When experienced incident responders look up from their daily grind and consider all the different incidents they’ve handled over the months and years, they typically notice certain recurring themes. These insights hold true whether a responder works at one organization or at a service provider, helping many different organizations respond to cybersecurity incidents. Most fundamental response problems and solutions cut across industry lines and different operating environments.
The following five hot-button issues are the ones a typical incident responder wishes the average CISO would prioritize. These things would ease the grind and make the response team a lot more effective. CISOs are smart and aware of most things on this IR wish list, but they also have other big-picture priorities to consider – can we say budget, anyone? – and balance.
Can’t Use Your Mama’s Backups Anymore
In the era of rampant ransomware attacks, the importance of backups cannot be overstated. Businesses depend on backups to restore select systems or facilities after a disaster or malfunction, and also to recover from encryption attacks that hold an entire enterprise’s systems hostage in one go.
Backups today have to be robust and sweeping in scope. They have to be able to – provably and consistently – recover wide swaths of systems, and the organization has to know it can perform this recovery quickly. It’s not enough to just have good backup and recovery systems in place. Organizations need a solid, tested plan for how the systems will be rebuilt. This includes the order things are brought back online to account for dependencies, and how it will be done under difficult circumstances.
Please Don’t Set It and Forget It
Many incidents spin out of control not because an organization doesn’t have the right security tools or systems in place to detect or respond to them, but because those tools were not configured or staffed appropriately to do what they were designed to do.
I get it. Nobody on a security team wants to be the dedicated babysitter for one of 85 installed security products. “Set it and forget it” is attractive because whether you’re a CISO or SOC analyst, you have other stuff to do. You have auditors running hot and cold and getting all up in your business, business people trying to do strange and ill-advised things, and attacks constantly barraging systems day and night.
But just be advised that someone needs to be tasked with regularly revisiting all of their products. Timely incident response is about understanding the weird things that are happening in your environment, but that is too hard to figure out if teams are staring at the same things all the time. The team has to be looking at everything every so often.
Response Practice Comes in Many Forms
Having an IR plan is crucial, but a team has to practice it if they want to truly master the art of timely response when things go sideways. Tabletop exercises with a wide array of stakeholders – from technical people to PR to legal – are extremely beneficial.
Getting those heavy-hitters consistently in the same room or even on a conference call can be expensive, so CISOs need to be creative about how to build up the organization’s response muscle memory. This could be running smaller, more varied practice drills with different groups on a more regular basis. Or it could be as simple as leaning on something like the Bad Things Daily Twitter feed to put people through regular response thought exercises.
For the Love of Logs …
There is nothing more frustrating for an organization than spending big money on a response retainer or bringing an emergency response team into play only to find they can’t do much because they don’t have much data to work with.
We’ll get real here, though, and acknowledge that no CISO is ever going to collect logs at the level an IR professional would like. Solutions that do so are incredibly expensive and retaining troves of log data for long amounts of time can break the bank. The point here is that security leaders should be thinking intentionally about where and how they pull the two important log levers – breadth of coverage and retention. And they should try to find creative workarounds for bulking out log data, such as leaning on the data collected by other IT groups, such as operations.
It Always Comes Back to Compromised Credentials
Finally, a note from the intelligence analysts in the crowd: If you look at many security incidents today, you’ll find that most of them inevitably come back to one common denominator: compromised credentials. Multifactor authentication (MFA) is getting incrementally better about reducing user friction and increasing barriers for attackers. Often threat actors take an organization out of their automated scanning and credential stuffing rotation as soon as they see MFA in use. It’s powerful and can take many incidents off the table before a responder ever needs to handle it.