Incident response will continue to be an important cyber security priority for many organizations in 2018. We took a moment to get some deeper insight into the incident response landscape from Delta Risk Senior Consultant Ryan Clancy.
Here’s part I of our incident response discussion.
Dev: It seems like the tide is shifting and we’re seeing more organizations trying to allocate their resources to incident response, whether through internal or external means. Is that something you’re seeing?
Ryan: I agree, I think there has been a switch to focus more on incident response because you’re getting the most bang for your buck. You can buy a hundred different tools to do a hundred different things but there are ways for the bad guys to navigate around those tools. They’re going to find a way to get inside somehow.
As a defender, you need to be right all the time; an adversary only needs to be right once. The odds are against you as a defender. Therefore, the odds are you will have a cyber security incident at some point. That’s going to affect the functionality of your business, the confidentiality, integrity, or availability (CIA) of your information, and the recoverability of your data and business processes. Reputational harm is also another area of concern, although the impact will vary depending on your business.
For every dollar you devote to incident response, you invest in people, processes, and technology to not only resolve an incident but to improve your steady-state security capabilities. It’s like buying a jet ski that you will use for fun, but you’ll also be riding it to work. By the way, if you are looking for any last-minute gift ideas, I’d like a jet ski.
Dev: How are organizations devoting their resources to handle incident response? Are managed security services a good option? Is there a split between handling incident response externally and internally?
Ryan: That’s a good question – the answer really depends on industry, customer size, and geography. Some geographic regions have a harder time finding cyber security talent versus others, so they might need to outsource their requirements. The answer may not hit you like a D battery in the face so, I encourage you to round up your staff, risk managers, and even an outside consultant to help you figure out what solution would work best. The solution can be everything from building your own SOC to outsourcing to an MSSP – or some combination of options. “Doing nothing” should be on the table as well, though even if you have a high-risk tolerance, I think this solution will be untenable.
Dev: Are organizations properly budgeting for incident response? How do budget needs impact incident response effectiveness?
Ryan: If we’re talking about a steady-state plan for incident response, I’ve seen the residuals of higher budgets. For instance, I’ve seen higher investments made in people and technology. People and technology can be tradeoffs. Sometimes you can find a technology to substitute for a person, but it’s not always a one-to-one substitution.
Sometimes I’ve seen imbalances between people and technology, where there are organizations that have enough technology to sink a cruise ship but not enough knowledgeable people to operate that technology. Given the shortage of cyber security professionals, there has been more demand for technology to fill that gap, so we are seeing smarter technology with more automation.
That pressure has been good and bad. It’s been good because this technology is generally being put to use, but it’s been bad because there are a lot of dollars chasing after these products. The products don’t have to be great, but people will still buy it.
Dev: What are some of the common questions you get from clients about incident response?
Ryan: First off, who should be involved? That’s always a common question. Who should be involved and when? Those two questions are number one and number two on the list. There’s no standard answer. I have to find out more about what the organization does and identify the key players. Those key players need to be identified across all operational networks.
For instance, some companies have a factory enclave network or administrative networks – typically, those are separated. If you work for energy production or water production, the industrial control system (ICS) will absolutely be separated. You need all of those players together when considering an incident response plan. When an incident happens in one network, the other network needs to be alerted and perhaps even respond. Additionally, having non-technical stakeholders such as public affairs and human resources involved is critical.
Another big question I get: “When do I involve the police department and law enforcement?” If you foresee pressing charges in the future or if you want to collect evidence to press charges, they should be involved. Usually your legal advisor will make that decision, so get your legal advisor involved early to help you determine whether you should collect evidence and press charges.
Collecting evidence takes time and slows down your response process. It takes time and resources because you need to collect the evidence in a forensically sound way and preserve it using chain of custody practices. Those steps aren’t free, cheap, or easy. It can be an additional burden to resolve an incident.
Dev: Depending on the type of incident a business is facing, it sounds like there can be a lot of people involved and that can complicate the process of remediation.
Ryan: There’s a sweet spot of people who should be brought into the incident response process. Should you include only your technical staff? No. Should you involve everyone? No. Both ends of the spectrum are wrong. I’ve worked with companies who want to drag in everyone and their hairdresser and psychic the second an SQL inject is detected. In contrast, I’ve seen other companies that have failed to include their HR department even when an incident involved an inside employee.
Also, it’s going to depend on what’s going on with the incident. For example, a lot of companies have cyber insurance. I highly recommend having your cyber liaison involved earlier rather than later. Notification to your insurance provider is a critical metric – they aren’t going to start covering your expenses until you notify them, even retroactively. Recently I’ve noticed some policies will cover retroactive incidents. I just read a policy a month ago that covered retroactive incidents up to 10 years in the past. I was really surprised to see that – I knew they were out there, but that was the first time I saw it in the wild.
Dev: What are some of the common mistakes you’ve seen?
Ryan: I can tell you the most common mistake I’ve seen, which is not communicating with internal staff when there is a cyber security incident. Most organizations are composed of people, and people want to talk. That’ll foster an environment where rumors spread. To squelch those rumors upfront, don’t simply tell employees to stay quiet. That won’t be feasible. I recommend telling employees whatever truth you have at the time. You will have performed an investigation by this point; let your staff know as much as you can while you’re still figuring out all the facts. Make employees feel a part of what is going on and make them aware of how they can help.
I not only recommend being transparent with your internal staff, but also providing them with talking points to answer questions from the press. If the press finds out about the incident, they’re not going to want to talk to public relations outside of your building – they’ll want to talk to the people leaving the building after work. Maybe that talking point is “no comment,” but you need to reinforce that point. This just takes the tension off of everyone when reporters swamp your parking lot.
Stay tuned for Part II of our Q&A with Ryan, as we explore his thoughts on incident response playbooks and key trends he sees for 2018 and beyond.