Top 5 Tips for effective Incident Response

What is an incident response plan?

An Incident response plan is systemic, documented, communicated and ideally rehearsed approach to prepare for, detect, contain and recover from suspected Information or Cyber security breaches

So from Ward Solution experience in a wide variety of sectors these are our top 5 tips to putting in place an effective incident response plan:

1. Cyber Incident Response is a whole of business issue – A cyber event usually impacts significant parts of or whole of business. Organisations that relegate cyber incidents to being a technical issue to be dealt with by IT or the CISO risk a rude awakening and a very ineffective and costly impact to the organisation. Business needs to treat cyber risk and cyber incidents as a potentially critical whole of business risk and devote the necessary focus, resources and time to risk assessing, mitigation planning and incident planning and rehearsing. The IR team needs a reflective set of business and technical resources empowered to make decisions and take the necessary actions to manage the incident. When an incident occurs the business needs to react in a coherent, orderly, structured uninhibited way that can only occur when the entire business is highly familiar with their roles, responsibilities, processes, obligations and tools that comes from a well thought out, documented and rehearsed incident response plan.

2. A pint of sweat is worth a gallon of blood.  This is a maxim attributed to General George S. Patton, one of the most effective Word Ward II Generals. Putting in place proactive incident response plans and rehearsing them across the business via table top exercises, red or purple teaming exercises seems like unnecessary sweat and toil from the calm collected vantage point of business as usual environments. Trying to invent and operate incident response roles, processes and playbooks in the middle of a real life critical incident is a sure-fire way to cost the organisation a lot of money, customers and often threatens businesses viability or survival. Putting these planning and rehearsal activities on the long finger or short changing them usually means that an incident creeps up on an organisation before they are ready or when they are complacent that they have the processes in place when they actually lack the robustness that is required.

3. Make sure the incident response plan is systemic . Ensure that you use a recognised, best practice incident response lifecycle of the following typical stages:

• Preparation – prepare the plan in advance, identifying roles, responsibilities, processes, procedures, escalation matrices, resources including service providers and partners
• Prevention – put in place preventative measures to either prevent an incident occurring in the first place or minimise the impact of an incident once it occurs
• Detection – put in place measure to detect as early as possible indicators of an incident or the actual incident occurring – in order to minimise recovery time and shorten exposure time of the organisation to the incident
• Analysis – put in place the tools, resources, services to analyse incidents and offences to determine if real or simply false positives. Once an incident occurs have the tools and capabilities to determine what has/is happening so that you can respond appropriately.
• Containment – ensure you have the data, tools, resources and skills to contain the incident, preventing it spreading, escalating, inflicting further damage
• Eradication – again ensure you have the data, tools, resources and skills to eradicate the incident. Eradication timelines range from instantaneous to weeks, depending on the nature, scale and complexity of the incident
• Recovery – recover your services, data to normal or as near normal as possible operation
• After action review – review the origin, nature and impact of the incident. Review controls and mitigation to prevent or minimise these incidents reoccurring or the impact reoccurring. Also review how your incident response processes and protocols performed during the incident, using the opportunity continuously improve.

4. Put in place the proper resources, tools and partnerships – you need a rich set of tools and capabilities to be able to respond to and manage the wide range of incidents that may occur whether accidental or deliberate. Most organisations cannot afford the costs or focus to put in place, own and manage all of the specialised skills required. Selective outsourcing and partnership of capability, services, resourcing etc makes sense provided these outsourced or partnered resources or service match the responsiveness that may be required and are backed by service levels etc.

5. Incident response doesn’t end when the incident ends – a lot of focus on incident response is the restoration of normal service as soon as possible. A lot of organisations want to breathe a sigh of relief, sweep up the incident detritus and move on with business as usual. However a structured after action review of the origin, nature, artefacts and outcome of the incident offer an organisation the opportunity to continuously improve their risk register, threat intelligence and their incident handling and response processes.

Top 5 reasons to have an incident response plan

Remote working has been a significant societal and technology trend for the last decade but has been almost fully established by rushed necessity as a result of COVID19. Whilst Remote Working From Home (RWFH) offers significant benefits in terms of flexibility, productivity, business continuity the rush to establish the service and the criticality of the services and infrastructure upon which it depends means that organisations need a comprehensive incident response plan to protect the service, its users, customers and the organisation from any security incidents that might occur.

What is an incident response plan?

An Incident response plan is systemic, documented, communicated and ideally rehearsed approach to prepare for, detect, contain and recover from suspected Information or Cyber security breaches.

Proactive versus Reactive incident response

“A pint of sweat is worth a gallon of blood” – General George S Patton.

Planning, anticipating the threats and risks to your organisation and putting in place mitigation plans in advance is good practice.  Documenting these plans and your incident response protocols is even better. Communicating and rehearsing these plans with relevant stakeholders is best practice. If you rehearse the key members of your organisation and partners they will have “muscle memory” when a real incident occurs. You are not winging it, hoping it will somehow work out due to the brilliance or luck of your team. The cyber security landscape is littered with case studies and youtube videos of how not to manage an incident response. It is fair to say that a lot of the organisations involved did not have best practice incident response planning or protocols in place prior to or during the incidents involved.

So what are the top 5 reasons you should have an incident response plan

1. How an organisation responds to an incident determines the impact and progress of that incident. The Ponemon Institute Cost of a data breach report 2020 cites the average cost to an organisation of a data breach, just one of the many types of cyber security incidents that might occur, at $3.86M globally. The same report identifies that the highest cost saver to an organisation in the event of a data breach was having an Incident response team in place with a tested Incident response plan. This action saved about $2M in overall incident costs for an organisation that has this team and a rehearsed incident response plan in place versus an organisation that doesn’t. In plain English – having an effective incident response team and plan in place saves you significant money, time and collateral damage when an incident occurs.

2. Your customers expect you to have an incident response plan– The Ponemon Institute Cost of Data breach report estimates that lost business as a result of a data breach accounts for 39% of the overall data breach cost to an organisation. A Forbes Insight report found that 46% of organisations had suffered damage to their reputation and brand as a result of a data breach. B2B customers increasingly are doing due diligence, risk and compliance assessments on their supply chain either at on boarding stage or as part of routine supply chain assurance for existing suppliers. Having a mature incident response plan as part of an overall information security management system helps win or retain your customers.

3. Your board and shareholders will expect you to have an incident response plan A severe cyber security breach for a typical FTSE 100 company equates to a market capitalisation loss of on average 1.8% or an average of £120M, according to an economic study from Oxford Economics. Your organisations board and its shareholder obviously expect that an organisation is doing its utmost to protect shareholder value. Financial analysts, venture capital firms and credit rating agencies are factoring in cyber security readiness into the methodologies by which they assess, recommend and score firms. Incident response planning, rehearsal and activation are foundational to any cyber security readiness, operations and cyber maturity assessments. Having a mature incident response plan as part of an overall information security management system helps protects your shareholders and your organisation.

4. Your insurers will expect you to have an incident response plan – Your insurers are one of the ultimate arbiters of risk. Their assessment backed up by industry data is how they decide whether to insure you and how to price your policy. Most B2B insurers now have detailed assessment of your information security and cyber security maturity not just for specific cyber risk policies but also for your general insurance policies. In a lot of cases your level of cyber security maturity are some of the determining factors in whether they will offer your organisation cover, for what occurrences, at what levels and for what price. A key element of that assessment is whether you have appropriate disaster recovery and incident response plans in place as well as assessment of information security incidents that have recently occurred. Having a mature incident response plan as part of an overall information security management system helps you get, retain and utilise economic levels of insurance.

5. Your regulators and auditors expect you to have an incident response plan – very few organisations operate in unregulated environments. Most regulators expect and increasingly mandate that their regulated entities have mature information security systems in place. Financial Auditors have obligations and standards to assess the true performance and financial nature of organisations, including the application and operation of financial risk management and financial controls. A key part of this Information Security Management System (ISMS) will be disaster recovery planning (DRP) and incident response planning (IRP) to safeguard the customers/consumers that these regulated entities service and in numerous cases to ensure ongoing safe service provision to these consumers/customers. Having a mature incident response plan as part of an overall information security management system helps you become more financially secure and compliant with general, industry specific and financial compliance obligations.

Build a Secure Remote Connection Solution for Today’s Business

Many organizations use virtual private networks (VPNs) that function like a tunnel back to the company network, but relying exclusively on a VPN has security risks. Even after the pandemic ends, CISOs are going to need a better strategy for supporting telework because it’s likely that many employees will continue to work remotely at least part of the time. Given the limitations of VPNs and the dynamic and distributed nature of today’s networks, it’s clear that a better solution is needed. Zero-trust network access (ZTNA) is the evolution of VPN remote access. It simplifies secure connectivity, providing seamless access to applications no matter where the user or the application may be located.

The recent rise in remote working has put a spotlight on the limitations of virtual private networks (VPNs). For years, VPNs have been the de facto method of accessing corporate networks, but they have some serious drawbacks, particularly in terms of security.

The biggest issue is that a VPN takes a perimeter-based approach to security. Users connect through the VPN client, but once they’re inside the perimeter they often have broad access to the network, which exposes the network to threats. Every time a device or user is automatically trusted in this way, it places an organization’s data, applications, and intellectual property at risk.

In addition to the issues using a VPN for remote access, network operators are looking for a better way to secure applications. Having some applications on the cloud and some on-premises makes it difficult to deliver a common method of control and enforcement, particularly when some users are on-site and others are remote. Deploying applications to the cloud can expose them to probes from unwanted actors and increases risk.

Going Beyond the VPN
Zero-trust network access (ZTNA) offers a better remote access solution that also addresses concerns related to application access. The term zero trust means exactly what it sounds like. With this security model, the assumption is that no user or device is trustworthy, and no trust is granted for any transaction without first verifying that the user and the device are authorized to have access.

Because ZTNA starts with the idea that location does not grant a level of trust, where a user is working becomes irrelevant. The same zero-trust approach applies no matter where a user or device is physically located. Because any device is considered to be potentially infected and any user is capable of malicious behaviour, the ZTNA access policy reflects that reality.

Unlike a traditional VPN tunnel with unrestricted access, ZTNA grants access per-session to individual
applications and workflows only after a user and/or device has been authenticated. Users are verified and authenticated to ensure they are allowed to access an application before they are granted access. Every device is also checked each time an application is accessed to ensure the device meets the application access policy. Authorization uses a variety of contextual information, including user role, device type, device compliance, location, time, and how a device or user is connecting to the network or resource

With ZTNA in place, once a user has provided appropriate access credentials such as multi-factor authentication and endpoint validation and is connected, they can then be given what is known as least privileged access. The user can access only those applications that they need to efficiently perform their jobs and nothing else.

Access control doesn’t end at the access point. ZTNA operates in terms of identity rather than securing a place in the network, which allows policies to follow applications and other transactions end to end. By establishing greater levels of access control, ZTNA is a more efficient solution for end-users and provides policy enforcement wherever needed.

Although the ZTNA authentication process provides points of authentication, unlike a traditional VPN, it does not specify how that authentication takes place. As new or different authentication solutions are implemented, they can be seamlessly added to the ZTNA strategy. New authentication solutions may do things like help eliminate issues related to weak or stolen passwords and credentials, address challenges due to the inadequate security of some Internet-of-Things (IoT) devices, or add extra levels of verification to access sensitive or confidential information or critical resources.

ZTNA vs. VPN
For users, ZTNA is easier to manage than a VPN. Users no longer have to remember when to use the VPN or go through the process of connecting. There’s also no risk of tunnels accidentally being left open because someone forgot to disconnect. With ZTNA, a user simply clicks the application and immediately gets a secure connection whether the application is on-premises, in a public cloud, or on a private cloud. This tunnel is created on-demand, transparent to the user. Because the network is no longer a zone of trust, the same tunnel is created if the user is on the network or off the network. The encrypted tunnel happens in a transparent manner, providing security in the background.

On the application side, because the user is connecting back to the enforcement point and then proxying that connection to the application, the application can exist on-premises, in a private cloud, or in a public cloud, all while hidden from the internet. The application only needs to establish a connection with the enforcement points, keeping them safe from prying hackers or bots.

ZTNA and the Future
Adopting a zero-trust approach to cybersecurity is a process that touches many systems and may take years for many organizations to fully implement. But addressing remote access is a good first step toward implementing a complete zero-trust solution. As companies transition their approach to remote access, they often have a mix of VPN and ZTNA. Many vendors providing ZTNA services are doing so in conjunction with SASE services. This service-initiated approach makes it easy to control cloud applications access from cloud security, but it can incur expensive SASE charges and maybe limited in the types of applications it can support.

Building a complete zero-trust network access solution requires a variety of components: a client, a proxy, authentication, and security. Often these solutions are provided by different vendors and the components often run on different operating systems and use different consoles for management and configuration, so establishing a zero-trust model across vendors can be difficult or impossible.

By selecting integrated and automated tools, CISOs can overcome the key challenges of implementing ZTNA. Using an integrated firewall-based and SASE approach, they can employ ZTNA capabilities with simplified management using the same adaptive, application access policy whether users are on or off the network. ZTNA can be applied to remote users, home offices, and other locations such as retail stores by offering controlled remote access to applications that is easier and faster to initiate while providing a more granular set of security protections than traditional legacy VPN

Secure Remote Access With ZTNA
With the increase in remote work, the limitations of traditional VPNs have become clear. The more people move  and work from anywhere, the less secure a traditional perimeter-based approach becomes. Every time a device or user is automatically trusted, it places the organization’s data, applications, and intellectual property at risk. ZTNA solutions are a better way to secure remote access than traditional VPNs and also improve controls around application access.

*In partnership with Fortinet

1 Kim Parker, et al., “How the Coronavirus Outbreak Has – and Hasn’t – Changed the Way Americans Work,” Pew Research Center, December 9, 2020.
2 Mike Wronski, “Since Remote Work Isn’t Going Away, Security Should Be the Focus,” Dark Reading, September 24, 2020.
3 “2019 Zero Trust Adoption Report,” Cybersecurity Insiders, November 2019.

Top 5 Tips for sustaining your remote risk assessment…

Organisations are subject to ongoing risk, whether from their remote working systems or process, from the implementation of new systems such as a cloud based ERP, to changing business or economic environments, e.g. the risks associated with COVID19

Risk Management is a system and process that requires continuous application and needs sustainable practices in order to be continuously effective. From Ward Solutions 20 years’ experience helping organisations manage their information risk, these are the top 5 tips that help us help our clients to sustain their risk management programs

So what are the top 5 tips to sustain your remote working risk management program

1. Treat this remote working risk assessment as a small part of a larger journey not a destination – A one off risk assessment and remediation project is of very limited value. You need to position your remote working risk assessment as one part of a bigger and more comprehensive, continuous risk management program and process. Risk Management is a continuous process of assessing risks, tracking and managing your remediation program(s), verifying your controls are in place and working, reassessing already identified risks, looking for new risks, fixing noncompliance, performing after action reviews to incident. Keep your risk register alive, up to date, and accessible.
2. Embed Remote Working Risk assessment into your overall Risk Management system and onwards into your SSDLC – Your remote working risk assessment and risk management exercise is just one part of and needs to fit into an overall organisation risk management system. Whatever systems development model you use Waterfall, Agile, DevOps etc. – you need to embed risk assessment and risk management into this lifecycle. Conceptualise that you have an SSDLC Secure Systems Development Lifecycle – Sec Dev Ops. Embed risk and security management activities and process into every stage appropriately – secure design at the design stage, security and risk management requirements at your requirements stage etc. Follow your standard ISMS lifecycle of Plan Do Check Act (PDCA).
3. Communicate, communicate, communicate – really strong and proactive communication of your risk management program is key to sustaining momentum and buy-in to your risk management program. Tailoring the message and the relevant parts of the risk program to relevant audiences is also key. You will have a different and higher level message for your executive and a more specific and perhaps operational message for e.g. your grass roots remote worker teams. Even within those teams you might have a different ask or update for remote sales teams vs remote finance or customer support teams. Formatting the message to successful remediation’s, progress, wins areas for continuous improvements is important rather than “shouting at the wind” with a list of failures, unaddressed risks, controls failures also sets a better and more encouraging tone.
4. Test, Test and After action review – don’t assume that the controls you implemented continue to operate or even to operate as designed. It is important to continuously validate your controls and remediation’s with a series of audits and tests to verify compliance with their design. You should also design your tests to challenge continued effectiveness of the control. New threats and vulnerabilities may have emerged since you designed the control. New controls may have emerged that are more effective or easier to operate. Users may have adapted the control based on business process or operations. So you need to challenge the effectiveness of the control as well as its continuous operation. You also need to review controls in after action reviews of incidents and events to see how those incidents occurred and whether the control was applied and was effective. It may be that the control was in compliance but now additional controls are required.

Top 5 Tips for performing an effective working Risk…

Performing a remote working security assessment is important. Remember the goal is to effectively identify, quantify and remediate prioritised risks. The methodology of formal risk management is important. However, Ward Solutions experience of helping organisations successfully manage risk for over 20 years is that there are a number of other “softer” skills and considerations that are key to your risk assessment success.

So from Ward Solution experience in a wide variety of sectors these are our top 5 tips to performing an effective remote working risk assessment:

1. Identify the correct scope of your remote working processes and infrastructure – In order to assess the risks to your organisation from remote working, you need to correctly identify the key information assets, infrastructure and processes that you wish to assess. Your scope needs to balance all relevant processes and infrastructure of your remote working services. Be careful not to open the scope too wide encompassing vaguely relevant or irrelevant assets or process. A bloated scope of risk assessment increases time and cost of the engagement and making the output less relevant with a reduced likelihood of success.
2. Ensure stakeholder buy-in and participation. Work hard to identify your key stakeholders in the risk assessment. Key stakeholders are usually a select sub-group of senior management as well as heavily reliant middle management and function owners. Your most important stakeholder may be a representative group of impacted or highly relevant grass root end users.  Their engagement in terms of input to the risk assessment and commitment to the output and recommendations from the risk assessment typically make or break the project. As with scope, focus on quality and relevance of stakeholders rather than quantity.
3. Conduct the risk assessment systemically and objectively – ensure you use experienced risk assessment professionals and follow a recognised risk assessment methodology such as NIST 800-30 to conduct your risk assessment. Ensure that you surface, and quantify appropriately all relevant threats and risks.
4. Be transparent and upfront whilst positioning and managing your findings – Ignore the temptation to downplay risks of vested, difficult or personal interests. Be transparent and honest with the organisation. Otherwise the engagement is bogus, the organisation will not gain value and your integrity is questioned. If you are worried about vested or difficult interests being exposed, then deal with this at the buy-in stage. Stress the importance of a “warts and all” approach. Outline upfront to stakeholders that most organisations typically will have the type and nature of issues likely to be uncovered. Help the organisation recognise how it got here – e.g. perhaps an accelerated adoption of large scale remote access and cloud adoption in response to COVID19. Consider socialising and positioning your findings with impacted stakeholders in advance so they are not blindsided. Allow them to have the time to reflect and position their response, before the final report of findings, public presentations etc. Focus on the benefits of unearthing the issues and having the opportunity to remediate rather than ignoring or hiding the issue and then being forced to respond to incidents as they occur.
5. Build and focus on a SMART remediation plan. Remember the goal of the risk assessment is to allow the organisation to manage the risks you have identified and quantified. Too many risk assessments focus on the risks and issues – not the remediation. By focusing on the issues only you can either paralyse the organisation with fear, uncertainty or alienate stakeholder from future or ongoing risk management exercises. The goal is for organisations to agree the risk register and buy into the prioritised remediation plan. Your remediation plan need to be SMART:
   • Specific – a very specific plan of what, where, when, how and whom
   • Measurable – it should be possible to very clearly determine if the element of the plan has been implemented and if and how successfully
   • Achievable – there is no point in having a plan if it cannot be implemented economically, technically or organisationally
   • Relevant – the plan must fit the organisations goals and ambitions and obviously should address the risks identified in a prioritised way.
   • Timely – the plan should be capable of embracing and delivering both the quick wins and the longer term high priority complex remediation’s. It needs to be done in timelines that means that a higher priority risk are addressed without unnecessary exposure time to the organisation. It also needs to address program fatigue – the notion that protracted projects without definable progress and wins loses support and enthusiasm over time.

Read our follow on article about our top 5 Tips for sustaining your remote risk assessment program:

Top 5 reasons to do a Remote Working Security…

Remote working has been a significant societal and technology trend for the last decade, but has been almost fully established by rushed necessity as a result of COVID19. Whilst remote working offers significant benefits in terms of flexibility, productivity, business continuity the rush to establish the service did not allow for necessary comprehensive assessment of risk or appropriate mitigation planning and implementation of controls.

Inevitably given the rushed and disruptive nature of this rushed implementation the remote worker, their endpoints, home networks, remote access and the hybrid on premise and cloud services that they are using are vulnerable have all been the subject of significantly increased security incidents and targeted attacks.

So what are the top 5 reasons that you should perform a remote working security assessment?

1. Identify and quantify the risks that your organisation and your remote workers face – once you identify the risk you can assess their potential impact on your organisation and likelihood of occurrence.
2. You will review your existing remote working policies and controls to ensure they are adequate and up to date– use our experience and expertise to objectively determine the effectiveness of or any gaps you may have in your existing policies and controls for remote working.
3. You will determine your current level of security and identify vulnerabilities and configuration weaknesses – analysis of your remote access infrastructure including authentication and encryption, Endpoint configuration and vulnerability analysis
4. You will produce a prioritised mitigation plan for identified risks for remote workers and remote working infrastructure and processes.
5. You will communicate you risks and remediation plan in a coherent way to relevant stakeholders in your organisation – gain buy-in commitments, sponsorship, resources and your plans that you need from management and functions within your organisation by outlining the risks you face, their potential impact to your organisation and your plans to remediate.
   • Track progress on risk emergence and mitigation – use the output of the risk assessment to track and demonstrate progress on your remediation plan.

If you are eager to check on your remote working risks, you can take our assessment today. It is a short assessment that will provide you with brief feedback on improvements. You can also talk to our specialists today about how we can help over come the issues identified.

Read our follow on article on our top 5 Tips performing an effective working Risk Assessment :