On Dec. 13, The Wall Street Journal brought its Pro Cybersecurity Executive Forum to New York, and the response was overwhelming. The sold-out event welcomed a healthy mix of C-suite executives and IT decision-makers who were ready and eager to learn.
I recently had a chance to catch up with Christopher Scott, global remediation lead for IBM’s X-Force Incident Response and Intelligence Services (IRIS) team, whose session tackled the critical topic of incident response. Scott said that audience members recognized that the road to better incident response is “a marathon, not a sprint.” He also noted that when he read the room, he got the sense that “these executives really understand what’s going on.”
Five Expert Tips to Improve Incident Response
While there’s no silver bullet for incident response, Scott argued that the right processes and people make all the difference. Ultimately, that’s what executives are looking for: ways to bridge the gap between existing response efforts and best-of-breed solutions.
Here’s what Scott named as the five key tips for improving enterprise incident response.
1. Better Intelligence
From health insurance providers to large telecommunications companies and credit reporting agencies, 2017 was a banner year for data breaches. This boon is no surprise — and neither is the fact that enterprises aren’t interested in focusing on the fear and stress that comes with a potential breach. Instead, they want better ways to respond.
For Scott, that starts with improving threat intelligence. This means leveraging tools that help companies identify specific risks rather than trying to guard against more nebulous attacks, which could take any shape or form since threat origin impacts the type of risk. Scott noted that “if you’re the target of a nation-state actor, for example, that’s going to change your design, security tools, processes and people, versus if your most common issues are ransomware and people clicking on links they shouldn’t be.”
Internal network controls, such as advanced firewalls, can help mitigate the impact of nation-state actors looking to compromise or steal data, while endpoint monitoring technology may be of more use in identifying and impeding malicious (or accidental) insider threats. Put simply, improved incident response demands better threat intelligence. Knowing what they face can help enterprises best determine how to protect their data.
2. Educated Endings
Scott didn’t mince words when he proclaimed that “risk will always exist.” Money spent, teams trained and processes improved can never eliminate the underlying risk of a data breach.
What matters most is what enterprises can learn from data breaches — both their own and those suffered by other organizations. From the outside looking in, it’s easy to see where mistakes are made and where better solutions could have been implemented. But how do enterprises improve their own outcomes when they’re the victim instead of the observer?
According to Scott, it’s about knowing when to pull the plug — when to declare a data breach investigation over and close up shop. His advice: “Focus on indicators you know about, and if you can’t find anything else, close up.” In other words, if the security team has taken its investigation as far as possible and can no longer find any evidence of common risk indicators, it’s not worth spending the money to keep the investigation running.
Opting for an end date, on the other hand, gives security teams and C-suites the chance to debrief, analyze discovered data and create new plans to better manage the next incident. According to Scott, the “lessons learned” phase only occurs after an investigation closes. If it never concludes, there’s never a chance to improve incident response outcomes.
3. Insider Improvements
While enterprises tend to focus on external issues, such as malware, ransomware and new fileless attacks, insider threats account for the lion’s share of data breach issues. In fact, Bloomberg argued that insiders could be the most pressing corporate cybersecurity risk in 2018.
The challenge, as Scott noted, is that “you’re never going to stop the insider threat,” in large part because enterprises can’t effectively monitor staff actions 24/7. Scott used the example of a computer screenshot: Users with privileged access could screenshot enterprise data on authorized devices at home, then distribute or sell this information at will while enterprises remain blissfully unaware.
The first step toward mitigating this problem is to answer key questions, such as:
- Where do I keep the keys? Where is critical data stored and how is it protected? Enterprises need to know exactly where their data is stored and what total risk exists if networks are compromised.
- How much access do employees have? Who has access, why and for how long? While access is necessary in a mobile-first world, solutions to track and monitor employee actions on corporate systems are essential.
- Is the policy need-to-know or want-to-know? If it’s the latter, design for the former: Data should only be accessible to those who need it for specific purposes.
Scott also noted that it’s imperative to trust your people. While it’s impossible to eliminate every insider threat, lack of trust damages corporate morale and can send highly valuable security experts into the waiting arms of other organizations.
Last but not least, insider issues aren’t just a security problem. In fact, Scott argued that human resources, security and IT must be “tied at the hip” to limit the risk of insider threats.
4. ROR, Not ROI
What’s the best way to measure the impact of incident response? Spoiler alert: It’s not return on investment (ROI). Security solutions never pay back what executives invest, since that’s not the intended outcome. So how can companies better evaluate the impact of their efforts and justify security budgets?
According to Scott, “Security is a very hard conversation for ROI.” Security teams need to identify risks to their organization as well as “true risks” — those with higher likelihoods and greater impacts — to design their response plans. Next, they must understand their data. While most data is equal, specific pieces or sets of information might require more robust protection. Other considerations include cloud/local storage decisions and the need to partner with other security or infrastructure organizations.
Scott said he considers that ROI conversation futile. Instead, he advocated for a new metric: reduction of risk (ROR). This addresses the true function of incident response and security tools. The challenge is that ROR is hard to measure and even harder to quantify.
Consider whether it would be reasonable to leave an enterprise office space full of high-value desktops, printers and other technology without the benefit of a physical alarm system. Of course it wouldn’t — both insurance and law enforcement agencies advocate for alarm systems as security measures that never offer ROI, only ROR. So why is it reasonable to leave networks and databases unguarded? By spending on effective security controls, it’s possible to mitigate the impact of a data breach — or, ideally, to prevent the breach from ever occurring.
Scott proposed a further refinement: security intelligence tools that improve threat detection and response. Looking for a physical analog? Think high-definition cameras and motion detectors, which can help reduce false positives and provide law enforcement with actionable insight if a breach occurs.
5. Honesty Is the Best Policy
What happens when a data breach occurs? Make no mistake, this is a question of when, not if. Scott said he subscribes to the simple notion that honesty is the best policy — in context. For example, recent disruptions in the shipping industry came with limited impact for consumers at large. As a result, complete public transparency about breaches and outcomes wasn’t required. Instead, company time was better spent addressing critical issues and improving overall resiliency.
Given the number of companies now handling personal and confidential information, however, there’s a much higher likelihood that full transparency after a data breach is required. To Scott, this means “having an ability to speak to the public, knowing what the likely questions will be and identifying responses to those questions.”
The next step is to build out a response plan that defines critical actions, identifies specific employees who will speak on behalf of the company, and addresses region- and data-specific requirements. For example, individual states have differing requirements about what types of breaches require notification and who must be notified, and new legislation introduces complications for companies processing and handling data overseas. By creating a documented response plan and regularly testing and updating it to account for emerging regulations, enterprises can ensure that honesty is both the best and the most effective policy for withstanding the public aftershocks of a data breach.
A Long Road Ahead
When asked about the future of incident response, Scott said that “companies are becoming more proactive,” conducting both cyber range simulations and tabletop exercises to improve their response capabilities and discover new strategies. It’s a long road ahead and there’s no way to fully eliminate corporate risk, but the right enterprise strategies can help minimize data breach impacts, change C-suite perspectives and improve long-term outcomes.