Light Dark
January 3, 2018 By Douglas Bonderud 6 min read
Incident Response
CISO

On Dec. 13, The Wall Street Journal brought its Pro Cybersecurity Executive Forum to New York, and the response was overwhelming. The sold-out event welcomed a healthy mix of C-suite executives and IT decision-makers who were ready and eager to learn.

I recently had a chance to catch up with Christopher Scott, global remediation lead for IBM’s X-Force Incident Response and Intelligence Services (IRIS) team, whose session tackled the critical topic of incident response. Scott said that audience members recognized that the road to better incident response is “a marathon, not a sprint.” He also noted that when he read the room, he got the sense that “these executives really understand what’s going on.”

Five Expert Tips to Improve Incident Response

While there’s no silver bullet for incident response, Scott argued that the right processes and people make all the difference. Ultimately, that’s what executives are looking for: ways to bridge the gap between existing response efforts and best-of-breed solutions.

Here’s what Scott named as the five key tips for improving enterprise incident response.

1. Better Intelligence

From health insurance providers to large telecommunications companies and credit reporting agencies, 2017 was a banner year for data breaches. This boon is no surprise — and neither is the fact that enterprises aren’t interested in focusing on the fear and stress that comes with a potential breach. Instead, they want better ways to respond.

For Scott, that starts with improving threat intelligence. This means leveraging tools that help companies identify specific risks rather than trying to guard against more nebulous attacks, which could take any shape or form since threat origin impacts the type of risk. Scott noted that “if you’re the target of a nation-state actor, for example, that’s going to change your design, security tools, processes and people, versus if your most common issues are ransomware and people clicking on links they shouldn’t be.”

Internal network controls, such as advanced firewalls, can help mitigate the impact of nation-state actors looking to compromise or steal data, while endpoint monitoring technology may be of more use in identifying and impeding malicious (or accidental) insider threats. Put simply, improved incident response demands better threat intelligence. Knowing what they face can help enterprises best determine how to protect their data.

Related: Incident Response and Threat Intelligence: A Potent One-Two Punch to Fight Cybercrime

2. Educated Endings

Scott didn’t mince words when he proclaimed that “risk will always exist.” Money spent, teams trained and processes improved can never eliminate the underlying risk of a data breach.

What matters most is what enterprises can learn from data breaches — both their own and those suffered by other organizations. From the outside looking in, it’s easy to see where mistakes are made and where better solutions could have been implemented. But how do enterprises improve their own outcomes when they’re the victim instead of the observer?

According to Scott, it’s about knowing when to pull the plug — when to declare a data breach investigation over and close up shop. His advice: “Focus on indicators you know about, and if you can’t find anything else, close up.” In other words, if the security team has taken its investigation as far as possible and can no longer find any evidence of common risk indicators, it’s not worth spending the money to keep the investigation running.

Opting for an end date, on the other hand, gives security teams and C-suites the chance to debrief, analyze discovered data and create new plans to better manage the next incident. According to Scott, the “lessons learned” phase only occurs after an investigation closes. If it never concludes, there’s never a chance to improve incident response outcomes.

3. Insider Improvements

While enterprises tend to focus on external issues, such as malware, ransomware and new fileless attacks, insider threats account for the lion’s share of data breach issues. In fact, Bloomberg argued that insiders could be the most pressing corporate cybersecurity risk in 2018.

The challenge, as Scott noted, is that “you’re never going to stop the insider threat,” in large part because enterprises can’t effectively monitor staff actions 24/7. Scott used the example of a computer screenshot: Users with privileged access could screenshot enterprise data on authorized devices at home, then distribute or sell this information at will while enterprises remain blissfully unaware.

The first step toward mitigating this problem is to answer key questions, such as:

  • Where do I keep the keys? Where is critical data stored and how is it protected? Enterprises need to know exactly where their data is stored and what total risk exists if networks are compromised.
  • How much access do employees have? Who has access, why and for how long? While access is necessary in a mobile-first world, solutions to track and monitor employee actions on corporate systems are essential.
  • Is the policy need-to-know or want-to-know? If it’s the latter, design for the former: Data should only be accessible to those who need it for specific purposes.

Scott also noted that it’s imperative to trust your people. While it’s impossible to eliminate every insider threat, lack of trust damages corporate morale and can send highly valuable security experts into the waiting arms of other organizations.

Last but not least, insider issues aren’t just a security problem. In fact, Scott argued that human resources, security and IT must be “tied at the hip” to limit the risk of insider threats.

Learn More About IBM’s Incident Response and Intelligence Services

4. ROR, Not ROI

What’s the best way to measure the impact of incident response? Spoiler alert: It’s not return on investment (ROI). Security solutions never pay back what executives invest, since that’s not the intended outcome. So how can companies better evaluate the impact of their efforts and justify security budgets?

According to Scott, “Security is a very hard conversation for ROI.” Security teams need to identify risks to their organization as well as “true risks” — those with higher likelihoods and greater impacts — to design their response plans. Next, they must understand their data. While most data is equal, specific pieces or sets of information might require more robust protection. Other considerations include cloud/local storage decisions and the need to partner with other security or infrastructure organizations.

Scott said he considers that ROI conversation futile. Instead, he advocated for a new metric: reduction of risk (ROR). This addresses the true function of incident response and security tools. The challenge is that ROR is hard to measure and even harder to quantify.

Consider whether it would be reasonable to leave an enterprise office space full of high-value desktops, printers and other technology without the benefit of a physical alarm system. Of course it wouldn’t — both insurance and law enforcement agencies advocate for alarm systems as security measures that never offer ROI, only ROR. So why is it reasonable to leave networks and databases unguarded? By spending on effective security controls, it’s possible to mitigate the impact of a data breach — or, ideally, to prevent the breach from ever occurring.

Scott proposed a further refinement: security intelligence tools that improve threat detection and response. Looking for a physical analog? Think high-definition cameras and motion detectors, which can help reduce false positives and provide law enforcement with actionable insight if a breach occurs.

5. Honesty Is the Best Policy

What happens when a data breach occurs? Make no mistake, this is a question of when, not if. Scott said he subscribes to the simple notion that honesty is the best policy — in context. For example, recent disruptions in the shipping industry came with limited impact for consumers at large. As a result, complete public transparency about breaches and outcomes wasn’t required. Instead, company time was better spent addressing critical issues and improving overall resiliency.

Given the number of companies now handling personal and confidential information, however, there’s a much higher likelihood that full transparency after a data breach is required. To Scott, this means “having an ability to speak to the public, knowing what the likely questions will be and identifying responses to those questions.”

The next step is to build out a response plan that defines critical actions, identifies specific employees who will speak on behalf of the company, and addresses region- and data-specific requirements. For example, individual states have differing requirements about what types of breaches require notification and who must be notified, and new legislation introduces complications for companies processing and handling data overseas. By creating a documented response plan and regularly testing and updating it to account for emerging regulations, enterprises can ensure that honesty is both the best and the most effective policy for withstanding the public aftershocks of a data breach.

A Long Road Ahead

When asked about the future of incident response, Scott said that “companies are becoming more proactive,” conducting both cyber range simulations and tabletop exercises to improve their response capabilities and discover new strategies. It’s a long road ahead and there’s no way to fully eliminate corporate risk, but the right enterprise strategies can help minimize data breach impacts, change C-suite perspectives and improve long-term outcomes.

Listen to the podcast: 5 security predictions that will take hold in 2018

 |  |  |  |  |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from Incident Response
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature