In a survey by training company QA:
- 81% of UK IT decision makers revealed they had experienced some sort of data or cybersecurity breach in 2015.
- 66% said that the breach had led to a loss of data,
- 45% said that it had resulted in a loss of revenue, and
- 42% said that it had resulted in a PR nightmare for the business.
But, only 57% of IT bosses at breached firms said incidents had resulted in a change of policy and procedure.
Our adversaries are smart, well-funded and agile. But we, all too often, are not. Or, as Frode Hommedal put it:
“We have more or less always had soldiers, spies, rebels and criminals. None of these things are new. Yet we seem to have been caught completely off guard when we – after having invented computers, decided to connect every single one of them to the same network, digitized every piece of information and every service, and then stuck it all onto said interconnected computers — discovered that all those people adopted new technology really well and very quickly.
The result? We have opened the gates and brought back raiding and pillaging at a level not seen for a long, long time, at least in large parts of the world.”
Few, even allowing for all of the FUD and vendor hyperbole, can argue with the scale of that risk.
Data Breach Grief
In a recent Brakeing Down Security podcast about incident management, a key theme was the criticality of great communications. From a GRC perspective I could not agree more. So many valuable insights gained during incident exercises and real events are never recorded, translated, and fed back into policy, risk and strategy.
In the interview Mick Douglas (DFIR instructor at SANS) and Jarrod Frates (pentester at InGuardians) take a straightforward look at how that works (or doesn’t) in the context of digital forensics and blue/red team activities. More on that later, but part of it pointed out the eerily close comparison between current breach response and the familiar stages of grief.
It’s something that has been pointed out many times before and the graphic is just my personal interpretation.
When it was shared on Twitter, @TimelessP suggested adding canaries and honeypots as supplements, which led to cautions about hacking back without proper cause, consideration and authorisation. That’s a long ethical and effectiveness debate all of its own, but the overwhelming current in the industry is towards more proactive defence.
So the problem is tiringly familiar, as (to some extent) is the solution, but what about motivation for businesses to invest in improvements, and what does incident management maturity look like?
Motivation to make changes
One thing heightening focus on incident response (apart from the dramatic increase in high-profile breaches) is all the cybersecurity legislation moving towards mandatory incident/breach notification. The most high profile existing notification requirements are probably those for the health sector under HIPAA regulations.
Now (watched closely by Safe Harbor-less US service providers, and any other firm responsible for more than a handful of personal data) we have meaty comparable plans delivered with the new EU Data Protection regulations, which go on the statute books in 2016 with a planned enforcement date in 2018.
Beyond that there are loud noises from Cyber insurers about enforcing, as yet undefined, good security practices. You can guarantee incident management will be a key focal point. The fallout for falling short? High(er) premiums and waving goodbye to a payout if post breach investigations turn up practices that don’t meet their adequacy benchmarks.
Then, for financially regulated firms, there are the rating agencies. First, in September, Standard & Poor’s, then, in November, Moody’s announced plans to proactively downgrade the credit ratings of companies found to have poor cybersecurity controls (acceptable standards are again yet to be defined, but high-level proposals are heavy on incident management ‘best practice’).
All adding up to a bit of a strategic security priority perfect storm.
The CSIRT Janitor Dilemma
Even in firms that have invested in incident response capability, too many experts are relegated to the role of ‘SOC hamster’, engaged in a never-ending cycle of security Whack-A-Mole and disappearing down raw data rabbit holes.
Compliance benchmarks (when someone settles on them) will only be of limited use. There are many breached firms that have arguably met the letter of security law and regulation, but ignored the fact that benchmarks, by definition, are not tailored to the risk profile of their specific business.
A far more meaningful way to examine incident response capability is in terms of maturity and tested effectiveness in your local risk context.
Most companies take over six months to detect data breaches – ZDNet, by Charlie Osborne, May 19, 2015
A couple of weeks ago, in search of that maturity view, I talked at length to Frode Hommedal (CERT – Computer Emergency Readiness Team – lead at Telenor, Norway’s leading telecoms provider, and veteran of 7 years in Norway’s national CERT), who wholeheartedly agrees. He walked me through this slide deck. A deck he recently presented to specialist peers, one of whom, a former head of the UK’s government CERT, declared it the best thing he had seen in years.
At the core of his model, beyond SIEM output, threat intel, forensics and plugging obvious holes to mitigate immediate incident impact, there’s the communication stack (with permission I’ve taken screenshots of the presentation, so please excuse resolution and darkness).
It represents a model for exchanging meaningful information with technical and non-technical incident stakeholders: moving beyond incident response to more effective investigation, plus, crucially (if you are at all interested in moving beyond reactive security), translating findings into lessons and risk insights to guide future strategy and IT/security practice.
These are fundamental feedback loops that are frequently missing or very, very broken, as indicated by firms suffering from repeat incidents. Such incidents are often enabled by known vulnerabilities, identified before or after the first breach, and still, when the second hits, waiting to be fixed (see the Sony, OPM and TalkTalk breaches for details).
Big contributory factors (Frode persuasively argues): missing tools, skills and processes needed to bridge existing communication and response gaps (especially in the tactical analysis and risk assessment space); a need to speed effective response (in Frode’s model, tightening the OODA Loop – Observe, Orient, Decide, Act); and our slow evolution towards more proactive defense (e.g. red teaming, purple teaming, advanced detection capabilities, asset mapping, smart network segmentation, honeypotting, adversary profiling and, more generally, translating data into risk-relevant information).
That, and Frode’s evolution of the work in progress model, will get a post of its own when I have time to do it justice.
Back to practicalities:
In advance of that, and leaving the flippant fun behind, there are many, many existing resources to help you raise your incident management capability and improve practical implementation. A few are listed below.
- ENISA EU – Actionable Information For Incident Response
- ENISA EU – Good Practice Guide For Incident Management
- CERT – Full range of incident management publications
- National Institute of Standards and Technology (NIST) – NIST SP 800-61 Rev 2 Computer Security Incident Handling Guide, 2012
- International Standards Organization – ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management, 2011
- SANS Institute – The Incident Handler’s Handbook, 2011
- ISACA – Incident Management and Response, 2012
So, given the unavoidable legal/regulatory drivers, evolving threat landscape and undeniable benefits of doing better, isn’t it time to take a long hard look at your incident management capability and what’s needed to make it fit for purpose to tackle our new cyber realities?