Incident response will continue to be an important cybersecurity priority in 2021 and beyond. We took a moment to get some insights into the incident response landscape from Motorola Solutions Senior Consultant Ryan Clancy following our recent webinar with Dark Reading on this topic.
Here’s part I of our incident response discussion.
Motorola Solutions: With the steady rise in ransomware and other threats, it seems like more organizations are allocating resources to incident response (IR) preparedness, whether through internal or external means. Is that something you’re seeing?
Ryan: I agree. I think there has been a switch to focus more on incident response readiness because you’re getting a lot of bang for your buck. You can buy a hundred different tools to do a hundred different things, but there are ways for the bad guys to navigate around those tools. They’re going to find a way to get inside somehow, so it makes sense to prepare your staff for how to respond when that happens.
As a defender, you need to be right all the time; an adversary only needs to be right once. The odds are against you as a defender. Therefore, the odds are that you will have a cybersecurity incident at some point. That’s going to affect the functionality of your agency or business, the confidentiality, integrity or availability (CIA) of your information, and the recoverability of your data and business processes. Reputational harm is another area of concern, although the impact will vary depending on your sector and business.
For every dollar you devote to incident response readiness, you invest in people, processes and technology to not only resolve an incident faster when one happens, but to improve your steady-state security capabilities. It’s like buying a jet ski that you’ll use for fun, but you’ll also be riding it to work.
MS: How are organizations devoting their resources to handle incident response? Is there a split between handling IR externally and internally? Where do managed security service providers (MSSPs) fit in this?
Ryan: That’s a good question – the answer really depends on the industry, organization size and geography. Some geographic regions or markets, such as public safety agencies or state and local governments, have a harder time finding cybersecurity talent than others, so they might need to outsource their requirements.
The answer may not be obvious, so I encourage you to get input from your staff, risk managers and even outside consultants to help you figure out what solution would work best. The solution can be everything from designating certain employees to be part of your internal IR team, to building your own security operations center (SOC) – which is a costly proposition – to outsourcing to a vendor that specializes in this area or to an MSSP that offers IR or partners with firms that do – or some combination of options. “Doing nothing” is on the table as well, though I think that solution will be untenable even if you have a high risk tolerance.
In terms of where MSSPs come into play, ideally you’d already be working with one and have 24/7 managed detection and response in place as part of your security program before an incident happens. If you don’t, and you have a data breach or other incident, I’d strongly recommend engaging an MSSP that can set up monitoring for you as soon as possible. An MSSP with an experienced SOC team can be on the lookout for ongoing indicators of compromise that may indicate an attacker is still in your network. Getting rid of any lingering issues or lurking attackers is a common problem when you’re compromised, and an MSSP can contain or eliminate any additional vulnerabilities they find.
MS: How do budget needs impact incident response effectiveness?
Ryan: If we’re talking about a steady-state plan for incident response, I’ve seen the residuals of higher budgets. For instance, I’ve seen higher investments made in people and technology. People and technology can be tradeoffs. Sometimes you can find a technology to substitute for a person, but it’s not always a one-to-one substitution.
I’ve seen imbalances between people and technology, where there are organizations that have enough technology to sink a cruise ship but not enough knowledgeable people to operate that technology. This can be particularly true in the public safety sector where resources are already stretched very thin. Given the shortage of cybersecurity professionals, there has been more demand for technology to fill that gap, so we are seeing smarter technology with more automation.
That pressure has been good and bad. It’s been good because this technology is generally being put to use, but it’s been bad because there are a lot of dollars chasing after these products. The products don’t have to be great, but people will still buy them. That’s why it is important to do your homework and work with reputable vendors.
MS: What are some of the common questions you get about incident response planning and remediation?
Ryan: First off, who should be involved? Who should be notified and when? Those two questions are number one and number two on the list. There’s no standard answer. You have to consider what the organization does and identify the key players across all operational networks.
For instance, agencies might have a 9-1-1 call center system and administrative networks – typically, those are separated. If you work in oil and gas or energy, for example, the industrial control system (ICS) will absolutely be separated. You need all of those players together when considering an incident response plan. When an incident happens in one network, the other network needs to be alerted and perhaps even respond with protective measures. Additionally, having non-technical stakeholders such as public affairs, legal, and human resources involved is critical.
Another big question I get: “When do I involve the police or law enforcement?” If you foresee pressing charges in the future or if you want to collect evidence to press charges, they should be involved. Usually, your legal advisor will make that decision, so get your legal advisor involved early to help you determine whether you should collect evidence and press charges.
Collecting evidence takes time and slows down your response process. It takes time and resources to collect the evidence in a forensically sound way and preserve it using chain of custody practices. Those steps aren’t free, cheap or easy. It can be an additional burden when trying to resolve an incident. The rules for notifying law enforcement of a data breach vary by industry, and are determined by a mix of federal laws and state legislation.
MS: Depending on the type of incident you have, there can be a lot of people involved, which can complicate the remediation process. What’s your advice on this?
Ryan: There’s a sweet spot of people who should be brought into the incident response process. Should you include only your technical staff? No. Should you involve everyone? No. Both ends of the spectrum are wrong. I’ve worked with companies that want to drag in everyone plus their hairdresser and psychic the second an SQL injection is detected. In contrast, I’ve seen other companies that have failed to include their Human Resources department even when an incident involved an employee or contractor.
Also, it’s going to depend on what’s going on with the incident. For example, a lot of organizations have cyber insurance now. I highly recommend having your cyber liaison involved sooner rather than later. Notifying your insurance provider is a critical metric – they aren’t going to start covering your expenses until you notify them, even retroactive costs. Recently I’ve noticed some policies will cover retroactive incidents. I’ve been really surprised to see that. Some cover incidents up to 10 years back.
Additionally, your cyber insurance provider will likely have a set of pre-approved vendors for you to use including incident managers, forensic responders and public affairs assistance. It makes all kinds of sense to take a look at that list on an annual basis and review which vendors you can mobilize quickly.
MS: What are some common mistakes you see?
Ryan: The most common mistake I’ve seen is not communicating with internal staff when there is a cybersecurity incident. Most organizations are composed of people, and people want to talk. That’ll foster an environment where rumors spread. To squelch those rumors upfront, don’t simply tell employees to stay quiet. That won’t be feasible. I recommend telling employees whatever truth you have at the time. You will have performed an investigation by this point, so let your staff know as much as you can while you’re still figuring out all the facts. Make employees feel a part of what is going on and make them aware of how they can help.
I not only recommend being transparent with your internal staff, but also providing them with talking points to answer questions from the press, and clearly identifying who is allowed to speak with the press and where to funnel questions. If the press finds out about the incident, they’re not going to want to talk to public relations – they’ll want to talk to the people leaving the building after work. Maybe that talking point is “no comment,” but you need to reinforce that point. This just takes the tension off of everyone when reporters swamp your parking lot.
Access our on-demand webinar now on Building an Incident Readiness and Response Playbook.
Stay tuned for Part II of our Q&A with Ryan, as we explore his thoughts on incident response playbooks and key trends he sees for the rest of 2021 and beyond.