I’ve been neglecting this blog a bit of late. That’s due in part to being overwhelmed with the sheer number of security breach stories and features to write up this summer. I can’t recall a time when there’s been so much going on, and such a great variety of incidents — apart from last year, and the year before … and possibly the year before that.
It’s becoming something of a cliché to say “it’s not a case of ‘if’ but ‘when’ your organisation is successfully attacked” — but that doesn’t make it any less true. That puts even more pressure on firms to get incident response right. Succeed, and you could get away with little more than a slap on the wrist from the regulators — you may even find your organisation’s reputation enhanced. I asked the experts their views for an upcoming Infosecurity Magazine feature.
First and foremost, IR plans should be drawn up by an organisation-wide team, according to IISP board director, Chris Hodson.
“The IR team must be cross-functional and comprised of senior business stakeholders that understand the importance of the data, applications and infrastructure across their enterprise,” he told me.
“An effective plan must consider not only the nefarious, but also accidental and environmental events. In a world where technology and internet connectivity are baked into everything, safety has become a key consideration too — it’s no longer just considerations of ‘confidentiality, integrity and availability’ (CIA), we need to look at safety being of paramount importance.”
PwC’s US cybersecurity and privacy lead, Sean Joyce, was more prescriptive.
“The incident response plan (IRP) should include but not be limited to the following types of information: event and incident definitions; incident categories, descriptions, and criticality levels; escalation matrices; incident life cycle workflows; a listing of internal stakeholders and external partners with their roles and responsibilities; and reporting requirements,” he explained to me.
Certified SANS instructor, Mathias Fuchs, added much more to the list, including a communications plan, police liaison, mapping out of standard operating procedures, and how to deal with outsourcers like cloud providers.
“As message control is one of the key points in incident response, a predefined circle of trust that limits information flow to people not working on the case as well as to the outside world is key,” he added. “Particularly for publicly traded organisations, information about security incidents has to be treated with great caution as it usually does have an impact on the stock price once publicly available.”
My plan’s in place, now what?
Once you’ve got a plan drawn up, it’s essential to test it regularly, according to Joyce.
“Preparation is a key component to any incident response event. In our experience, organisations that take the time to develop and test their IRPs and playbooks are more prepared to respond and likely reduce the impact of an incident,” he argued. “Decisions that are made in the first 24 hours are extremely impactful in a positive or negative way.”
For Ian Glover, president of accreditation body CREST, it’s also vital to determine how ready the organisation is to respond to an incident, covering people, process and technology.
“CREST has developed a maturity model and free tool to enable assessment of the status of an organisation’s cybersecurity incident response capability on a scale of 1 (least effective) to 5 (most effective),” he told me. “The tool enables assessments to be made at either a summary or detailed level and has been developed in conjunction with a broad range of organisations, including industry bodies, consumer organisations, the UK government and suppliers of expert technical security services. It delivers an assessment against a maturity model based on the 15 steps within the three-phase Cyber Security Incident Response process.”
Even the best laid plans can come apart when a cyber-attack actually strikes. But well-defined and practiced playbooks can help, said PwC’s Joyce.
“An organisation, in consultation with their external partners, should proceed forward with identifying any additional requirements related to preservation, investigation, containment, and longer-term remediation related actions. The results of the investigative work stream should be communicated in a defined/repeatable process that will directly support internal and external messaging related to the incident,” he explained.
“Depending on the incident, organisations should pre-plan their internal briefing requirements to the board and the frequency and detail of those updates. For external messaging, organisations should work with external partners such as counsel and PR organizations to begin drafting an appropriate hold statement as well as media release should notification be needed prior to the conclusion of the investigation.”
SANS’ Fuchs urged IR teams not to act too quickly, especially if they don’t yet know how the attacker got in.
“Find all ways the attacker might have into your network. Try to develop intelligence about the attacker as you investigate, that helps you when they come back. Figure out what they were looking for and what they have already exfiltrated,” he advised. “Conduct a full investigation and then execute the remediation plan on a weekend where you disconnect the whole organisation from the internet.”
Post IR processes are also vital in helping build long-term resilience.
“If they didn’t get what they were there for, they will return,” warned Fuchs. “Find better ways to detect them and avoid them getting back in the same way they did the first time.”
PwC’s Joyce recommended organisations conduct an IR “post-mortem”.
“The results of this may lead to revisions of the incident response plan, policies, procedures, and key reporting metrics; additional training for the board, executives, staff; and additional investments in technologies in the organisation’s efforts to mitigate risk and evolve with the constantly evolving cyber threat,” he concluded. “In addition, organisations can schedule table-top exercises to provide training opportunities for all key internal and external stakeholders whose support will be needed in response to an incident. Table-tops provide opportunities to evaluate an organisation’s incident response plan and to assess key components such as escalations, internal and external communications, and technical proficiency of the incident response team.”
Spent a fascinating day at Intel’s Penang facility a week ago today with The Register. Up until now it’s been something of a hidden gem for Chipzilla but, as the largest plant outside of the US, it’s a key part of its Asia and global operations.
So exactly why is it such a big deal for Intel? Well it was its first ever foray outside the US some 40-odd years ago and now employs over 6,000 designers and engineers. Crucially it acts as a hub for Intel’s other plants across Asia, providing training and support for engineers from newer facilities in Chengdu, Bangalore and most recently Vietnam.
As if any more proof were needed of its importance to Intel, the firm’s global VP of the Technology and Manufacturing Group, Robin Martin, is based there.
We learned that having everything from product development and design to testing and manufacturing on one site means the firm can respond much quicker to changing market demands and keep up with faster development cycles demanded by today’s mobile computing trends.
Perhaps an even more interesting story, though, is the emergence of Malaysia and Penang as an IT destination during the past 40 years. I spoke to Datuk Noharuddin Nordin, CEO of MIDA, the government’s investment and development agency, who admitted that the reason Intel was lured to the country in the early ‘70s was purely based on cost.
However, the government has taken that early investment and managed to grow it, attracting more big electronics MNCs with skilled labour, solid IPR protection and cheap land.
“We must remember MNCs come here because they want the greatest margins,” he said. “We have to anticipate what’s round the corner and create systems which will help to prepare for that.”
It’s not done a bad job. Intel on its own has invested $4bn in Malaysia over the past 40 years and other big names including Motorola, AMD, Western Digital, Renesas, Bosch and many more have all joined Chipzilla in Penang. Nordin claimed such investment has managed to help to move local firms up the value chain, nurture world class IT talent in Malaysia’s universities and attract MNCs from other related industries like aerospace, medical equipment and automotive.
As we walked through the old colonial streets of Georgetown that evening I couldn’t help but think Penang has come a long way since its days as a British East India Company trading port.
Whether it can continue to lead in the future remains to be seen, with hugely ambitious Asian rivals like China coming up fast. However, alongside Taiwan, Malaysia has something of a first mover advantage in Southeast Asia which will be hard to match in the near-term.