[BreachExchange] CISOs, does your incident response plan cover all the bases?

Destry Winant destry at riskbasedsecurity.com
Mon Nov 4 10:12:58 EST 2019


https://searchsecurity.techtarget.com/opinion/CISOs-does-your-incident-response-plan-cover-all-the-bases

Security incidents are a reality you face as a CISO. There's just no
way around it. You say you're up for the task, but are you truly ready
for things to go sideways? When the going gets rough (and it can get
pretty darned rough in the middle of a big incident!), do you know
what you're going to do -- your first step, your second step and so
on? Will you know where to turn, who to call on and how to lead the
charge? Incidents are complicated, but given the threats and
vulnerabilities your business faces, they're not uncommon. How things
shake out is up to you.

We've all experienced moments that are life-changing. Your job as an
information security leader is to ensure these moments are not
security incidents and breaches.

I recall hearing Dr. Phil McGraw say something many years ago that
really stuck with me in terms of security and incident response. It
was about parents involving their children in adult issues. Dr. Phil
said that you shouldn't pull your kids into grown-up conversations and
situations associated with marriage, money, health and the like. Since
children look up to their parents to see if all is well with the
world, pulling them into complicated issues that they cannot solve
only serves to harm their young minds. Being a parent myself, children
really do look up to you to see how you're going to handle those
difficult situations that crop up on a seemingly daily basis. And the
older they get, the more they watch.

This is where security and incident response come in.

You see, a security incident will be your testing time. And everyone's
going to be watching: board members and executive management, your
peers and your subordinates. Lots of people will be looking to you,
the CISO, to solve the problem that lies before you. Not that this is
a bad thing. Well, it can be a bad thing if you set it up that way.

Have you truly stopped to ask yourself: What is your biggest concern
regarding security incidents? Have you pondered what the greatest
weakness is in your security program and how that might just
facilitate an incident? There's at least one big thing, likely many
things, holding back your incident response efforts. It's up to you to
identify these impediments so that you can get started addressing them
before they bring about an impactful security event.

You probably don't have to look too far. Most incident response
situations are the result of one of three things:

not addressing the simple stuff before the bad guys find it and exploit it;
not preparing, well in advance, for common incident scenarios; and
not taking the time to get the facts and jumping to conclusions once
an incident does occur.

I've found that many people find more perceived value in "proactive"
security controls. It makes sense, but you have to be careful to not
spend money on areas of security that might not need investment. Maybe
you have enough security products and services. Perhaps your security
audits and your vulnerability and penetration testing are about as
good as they're going to get. There's seemingly always room for
improvement in terms of security, but it never seems to come in the
form of incident response initiatives. This is especially true as it
relates to the following:

Inventory: Knowing what's where. From my conversations with technical
staff and business managers, it's clear to me that no one really knows
what information is where, much less how it's at risk.
Visibility: Having enough of it to make quick decisions. Many people
assume they'll be able to quickly review their logs and comb through
the necessary parts of the network once an incident occurs. But
usually there are two problems with this assumption: IT pros don't
know where to start once an event arises, or they don't have the
proper systems and controls in place to get the information necessary
to execute a proper response.
Education: Training team members on their role. This includes what to
look for, what to look past, and how to promptly and properly use
security tools during the investigation process.

We've all experienced moments that are life-changing. Your job as an
information security leader is to ensure these moments are not
experienced at work in the form of security incidents and breaches.
This comes through building day-to-day habits -- how you view and
learn from your internal experiences as well as how you perceive other
people's security incidents and breaches.

When it comes to security incidents, Robert Frost was correct when he
wrote "the best way out is always through." True, but to get through,
you still must be prepared. What's important is how much you've
prepared and how efficiently you can step through the necessary
processes to see it all through.

Inertia is a powerful thing. It can prevent you from getting the
things done that need to be done. Likewise, the desire for immediate
gratification -- chasing down this or that security tool without
focusing on what's important -- is also powerful. As a CISO, the
ultimate goal should be to find your most pressing incident response
gaps and plug the holes as soon as reasonably possible. I'm not
convinced that incidents have to occur. But, when they do, you'd
better be ready.


More information about the BreachExchange mailing list