Security incidents happen. The key is whether you’re properly prepared or not. Building a first-class system for incident response requires the right staff, expertise, processes and enterprise-wide coordination.
Security Essentials for CIOs: Responding to the inevitable incident
IBM Center for Applied Insights Executive Series

Highlights:
Security incidents happen. The key is whether you’re properly prepared. Building a first-class system for incident response requires the right staff, expertise, processes, and enterprise-wide coordination. An enterprise built to thrive must have a team ready and on call every hour of the day to respond to a major incident.

It could come tomorrow, or perhaps two years from now. It could arrive in many forms, perhaps as a distributed denial of service attack or malware siphoning off company secrets. Whatever its shape or nature, the first question is not whether an enterprise-threatening incident will come, but instead when. And the same goes for the one after that. The vital question, of course, is whether you’re prepared.

At IBM, we use a set of general principles to direct our internal actions and external communications when an incident occurs. In a sense, this incident-response unit functions like a hospital emergency room. Everyone must know his or her documented processes and procedures. And much like an emergency at an ER, the challenge is to identify the threat quickly, assess its gravity and potential to spread, and take prompt measures to contain it. The trouble is that incidents, unlike those at an ER, can affect every branch of business. Some incidents threaten customers, others employees or products. Some might leak sensitive data on partners, relations with governments or intellectual property. The possibilities range as wide as the enterprise itself. This means, daunting as it might sound, that the incident-response team must draw on expertise from virtually every area of the enterprise.

So what steps should a CIO take to build a top-notch system for incident response? We’ve put together a list.
Executive Series: Security Intelligence

1. Commit to a full and talented staff.
Response teams naturally include technical security and legal experts. But they should also extend to marketing, human resources, finance, and government affairs. Each region in which a company does business should field a security team, as well as back-ups. This global deployment allows work on incidents to revolve with the earth, twenty-four hours a day, seven days a week. What’s more, teams in each region can tap experts who understand the requirements in each country, and the business at stake. During emergencies, these people face tough decisions whose consequences can reverberate through the entire company. In such a situation, there is no place for an inexperienced team.

2. Build a documented and auditable process.
Whether you choose to build it in-house or hire outside professionals, the enterprise should have a system to monitor operations and collect accurate and timely reports from the field. Every step taken should follow procedures, which can be monitored and, later, studied and fine-tuned. And remember, an established communications strategy, with the appropriate channels, team members and process, is one of the key elements of a documented plan.

3. Involve the entire enterprise.
Employees in every role and division are vital for incident detection and response. They must be educated not only to take necessary precautions, but also to spot and report incidents through established channels. In this sense, everyone is part of the response team. This fact should be hammered home, in practice drills and structured walk-throughs. It is part of creating a risk-aware culture.

4. Spot the really dangerous incidents — and focus on them.
Large enterprises might handle numerous incidents in a single day, from a laptop left at an airport to phishing attacks in corporate email. The initial challenge is to determine which ones pose the greatest potential danger and to put a team on them quickly. Returning to the emergency-room analogy, this is like the triage unit. In the case of a junior employee who foolishly shared his password, security analysts will quickly study that employee’s network activity in recent weeks, and the areas of the enterprise he has access to. They may determine that it is only a minor threat. If, on the other hand, an errant password belongs to a senior executive who was busy negotiating a multi-billion-dollar deal overseas, it could represent a dangerous breach. The response team should jump into action, both at the home office and in the region where it occurs. Keep in mind that the incident may not be resolved in a work day, which means that another team several time zones away might be picking up the work within hours. They should be in the loop, the sooner the better.

5. “Small” incidents matter, too.
Say, for example, that outsiders penetrated the corporate network through an unsecured Wi-Fi connection. They may have done no harm. But it’s vital to respond to such incidents, and keep careful records of them. First, they may be indications that some employees are not observing security procedures—that the culture of vigilance may be slackening. That’s a wake-up call. Further, a number of seemingly small incidents can fit into a larger pattern, and perhaps a serious threat. Without taking note of all incidents, following up on them, and keeping records, a big threat could arrive unnoticed. An enterprise that does not maintain trained incident response teams on call is, in many senses, asleep at the wheel.

6. Trust the team to make crucial decisions in real time.
Once an incident is spotted, the next job is to determine the possible damage, and to take the appropriate action. This can involve a series of momentous decisions. One early question is whether to alert the user who appears to be the target of an attack or to cut off his or her network access. If the incident shows signs of a possible insider attack, the answer is anything but clear. The team must also determine if local law enforcement authorities should be alerted.

Experts on the response team must understand all of the issues. Under the pressure of a crisis, the team must map out a course that will protect the company’s interests. This requires broad expertise, along with the confidence and power to make tough decisions quickly. Again, these matters involve the entire enterprise, and the expertise on hand—whether in-house or through a service provider—must extend far beyond the technical team.
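As an added illustration of steps 4 and 5 above (this is example code written for this page, not IBM’s own tooling or anything the paper describes), the Python below sketches the two mechanics those steps imply: a triage score that weighs an incident by the role of the affected user, what that account can reach and whether its recent network activity looks abnormal, and a correlation pass over the incident records that flags “small” low-priority incidents of one kind recurring at one site within a time window. The category weights, role weights, thresholds and the sample incident records are all constructed assumptions for the example.

```python
"""Incident triage scoring and small-incident correlation.

Added example: not IBM's code. Weights, thresholds and the sample
incident records are constructed assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed base severity per incident category (higher = more dangerous).
CATEGORY_BASE = {
    "unsecured-wifi": 1,
    "lost-laptop": 2,
    "shared-password": 2,
    "phishing": 3,
    "malware": 5,
    "suspected-insider": 6,
}
# Constructed weight for the role of the affected user: an executive's
# errant password matters more than a junior employee's.
ROLE_WEIGHT = {"junior": 0, "senior": 2, "executive": 4}


@dataclass
class Incident:
    incident_id: str
    occurred: datetime
    category: str
    site: str                 # region or office where the incident happened
    user_role: str            # role of the affected account holder
    access_scope: int         # number of sensitive systems the account can reach
    anomalous_activity: bool  # recent network activity deviated from baseline


def triage_score(inc: Incident) -> int:
    """Combine category, role, reach and recent behaviour into one number."""
    score = CATEGORY_BASE.get(inc.category, 1)
    score += ROLE_WEIGHT.get(inc.user_role, 0)
    score += min(inc.access_scope, 5)   # cap so reach alone cannot dominate
    if inc.anomalous_activity:
        score += 3
    return score


def priority(score: int) -> str:
    """Map a score to the queue the incident goes into."""
    if score >= 10:
        return "critical"
    if score >= 6:
        return "high"
    return "low"


def prioritize(incidents):
    """Rank incidents most dangerous first, like an ER triage desk."""
    ranked = [(inc, triage_score(inc)) for inc in incidents]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return [(inc, score, priority(score)) for inc, score in ranked]


def find_patterns(incidents, window=timedelta(days=30), threshold=3):
    """Flag low-priority incidents of one category at one site that recur
    at least `threshold` times inside `window`: each alone looks minor,
    together they may indicate slackening discipline or a larger threat."""
    groups = defaultdict(list)
    for inc in incidents:
        if priority(triage_score(inc)) == "low":
            groups[(inc.category, inc.site)].append(inc)
    patterns = {}
    for key, group in groups.items():
        group.sort(key=lambda i: i.occurred)
        for start in range(len(group)):
            end = start
            while (end + 1 < len(group)
                   and group[end + 1].occurred - group[start].occurred <= window):
                end += 1
            if end - start + 1 >= threshold:
                patterns[key] = [i.incident_id for i in group[start:end + 1]]
                break
    return patterns


# Constructed sample records: one junior and one executive shared password,
# a cluster of unsecured Wi-Fi connections at one site, and a phishing case.
T0 = datetime(2024, 3, 1)
SAMPLE_INCIDENTS = [
    Incident("INC-001", T0, "shared-password", "Austin", "junior", 1, False),
    Incident("INC-002", T0 + timedelta(days=1), "shared-password", "Singapore",
             "executive", 8, True),
    Incident("INC-003", T0 + timedelta(days=2), "unsecured-wifi", "Austin", "junior", 0, False),
    Incident("INC-004", T0 + timedelta(days=9), "unsecured-wifi", "Austin", "senior", 0, False),
    Incident("INC-005", T0 + timedelta(days=20), "unsecured-wifi", "Austin", "junior", 1, False),
    Incident("INC-006", T0 + timedelta(days=5), "unsecured-wifi", "Zurich", "junior", 0, False),
    Incident("INC-007", T0 + timedelta(days=3), "phishing", "Austin", "senior", 2, False),
]

if __name__ == "__main__":
    for inc, score, prio in prioritize(SAMPLE_INCIDENTS):
        print(f"{inc.incident_id} {prio:8} score={score:2} {inc.category}@{inc.site}")
    for (cat, site), ids in find_patterns(SAMPLE_INCIDENTS).items():
        print(f"pattern: {len(ids)}x {cat} at {site}: {', '.join(ids)}")
```

Run as a script, the executive’s shared password lands at the top of the queue while the junior employee’s sits near the bottom, and the three Austin Wi-Fi incidents, each individually “low”, are reported together as one pattern. The point of keeping records of the small ones is exactly that second output: the correlation is impossible if the minor incidents were never written down.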
7. Close the loop.
Some incidents are handled in a single morning. Others, from malware attacks to insider threats, may take longer. Even after an incident is addressed, it is advisable to proceed to a root cause analysis. The enterprise must determine what it was about the company’s procedures or systems that allowed such an incident to take place, and how it can be avoided in the future. Addressing the root cause might require changes in work-force communication, more training, or perhaps a technical fix. In this sense, responding to each incident becomes part of a continuous improvement process—one that never ends.

What to do when bad things happen
External communications challenges for security incidents

A security breach can also pose external communications challenges. Damage can spread quickly, tarnish an organization’s reputation and undermine its business. Keys to a successful communications program are the ability to respond quickly to shifting media focus and to realize that anything can happen and usually does. Here are some tips to consider before a security incident happens:

• Developing a good back story. An organization must be able to communicate clearly and convincingly that it has good processes in place to help secure its systems, detect incidents, and limit their impact. If an organization doesn’t have this back story of responsible data stewardship, then the public will quickly assume that everything said after the breach is simply public relations posturing.

• Planning for the worst. It could be a reporter calling you to say that a hacker group has publicly posted information it is claiming that it stole from your organization. It could be any of the new forms of malware that seemingly appear out of nowhere. Scenario planning can be useful, but the key is not to overdo it. The thick notebook on the shelf filled with various scenarios usually won’t contain the one that befalls you.

• Determining who to call. There are reporters, bloggers, and public policy groups who will either transmit the detailed and accurate information you provide, or repeat the rumors that are sure to be rampant. Make a list of the reporters who cover your organization on a regular basis, bloggers who cover your industry and the various social media sites on which you are already participating.

• Timing an initial statement. This is the single differentiating factor between a successful communications program and one that fails to prevent damage to the brand. It is understandable to want to quiet the rumor mill by making a quick statement. It also is understandable to want to know all the facts before making a statement so that you have 100 percent accuracy. Both are wrong. Rushing leads to statements based on supposition and inaccurate early assessments. Delaying means inaccurate reports could gain traction and legitimacy.

• Communicating details. Look to the National Traffic Safety Board (NTSB) as an organization to emulate. The NTSB communicates as quickly as possible the known facts, cautions against speculation, and follows up with regular updates. When communicating about a breach discovered by internal measures, focus on what has happened, what potentially impacted persons should be doing, and steps being taken to prevent a repeat of the incident. Do not be afraid to take credit for what you are doing to address the problem, such as cooperation with law enforcement, forensics investigation, installation of help lines, and special support to customers.

• Monitoring the press and social media. A successful monitoring program can judge the effectiveness of specific messaging and get a jump on what information reporters will be seeking next. Many organizations mistakenly assign media monitoring responsibilities to a junior level professional or an administrative staffer, thereby failing to capitalize on the trends apparent to a more experienced person.