Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and Incidents to the SEC

A DFLabs White Paper.

SEC Cyber Security Reporting

Disclaimers

The information contained in this document is the proprietary and exclusive property of DFLabs except as otherwise indicated. No part of this document, in whole or in part, may be reproduced, stored, transmitted, or used for design purposes without the prior written permission of DFLabs. The information contained in this document is subject to change without notice.

NO WARRANTY: The information in this document is provided for informational purposes only. DFLabs specifically disclaims all warranties, express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, except as provided for in a separate software license agreement.

NOT LEGAL ADVICE: The ideas and opinions in this document are not to be construed as legal advice.

About DFLabs

DFLabs is an ISO 9001 certified company, specializing in Information Security Governance, Governance Risk and Compliance (GRC) and Business Security. Our mission is: Supporting Information Security Strategies and Guaranteeing Business Security. Proud of its professional experience, DFLabs provides consulting, services and technologies in the following areas: Network Security, Information Security Strategy, Incident/Fraud Prevention and Response, Digital Forensics, e-discovery, Litigation Support, Infosec Training, Intrusion Prevention, Log and Vulnerability Management.

DFLabs is the creator of the IncMan Suite, a comprehensive incident management solution. The IncMan Suite comprises three modules that can operate autonomously or in concert for a complete solution:

- Incident Manager (IMAN) is the integrated solution for the complete management of security incidents.
- Digital Investigation Manager (DIM) is digital evidence tracking software used in digital investigations. DIM has been designed and developed to support the digital evidence process during computer forensics and incident response operations.
- ITILity is a framework of best practices to manage IT operations and services. It is designed to provide a complete support solution and to streamline helpdesk processes.

©2011 DFLabs. Copyright, USA and EU Patent Pending Software. DFLABS srl, P.I. and C.F. 04547850968, cap.soc. 50.000 Euro i.v., Corso Magenta 43, 20123 Milano
Table of Contents

- Executive Summary
- Business Challenges
- Solution Description
- Important Features
- Technical Details
- Summary
- More Information
- Works Cited
Executive Summary

On October 13, 2011, the US Securities and Exchange Commission (SEC) published guidance regarding the obligations of companies registered with the SEC relating to cyber security risks and cyber security incidents. Although cyber security risks have always been a potential disclosure issue, this recently published guidance draws specific attention to the need for registrants to carefully analyze "if these issues are among the most significant factors that make an investment in the company speculative or risky." [1]

In determining whether such disclosure is required, companies need to consider:

- past security incidents;
- the probability of security incidents occurring in the future, the magnitude of those risks, and the potential costs and consequences of those incidents;
- the adequacy of the preventive actions taken to reduce cyber security risks.

The SEC guidance discussed in this paper provides several examples of cyber threats that can have a material impact on a company and that investors have the right to be made aware of. However, public disclosure of cyber risks and incidents must be done carefully. The SEC guidance recognizes that detailed disclosures could provide a roadmap to an attacker. Company executives have the difficult task of weighing the obligation to provide timely and comprehensive information against the need to preserve customer and investor confidence. The stakes of this balancing act are heightened by the litigious climate facing companies doing business in the US.

This document covers the challenge of assimilating all of the threats and attacks that a company is exposed to so that a proper risk assessment can be performed. Proper disclosure cannot be performed without competent analysis of the risks identified during a risk assessment. Not every breach will need to be reported, as the majority will not have the potential for a material impact on the company [2]. Deciding which security incidents to disclose is another critical management decision, and it must be made in a timely manner.

The DFLabs IncMan Incident Management Suite not only provides your organization's incident handlers with a framework for managing cyber security incidents, it also provides management with insightful information for understanding the organization's cyber risk profile and incident response trends, including the actual costs of historical and current incident response activities.
Business Challenges

Trade Secrets, Personally Identifiable Information, and Reputation

In today's information-based economy, it can be argued that information is the primary fuel of wealth creation. Information, combined with financial and human capital, creates the combustion of prosperity. Competitive advantage arises from how effectively organizational management leverages these three types of resources. Trade secrets are the information that provides competitive advantage. Companies need to devote appropriate resources to safeguarding this information in order to protect their competitive advantage.

In order for a company to do business, a modicum of trust must exist between the business and its customers. Each party to a transaction must trust that the transaction is fair. Some transactions require more trust than others, for example the trust relationship between a patient and a brain surgeon. Trust implies vulnerability: I do not have to trust you if I am not vulnerable to you [3]. To engage in most significant transactions, information must be exchanged, and the expectation is that the recipient can be trusted with the information.

The average consumer would rather not share intimate personal details with a large international organization, but they will do so if they want the transaction to occur. Whether one is aware of it or not, the decision to trust and share personally identifiable information (PII) is based on a risk calculation that is part of our psychological hardwiring. An individual may not accurately perceive the risk [4], but it is clear that one's own experience and one's assessment of the other party's reputation are the predominant factors in the decision-making process [5].

To survive and thrive, organizations must diligently protect their trade secrets and those of their business partners. They must also safeguard the personal information entrusted to them by their customers. How effective an organization is at protecting these vital assets shapes its reputation, and that reputation is a key factor in the growth or decline of a business.

Disclosure of Cyber Security Risks by Public Companies

Investing is another transaction that has inherent risk and is based on trust. The US Securities and Exchange Commission (SEC) has stated that, "The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision." [1]
The SEC has noted that there is increased focus on the disclosure obligations of publicly traded companies and has issued a document called CF Disclosure Guidance: Topic No. 2 – Cybersecurity (hereafter referred to as "the guidance"). Perhaps this is a response to several high-profile security breaches at large public companies. The guidance states in its introduction that, as dependence on digital technologies has increased, "the risks to registrants associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents." [1]

Attacks & Accidents

In general terms, the goal of an attack is to make the adversary's resources more valuable to the attacker (theft, for example) or less valuable to the adversary (such as "denial of service"). Attackers have a variety of motivations. Understanding these motivations is an important part of threat assessment.

However, not all security incidents are motivated by ill will toward the organization. In fact, many security incidents are due to errors and omissions [6]. Organizations must protect themselves from both attacks and accidents.

Confidentiality, Integrity, and Availability

Regardless of the motivation, a security incident will fall into one or more of the following categories:

- Threats to Confidentiality – A threat to confidentiality occurs when unauthorized access is gained to a system containing secret information.
- Threats to Integrity – A threat to integrity occurs when information is altered without authorization; once a system has been attacked, users lose trust in the accuracy and reliability of the information contained therein.
- Threats to Availability – If users cannot access the information in a system, the value of that information is greatly diminished.
Risk, Vulnerabilities, and Threats

The common definition of cyber security risk is the likelihood that a threat will exploit a specific vulnerability, taken together with the impact if it does. Risk management is the identification and prioritization of risks, as well as the economical application of resources to reduce the impact of the adverse event [7].

By way of example, the SEC guidance discusses a variety of deliberate and unintentional cyber attacks on confidentiality, integrity, and availability. The document states that successful attacks might result in the victim organization incurring substantial costs and negative consequences, such as:

- Remediation costs, which may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
- Increased cyber security protection costs, which may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting customer or investor confidence.

Risks have to be prioritized because the cost of mitigating a risk should not exceed the cost of the adverse impact it prevents.

Determining What to Disclose

The SEC guidance discusses the specifics of disclosing risks in the various sections of the SEC forms that cover:

- Risk Factors
- Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A)
- Description of Business
- Legal Proceedings
- Financial Statement Disclosures
The disclosures must "adequately describe the nature of the material risks and specify how each risk affects the registrant" [1]. Registrants are expected to evaluate their cyber security risks, considering all relevant information. The guidance specifically mentions:

- previous cyber security incidents and the severity and frequency of those incidents;
- the probability of future cyber security incidents and the potential magnitude of those risks; and
- the adequacy of the countermeasures taken to reduce cyber security risks.

A founding partner of the Information Law Group stated, "One read of this guidance is that companies internally are going to have to more carefully forecast and estimate the impact of cyber incidents and the consequences of failing to implement adequate security. This analysis will go well beyond privacy-related security issues where most companies have focused (due to various privacy laws and regulator activity), and implicate key operational issues impacted by security breaches." [2]

Avoiding Litigation

The stakes are very high. If a company does not adequately disclose cyber security risks, it is potentially exposed to lawsuits and sanctions from the SEC. However, disclosing details about prior security incidents can also open the company up to additional lawsuits. One thing is sure: teams of lawyers and accountants are looking at both sides of this issue¹, and plaintiffs will have no problem obtaining the funding to pursue class action lawsuits [8].

¹ The introduction to the SEC guidance stated that a motive for publishing the guidance was that "there has been increased focus by registrants and members of the legal and accounting professions on how these risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws" [1].
Solution Description

Determination of Material Risks

In order for management to determine which cyber security risks should be disclosed per the SEC guidance, it is important that the organization have a comprehensive security management program. Three facets of the program will be the biggest sources of information for the disclosure decision-making process:

- Incident Handling and Case Management
- Risk Assessments
- Operational Security

The IncMan Suite from DFLabs is a comprehensive incident management framework with functionality that meets the needs of security governance programs, particularly in these three areas. This functionality is discussed in the following sections, with a focus on the needs of the decision makers involved in SEC reporting.

Figure 1 – The IncMan Dashboard gives a visual indication of critical metrics.
Information on Past Security Incidents

The guidance states that historical security incident information is a consideration to be factored into the disclosure decision-making process. IncMan not only provides a workflow framework for an organization's incident response team, it is also a repository of the team's historical response activities. The IncMan Suite archives all case notes and evidence, preserving the chain of custody records. All cases are rated on a severity scale based on your organization's criteria. Lessons learned can be preserved with each case. All content is searchable.

A dashboard (see Figure 1) provides a high-level overview of aggregated case information, allowing managers to identify trends and see the financial impact of security incidents.

Probability & Impact of Future Security Incidents

While historical security incident information is an important factor in risk assessments, it provides only a partial picture because threats evolve rapidly. Security managers must also be aware of emerging attack trends, recently disclosed software vulnerabilities, and security incidents afflicting the organization's industry peers.

One of the most important features of IncMan is its native support of the IODEF standard, the Incident Object Description Exchange Format defined in RFC 5070 [9]. This capability allows IncMan to automatically receive incident reports from any CSIRT that exchanges them in this format and to create assignments for the organization's response team to take preemptive actions. The IncMan Suite allows security managers to assess the magnitude of risk, and the potential costs and consequences, of material threats to the organization.

Because all security incidents (internal and external to the organization) are catalogued according to the IODEF data model, security managers are able to use the dashboard and report wizard to characterize emerging security incident trends and project the potential financial impact on the organization.
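The IODEF ingestion described above, as an added example that is not IncMan's code or any code from this paper: a Python parser for an RFC 5070 IODEF-Document that summarizes each Incident and selects those at or above an organization-defined severity threshold for assignment to the response team. The sample report is constructed here, modelled on the RFC's own examples; the CSIRT name, incident IDs, addresses (RFC 5737 documentation range), the severity ranking and the default threshold are assumptions of the example.

```python
"""Ingest IODEF v1.0 (RFC 5070) incident reports and turn each <Incident> into
a triage record.  Added illustration: the XML handling and the severity ranking
are this example's own, not IncMan's implementation."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
NS = {"iodef": IODEF_NS}

# RFC 5070 Impact@severity values, ranked so the worst one can be selected (assumed ordering).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample modelled on the RFC 5070 section 7 examples.  The CSIRT
# name, incident IDs and addresses (RFC 5737 documentation range) are invented.
SAMPLE_REPORT = """<IODEF-Document version="1.00" lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="mitigation">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2011-11-08T10:02:00-05:00</ReportTime>
    <Assessment><Impact severity="high" completion="succeeded" type="admin"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
    <EventData><Flow>
      <System category="source"><Node><Address category="ipv4-addr">192.0.2.200</Address></Node></System>
      <System category="target"><Node><Address category="ipv4-addr">192.0.2.16</Address></Node></System>
    </Flow></EventData>
  </Incident>
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189494</IncidentID>
    <ReportTime>2011-11-08T11:30:00-05:00</ReportTime>
    <Assessment><Impact severity="low" completion="failed" type="recon"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
  </Incident>
</IODEF-Document>"""


@dataclass
class IncidentSummary:
    incident_id: str
    issuer: str                  # IncidentID@name: the CSIRT that assigned the ID
    purpose: str                 # traceback | mitigation | reporting | other
    report_time: str
    severity: str                # worst Impact@severity found in the Assessment
    impact_types: List[str] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)
    targets: List[str] = field(default_factory=list)


def parse_iodef(xml_text: str) -> List[IncidentSummary]:
    """Return one IncidentSummary per <Incident>; reject input that is not IODEF 1.0."""
    # Reports arrive from outside the organization, so the XML is untrusted.
    # ElementTree does not resolve external entities; a hardened parser such as
    # defusedxml would be the usual production choice (assumption, not from the paper).
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}IODEF-Document" % IODEF_NS:
        raise ValueError("not an IODEF 1.0 document: %s" % root.tag)
    summaries = []
    for inc in root.findall("iodef:Incident", NS):
        id_el = inc.find("iodef:IncidentID", NS)
        if id_el is None:
            raise ValueError("Incident without IncidentID")
        time_el = inc.find("iodef:ReportTime", NS)
        impacts = inc.findall("iodef:Assessment/iodef:Impact", NS)
        severities = [i.get("severity", "") for i in impacts]
        worst = max(severities, key=lambda s: SEVERITY_RANK.get(s, 0), default="")
        summary = IncidentSummary(
            incident_id=(id_el.text or "").strip(),
            issuer=id_el.get("name", ""),
            purpose=inc.get("purpose", ""),
            report_time=(time_el.text or "").strip() if time_el is not None else "",
            severity=worst,
            impact_types=[i.get("type", "unknown") for i in impacts],
        )
        # Source and target systems live under EventData/Flow/System[@category].
        for system in inc.findall("iodef:EventData/iodef:Flow/iodef:System", NS):
            addrs = [a.text.strip() for a in system.findall("iodef:Node/iodef:Address", NS) if a.text]
            if system.get("category") == "source":
                summary.sources.extend(addrs)
            elif system.get("category") == "target":
                summary.targets.extend(addrs)
        summaries.append(summary)
    return summaries


def needs_assignment(summaries: List[IncidentSummary], threshold: str = "medium") -> List[IncidentSummary]:
    """Select the incidents at or above the organization's severity threshold (assumed 'medium')."""
    floor = SEVERITY_RANK[threshold]
    return [s for s in summaries if SEVERITY_RANK.get(s.severity, 0) >= floor]


if __name__ == "__main__":
    for s in needs_assignment(parse_iodef(SAMPLE_REPORT)):
        print("assign: %s#%s %s %s -> %s" % (s.issuer, s.incident_id, s.severity, s.sources, s.targets))
```

Running the block as a script prints only the first incident: the high-severity mitigation request is turned into an assignment, while the low-severity reconnaissance report is catalogued but not escalated. The severity floor is the kind of pre-defined threshold the paper refers to, and it belongs in the organization's written criteria rather than in the code.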
Adequacy of Preventive Actions Taken to Reduce Risks

An important tenet of security is "prevention is important, but detection is a must!" Most secure organizations have adopted a defense-in-depth security philosophy with overlapping layers of preventive and detective security controls. The detective countermeasures are designed to raise an alert when a preventive control has failed or has been circumvented. Generally, the more rapid the response to the incident, the lower the cost will be.

The IncMan Suite can integrate with security devices that export events as XML or in the Common Event Format (CEF), such as popular intrusion detection systems (IDS), intrusion prevention systems (IPS), and Security Information and Event Management (SIEM) systems.

The data generated by IncMan will allow security managers to make an ongoing evaluation of the adequacy and cost effectiveness of the organization's preventive and detective controls. As part of an operational security process, new procedures and incident response procedures are adapted to respond to organizational changes and evolving threats. These critical documents can be stored in the IncMan knowledge base for immediate access during an incident.

Supporting Documentation for SEC Disclosures

As stated in the Business Challenges section of this paper, cyber security risk and incident disclosures may impact reputation and investor and customer confidence, as well as have legal ramifications. For this reason, it is anticipated that organizations will develop written criteria for internal use as to what constitutes a material disclosure. Customized reports can be created to provide the supporting documentation for the SEC disclosures.

Discovery & Legal Evidence

The organization may become involved in legal action resulting from significant security incidents, either as a plaintiff or as a defendant. Corporate counsel can rest assured that all aspects of the incident response, including artifacts and case notes, are preserved in a forensically sound manner within the IncMan Suite. The suite provides chain of custody tracking for all evidence and incorporates full support for digital forensic investigation activities.

Within the system, all activity is logged. Access to each case is controlled on a role-based, need-to-know basis as granted by a supervisor. When cases are closed, access can be revoked or changed to read only.
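The CEF integration mentioned under "Adequacy of Preventive Actions Taken to Reduce Risks" above, as an added example that is neither IncMan's code nor part of this paper: a Python parser for Common Event Format lines of the kind an IDS or SIEM exports, which handles the two escapes the format requires (a backslash before "|" in header fields and before "=" in extension values) and selects the events at or above a case-opening severity threshold. The sample lines, the vendor and product names used in them, the signature IDs, the addresses (RFC 5737 documentation range) and the threshold value are all constructed for the illustration.

```python
"""Parse Common Event Format (CEF) lines of the kind IDS/IPS and SIEM products
export, and select the events that should open a case.  Added illustration;
the parser and the threshold are this example's own, not IncMan's."""
import re
from typing import Dict, List

# Constructed sample lines (RFC 5737 addresses; signature IDs and rule names are
# invented).  The second line exercises the escapes the format requires:
# "\|" inside a header field and "\=" inside an extension value.
SAMPLE_LINES = [
    "CEF:0|Snort|IDS|2.9|1:1000001|Hypothetical web scan signature|4|"
    "src=192.0.2.200 dst=192.0.2.16 spt=51234 dpt=80 proto=TCP act=alert",
    "CEF:0|ArcSight|ESM|5.0|100|Rule fired: Brute force\\|login|9|"
    "suser=admin src=198.51.100.7 dst=192.0.2.16 msg=Failed logins\\=5 in 60s cnt=5",
    "not a CEF line at all",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _split_header(line: str) -> List[str]:
    """Split on unescaped '|' into the 7 header fields plus the extension."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # "\|" or "\\": keep the next char literally
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    fields.append(line[i:])                    # whatever remains is the extension
    return fields


def _unescape_value(value: str) -> str:
    # Undo extension escapes: backslash-equals, backslash-backslash, and the \n / \r forms.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; values may contain spaces, so split only where a new key starts."""
    result: Dict[str, str] = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        key, sep, value = token.partition("=")
        if sep:
            result[key] = _unescape_value(value)
    return result


def parse_cef(line: str) -> dict:
    """Return the header fields plus an 'extension' dict; raise ValueError on non-CEF input."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _split_header(line)
    if len(parts) != 8:
        raise ValueError("CEF header has fewer than 7 fields")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = event["version"][4:]            # drop the "CEF:" prefix
    try:
        event["severity"] = int(event["severity"])     # CEF severity is an integer 0..10
    except ValueError:
        pass                                           # leave non-numeric values as text
    event["extension"] = _parse_extension(parts[7])
    return event


def events_for_case(lines: List[str], min_severity: int = 7) -> List[dict]:
    """Keep the parseable events at or above the case-opening threshold (assumed to be 7)."""
    selected = []
    for line in lines:
        try:
            event = parse_cef(line)
        except ValueError:
            continue                                   # malformed line: skip it (log it in practice)
        severity = event["severity"]
        if isinstance(severity, int) and severity >= min_severity:
            selected.append(event)
    return selected


if __name__ == "__main__":
    for e in events_for_case(SAMPLE_LINES):
        print("%s %s sev=%s %r from %s" % (e["vendor"], e["product"], e["severity"],
                                          e["name"], e["extension"].get("src")))
```

Run as a script, the block reports only the severity-9 brute-force event; the severity-4 scan is parsed but stays below the threshold, and the malformed third line is skipped rather than aborting the batch. The character-by-character header split matters: a naive split on "|" would cut the rule name "Brute force|login" in two and shift every following field, including the severity used for escalation.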
Important Features

The IncMan Suite is designed with the needs of enterprise incident response teams in mind. The following features make the system well suited to the challenge of disclosing material risks and incidents to the Securities and Exchange Commission:

- Workflow Management – Templates can be defined to pre-populate the security incident case record, and tasks can be created and tracked.
- Dashboard – The configurable dashboard gives an overview of the incident response posture of the organization.
- Powerful Reporting – Reports can be customized to report exactly the information needed to support a material disclosure.
- GRC – Risk and compliance implications for every incident can be automatically directed to the appropriate management personnel.
- Preservation of Evidence and Chain of Custody – All activities are logged and all artifacts are preserved in a forensically sound manner.
- Knowledge Base – The knowledge base can be loaded with the organization's policies, procedures, and criteria for a material disclosure.
- Case Activity Notifications – Email alerts can be configured to escalate incident cases to the appropriate level of management based upon severity.
- Automatic Integration with External Applications – Integration with Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) systems, and leading forensic tools. Examples include ArcSight, NetWitness, AccessData FTK, Solo III, X-Ways, Guidance Software EnCase, PTK Forensics, RSA enVision, Tableau and more.

The focus of this document is to highlight the value of IncMan to security executives who make cyber security disclosures to the SEC, but it should be emphasized that this value derives from the fact that it is also an indispensable tool for the organization's incident response team.
Technical Details

The IncMan Incident Management Suite is a secure web application designed to scale to the largest, geographically distributed enterprises. The system is provided as a virtual machine, a hardware appliance, or a multi-tiered cluster, depending on the needs of the organization. Users access the system using a web browser or a mobile device, such as an iPad. The user interface supports multiple languages.

Summary

This document shows how the DFLabs IncMan Incident Management Suite is well suited to support the needs of security executives who must disclose cyber security risks and incidents to the US Securities and Exchange Commission. Although only material risks must be disclosed, deciding what to disclose is a decision that has significant consequences and should be based on specific criteria.

The IncMan Suite is designed to support and coordinate the incident management activities of an entire enterprise while providing governance with the metrics needed to understand the organization's cyber risk profile. The system can escalate situations to the appropriate levels of management when security incidents matching certain criteria occur or pre-defined thresholds are exceeded.

All historical costs and associated risks are tracked to allow for the reporting of the financial impact of incident response actions and the projection of future costs. This system helps security managers identify attack trends and assess the adequacy of the preventive measures that the organization is taking to reduce security risks.

While determining what to disclose to the SEC is still a tough executive decision, the IncMan Suite helps to facilitate the decision by providing the information that is critical to the decision-making process.
More Information

To schedule a demonstration of the DFLabs IncMan Incident Management Suite or to learn more about our software products and services, contact Dale Wright at +01 410 381 4860, or email sales_usa@dflabs.com. Visit our website at www.DFLabs.com.

Works Cited

[1] "CF Disclosure Guidance: Topic No. 2, Cybersecurity," Division of Corporation Finance, Securities and Exchange Commission, 13 October 2011. [Online]. Available: http://sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. [Accessed 24 October 2011].
[2] D. Navetta, "SEC Issues Guidance Concerning Cyber Security Incident Disclosure," Information Law Group, 14 October 2011. [Online]. Available: http://www.infolawgroup.com/2011/10/articles/breach-notice/sec-issues-guidance-concerning-cyber-security-incident-disclosure/. [Accessed 24 October 2011].
[3] C. McLeod, "Trust," The Stanford Encyclopedia of Philosophy, Spring 2011 Edition, 2011.
[4] D. Ropeik, How Risky Is It Really?, New York: McGraw-Hill, 2010.
[5] A. Partida and D. Andina, "Vulnerabilities, Threats and Risks in IT," in IT Security Management, vol. 61, Springer Netherlands, 2010, pp. 1-21.
[6] ITpolicyCompliance.com, "Taking Action to Protect Sensitive Data," March 2007. [Online]. Available: http://www.itpolicycompliance.com/research-reports/taking-action-to-protect-sensitive-data/. [Accessed 25 October 2011].
[7] D. W. Hubbard, The Failure of Risk Management, Hoboken, NJ: John Wiley & Sons, Inc., 2009.
[8] V. O'Connell, "Funds Spring Up to Invest in High-Stakes Litigation," The Wall Street Journal, 3 October 2011. [Online]. Available: http://online.wsj.com/article/SB10001424052970204226204576598842318233996.html. [Accessed 25 October 2011].
[9] R. Danyliw, J. Meijer and Y. Demchenko, "The Incident Object Description Exchange Format," RFC 5070, December 2007. [Online]. Available: http://www.ietf.org/rfc/rfc5070.txt. [Accessed 8 November 2011].
DF LABS Srl, VAT and taxpayer number 04547850968
Rep. Office: Via Bergognone, 31, 20144 Milano, Italy
Labs: Via delle Macchinette, 27, 26013 Crema (CR), Italy
Tel: +39 0373-83196 / +39 0373-223716
Fax: +39 0373 387605 / +39 02-700424607
Email: info@dflabs.com

DFLabs - North America and South America
Contact: Dale Wright
Email: sales_usa@dflabs.com
Tel: +01 410 381 4860

DFLabs - Middle East, Dubai, UAE
Contact: Dennis Oommen
Email: dpo@dflabs.com
Tel: +97150 5515 480

About the Author

Kenneth G. Hartman is a Solution Architect for DFLabs. Ken holds multiple security certifications, including a CISSP. Prior to coming to DFLabs, Ken was a Security & Privacy Officer for a Healthcare Informatics company. Contact the author at kh@dflabs.com.

Publication Date: 12/7/2011

©2011 DFLabs srl. www.DFLabs.com
