Incident Response Strategy: Determining Where to Invest
It can be hard to plan for a security incident if you’ve never experienced one first hand. Incidents involve unauthorized access, denial of service, presence of malicious logic, and improper usage. As an incident responder, I’ve seen plenty of these situations play out.
I was fortunate earlier this year to share some of my experiences and lessons with the top-notch professionals attending the LegalCIO conference in New York, where we hosted a round table covering “Is Your Organization Prepared for a Cyber Attack? Key Takeaways from Real-Life Incidents.” The discussion focused on lessons learned from real-world scenarios, and whether the attendees were truly prepared for a cyber-attack.
This conversation led participants to start talking about how effectively they were allocating their security budgets, and whether those investments would pay off during an incident.
How Do You Know You’re Investing in the Right Security Measures?
If you’re making investments in cyber security, your organization has the foresight and initiative to protect your most critical assets. That’s the good news. Unfortunately, knowing where to direct those funds so you’re investing in the most effective security tools and processes can be a challenge all on its own. Making poor investment choices can leave you vulnerable and can lull you into a state-of-mind that everything is going great when it’s not.
First, make sure you’re devoting those cyber security dollars to the areas of highest business risk. This means reviewing how your business depends on your network, systems, and cloud environments.
Next, determine which cyber-related threats could endanger those systems. You’ll need to go through some “what-if” nightmare scenarios and ensure that you have the capabilities in place to prevent, detect, and respond to those threats. What does an incident involving that system or data look like, and are you equipped to handle it?
Lastly, like any other business goal, your investment should cover three areas of focus: people, process, and technology. Assess your organization’s security program across these dimensions and invest in areas where you’re weakest.
Among organizations with any security investment at all, I commonly see heavy investments in technologies that are being poorly implemented because of lack of trained people that don’t have any good processes.
How Do You Know You’re Getting What You Expected from the Investment?
Continually assess the capabilities of your security team to make sure that you’re getting what. It is especially dangerous to assume that the recurring fee you’re paying to some IT or MSSP vendor covers all your cyber security needs.
I’ve seen too many instances where a vendor claimed to provide “security monitoring” and yet they could not provide something as simple as firewall or authentication logs during an incident. I’ve also seen places where the IT administrator was expected to deal with incident response tasks they were ill-equipped to perform.
Whether your cyber security team is internal or outsourced, this much is the same: assess, assess, assess! There’s a dizzying array of options: penetration tests, vulnerability assessments, audits, compromise assessments, functional exercises, table-top exercises, but they all serve a purpose, and can all be tweaked for exactly what you’re trying to evaluate.
For example, if you’re concerned that your security provider won’t measure up when you have an incident, then conduct a “silent” penetration test. Have a red team safely generate the incident scenario that you’re concerned about.
Your security team may or may not detect the incident, but that’s not the whole story — even the best defenders can be blind to a good offensive team. Instead of stopping there, keep the scenario going and see if they’re able to give you the answers and support you expect when things start getting chaotic.