effective program, and how the CISO can measure the effectiveness of their IR program.

Cybercriminals are successfully targeting and compromising businesses of every size across all industry sectors. This ongoing digital onslaught demonstrates the need for organizations to be prepared to respond to the inevitable data breach. They should guide their response with a methodical plan designed to manage a cybersecurity incident with the goals of limiting impact to business operations, increasing the confidence of external stakeholders, and reducing recovery time and incident remediation costs. These goals mean that organizations need to require their CISOs to create an incident response program tailored to the company’s strategic operations.

However, many organizations lose sight of their incident response program’s strategic value. Instead, incident response documentation describing how to act in the event of a breach is forgotten and soon out of date. The documentation quickly becomes ineffective for key decision makers; too generic, and unhelpful for making critical, informed decisions. I, therefore, chose the first question for our discussion to be about the business value of an incident response program. As CISO, there will be times when you will need to defend the resources needed for the incident response program, and you will need to be able to describe several business cases that demonstrate the value it brings to the company and its operations.

This leads us to our first question: “What is the business value of an Incident Response Program (IRP)?”

Cybersecurity incidents are on the rise and now frequently headline news around the world. Many of the recent attacks have brought severe damage to organizations of all types, including governments and international nonprofits. An organization with a mature incident response program would have a methodical course of action for responding to these attacks in a fast, effective, and comprehensive manner. However, many organizations do not see incident response as a mature process. Instead, they see it as a collection of disjointed practices and procedures, thus they prefer to contract it out to third parties.

How Incident Response Adds Value

To address this…

Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.