
    The 5 Pillars That Ensure Practical and Sustainable Incident…

    Welcome to the fourth blog in our information security series where we guide you through five pillars that will ensure a successful incident response programme for your organisation.

    In our experience, organisations tend to over-complicate their approach to incident response. The pitfalls we have come across include creating silos, adopting impractical approaches, and poor or complicated communication with the business (before, during and after an incident), resulting in an ineffective response capability, weak management commitment, and little or no resources or agreed plan to act.

    IT incident response is really simple if you approach it clinically. It is about:

    Restoring normal business operations that depend on Information Systems disrupted by an incident, as quickly as possible and with minimal impact to the business, and preventing similar incidents from having a significant impact on the business in the future.

    1. Gain executive support

    You need a simple and effective communication plan to make the executive aware of the overall risk, impact and likelihood of incidents occurring to the Information Systems of the business. Achieve awareness by using strategic language and a manner that is appropriate and relative to an executive. Use language such as AETs, SIEMs, CSIRTS etc. and you will have lost them. However, expressing the impact of downtime of your e-commerce channel in €XX,000’s per hour with an externally validated high likelihood of a sustained outage as a result of significant underinvestment in securing this channel will get their attention.

    What you want from the executive is a mandate for your plan to address those risks proactively and reactively. You also want one or more executive sponsors permanently attached for the sustainability and operation of your incident response plan, as well as your overall Information Security Management System. In our experience, Business Continuity Programmes and Disaster Recovery programmes are terms and concepts that executives are more than aware of at a business governance level. Therefore they typically gain easier acceptance and sponsorship.
    IT and IT security often miss an opportunity to “Trojan horse” the broader set of security risks/incidents and incident response under BCP or DRP umbrellas (and budgets) by being too narrowly focused on “disaster” scenarios only, rather than including all important information security incidents that have the potential to significantly impact the business.

    2. Defined and agreed objectives and scope

    Organisations that have mature Incident Response capabilities typically have crystal clear objectives for their response plan and understand the scope of the systems and processes that need to be managed under the plan. They can also articulate relevant objectives to all levels of the business in a compelling fashion.

    3. Documented, communicated, workable process and plan

    Your organisation’s Incident Response process and plan should be well documented and communicated. It should be backed by simple policy and procedures and cover all of the following major phases of incident response, which we detail below.

    Communication Phase

    This is not so much a distinct phase as a critical requirement throughout all phases, including prior to the incident. An effective communication plan tells the right people when things are normal and when they are not. It tells the right people the right amount of information at the right time. A good plan won’t over-dramatise events, as this risks “crying wolf” syndrome. It should also tell people what is needed, or what they need to do, at key points in time, and it should follow up and close the loop. Communication should orchestrate the plan while an incident is occurring.
    Information Security should take its lead from other compliance roles, such as health and safety. Your Incident Response communication plan should also communicate the effectiveness of your prevention/deterrence actions by outlining how long you have been without a significant Information Security incident. That way information security and your Incident Response plan stay on the agenda all the time!

    Detection Phase

    Review your detection mechanisms to ensure that you are minimising your exposure time and that the incident is real, i.e. not a false positive.

    Assessment & Triage Phase

    Figure out what is going on and determine immediate actions to try to achieve your objectives. Remember the typical goal is to restore services in the shortest time with minimal impact. There may be a low-risk quick fix that achieves this without waiting to follow the subsequent phases. However, the Hippocratic oath is relevant in this context: whatever you do, “first do no harm”.
    This phase might also need some level of detailed forensic investigation to try to pinpoint the source and impact of the problem, and possibly to preserve evidence for legal, civil or compliance litigation purposes.

    Mitigation Phase

    Once you have a fuller picture of what is happening, work to put in place a sustainable solution to address the problem. Speed is typically of the essence to minimise impact so you may need a phased plan for short and longer term mitigation.

    Recovery Phase

    Recovery is the execution of the process to restore BAU, business as usual, enabled by the mitigation.

    After Action Review Phase

    Continuous improvement means that once you have learned key lessons from the incident, the organisation takes the lessons on board and puts in place the necessary systems, resources and processes to prevent similar incidents occurring or having impact in the future.
    CISOs or CIOs can usually make the “unanticipated incident” justification for significant events once, or maybe twice, in their careers within an organisation. Organisations and their IT functions have traditionally been shy about sharing the fact that they have had a security incident, whether within the organisation or with affected parties. As part of “changing the conversation”, wouldn’t it be really refreshing to get an email from your service provider along the following lines:

    “Dear valued customer,
    Today we had a sustained outage of over 2 hours resulting from a denial of service attack originating from a compromised set of computers in data centres in Asia, targeting our online store. From our investigations none of your data was compromised during the incident as the result of strong security measures that we have put in place since our inception. Since the denial of service attack, we have further revised our other perimeter security solutions and we have put in a best of breed DDoS service.
    Though similar and other attempted attacks are continuing, our service is back to near normal. We will continue to work with our ISPs and local and regional law enforcement to ensure the continued protection of your data in any future security incident.”

    I would trust and value that level of honesty from my internal or external service provider far more than sustained silence or a one line notification of an outage with an apology.

    Pillars 4 and 5

    We’ll leave you with that wealth of information this week. Next week, we bring you the final two pillars that will ensure practical and sustainable incident response. In the meantime, follow our posts on Twitter and LinkedIn to keep up to date with information security.


    What An Incident Security Plan Could Mean For Your…

    Welcome to our third blog in this short series, which takes a look at the varying costs of security incidents, which depend on the strength of the response put into place. Well documented research and evidence from reputable organisations such as Ponemon points to the all-in cost per record of a data breach/data loss incident – ranging up to €160 per record per incident – for organisations that don’t have a well documented and rehearsed security incident response plan.

    Bringing Down The Cost

    Organisations that invest in well-developed and rehearsed security response plans prior to the loss or breach can potentially bring those costs down to an average of €13 per record breached or lost.
    So the range of costs for, say, a 20,000 record breach would be €3.2M for a company with an immature incident response plan to €260,000 for an organisation with a mature incident response plan. Both sets of costs are significant; however, it is up to 20 times more expensive for the same scale of breach for organisations with an immature incident handling process.

    In Our Experience…

    Our experience of helping customers to respond to such incidents backs up this research. Responding to incidents where an organisation is not prepared is typically a car crash scenario. Unplanned reactions in a lot of cases aggravate the incident at both a technical and a business level. How many clumsy media statements have we seen from organisations undergoing an incident?
    Anxious to respond to the media pressure of the initial incident, they later have to row back with press releases and customer communications, confirming that they don’t know the basics of what, how, how many, who, when or for how long.

    Helpful Response Plans

    Helping organisations who have a thorough, documented, rehearsed and maintained incident response plan is different. The incident still happens, but the organisation goes through the phases of incident response in a structured and well executed manner.
    People throughout the business understand their roles and responsibilities. Communication channels are clear. External agencies and suppliers are identified and notified. Legislative responsibility is understood. These organisations typically minimise their exposure time, minimise the likelihood of aggravating actions, minimise data loss, and restore normal service and business faster.
    They also usually preserve or maintain digital evidence so the event can be investigated properly, and prosecutions (civil, criminal or other) can be brought successfully if required.

    Competence Intact

    Most importantly, despite a potentially damaging event, the organisation appears competent, thus reassuring its customers and partners, and stands a better chance of surviving the incident and improving its security processes in the future.

    Next Week…

    We talk you through what your Incident Response plan should include and how best to maintain it.


    What It Takes To Really Protect Your Data


    As security professionals, we understand and focus on proactive and reactive security measures and technologies, concentrating the majority of our efforts on trying to prevent and detect incidents. We understand and are comfortable with prevention technologies such as firewalls, perimeter gateways, endpoint protections technologies, DLP and IPS systems.

    Familiar Focus

    We are familiar with auditing and testing the environments, writing policies and training users. We then tend to focus our next effort on detection solutions such as IDS, Quarantine/AET/APT and SIEM systems.
    Psychologically these detection solutions are less appealing to us, as they are an explicit acknowledgement that our prevention strategy will most likely fail. Nonetheless we are keen to detect in order to reduce our exposure time and minimise the impact of breaches. All of these solutions and services may be perfectly valid, appropriate and justifiable to help reduce the impact of likely security incidents as part of a structured Information Security Management System.

    Response

    The area that tends to receive least focus is “the respond” piece. Organisations develop and rehearse Disaster Recovery plans either on their own or as part of business continuity plans because financial auditors and insurers mandate it. Organisations tend to leave their respond efforts there – compliance box ticked.

    Disaster recovery response is planned for one specific scenario or a set of specific security incidents. There are lots of other security incidents, such as data breach or data leakage, malware or ransomware outbreak, and loss of critical service incidents (accidental or DoS/DDoS), that might not require or invoke any disaster recovery protocols. They still warrant a carefully documented and rehearsed IT and business-wide response.

    Next time…

    In our next blog, we use our specialist security knowledge to tell you the importance of a thorough, reliable incident security plan.


    Change The Conversation From “If” to “When” And Save…

    Information Security: Protecting Your Future
    Welcome to our four-part series on information security in business. We discuss security risks, managing an incident and preventing serious damage to your organisation while keeping your competence intact.
    Using our extensive experience, we show you potential savings that come with a thorough security incident plan. We will also let you know what your Incident Response plan should consider and how best to maintain it.
    Across each blog, we use our significant security expertise to guide you in making the best decisions when it comes to protecting your organisation.

    Part 1: Change The Conversation From “If” to “When” And Save Your Business Significant Costs

    Welcome to our first information security blog. Since the onset of information security wisdom, the conventional conversation between most of the information security roles I know and their business has been varying versions of the following theme – “Give me some of the IT and risk management budgets so I can buy differing sets of information security technology and services to prevent a security incident from seriously hurting our business”.

    Budget and Expectations

    Statistics point to the outcome of that conversation resulting in organisations allocating between 3% – 8% of their IT budgets specifically to Information Security. My experience is that the typical C level comprehension of this conversation is that this spend should provide a near bulletproof fortress for their organisation’s Information Systems and data. Unsurprisingly, when a significant security incident then occurs, my experience is that the C level reaction ranges from disbelief, indignation and denial to, in some cases, scapegoating of IT recipients for wasteful or ineffective spend of this budget. In fairness to C level, they are not entirely to blame for these mismatched expectations.

    Plain English

    When is the last time, as an Information Security professional, you have sat down with C level colleagues (during the limited windows of time you have their attention) and said in plain English – “I need a minimum of 6% of the IT budget to appropriately address our identified Information Security risks for the coming year. Just so we are clear, neither this budget – nor indeed any amount of budget, technology or services – will prevent one or more significant Information Security incidents happening to our business in the short to medium term.”

    From “If” To “When”

    If we shift the conversation with the executive in our business from a vague “if it happens” to a direct “when it happens” in plain English, then there can be no ambiguity. Statistics back up this “when” assertion. 43% of respondents to a Ponemon 2014 study indicated that their organisations had a data breach within the last 12 months, up from 33% in 2013.

    Significant Security Incidents

    A data breach is just one form of significant security incident; other events such as significant critical service outages (accidental or deliberate), significant malware outbreaks and data loss (non-disclosure) are not included in these figures. Statistics from the UK Department for Business Innovation and Skills show that when all major security incidents are counted, upwards of 81% of large businesses had a security breach in 2014. This is not a comfortable admission for an information security professional, nor is it an admission that an executive necessarily wants to hear. It’s easier to pretend that all is and will be okay and that our spend and efforts will ward off all information security ills.

    Justifying The Budget

    So how do we now justify the information security budget and our roles in light of the fact that we most likely can’t prevent a significant breach happening? Well, you finish the last conversation with the business executive along the following lines:

    “and when I get that budget we will spend it on a mix of proactive and reactive security measures, technologies and services. This will prevent, detect, mitigate and respond to information security incidents when they happen on a prioritised basis in discussion and agreement with the business, our partners, our customers and our insurers.”

    Our next blog instalment

    We take a look at types of security incidents and what it takes to protect your data.