Incident response (IR) will continue to be an important cybersecurity priority for many organizations in 2021. We took a moment to get some deeper insight into the IR landscape from Motorola Solutions Senior Consultant Ryan Clancy.
Here’s part II of our discussion (you can find part I here).
Motorola Solutions: There have been some discussions in incident response circles about moving away from traditional IR playbooks. Advocates for data science and automation have emerged in the past few years. What are your thoughts?
Ryan: I am a fan of data science and automation approaches. Here’s why I’m not a huge fan of keeping a gigantic library of IR playbooks. They take a lot of time to create and can get outdated very quickly. Any time you get a new employee, a new process or a new technology, your playbook becomes out of date, and you have to make updates. Who likes making those updates? Who likes going back and updating documentation?
There are a few exceptions to this, for instance if you are part of an organization whose response processes are highly distributed, or if you need to follow IR steps daily. In those cases, it might make sense to have more than just a handful of playbooks for your employees to follow for standardization purposes.
An alternative solution that isn’t so maintenance-heavy would be a welcome change. I’m not totally anti-playbook, but playbooks have a lot of limitations, and my suggestion would be to limit the number you keep and maintain. Playbooks for IR take a long time to get right, and they’re not always used in practice. You would think it’d be easy to make updates, but it never ends up going that way.
MS: When it comes to updating playbooks, is the problem that there are usually too many people giving input? Would hiring a documentation manager streamline the process?
Ryan: One of the challenges of hiring knowledge managers or document managers is they don’t always know what’s being said in the room and don’t always know what’s important to capture. They can certainly learn those skills over time, but they may not have those skills in the beginning.
Another problem with playbooks is that they never cover every case. For example, just looking at recent events in the news, there have been complex breaches involving multiple layers of exploitation. It’s fine that one playbook won’t cover every step of the process; however, odds are that there will be at least one remediation step for which you won’t have a playbook.
Also, a lot of compromises are based on stolen credentials. You can’t really follow a cybersecurity incident playbook to find a solution to those compromises. If credentials are stolen, you’d reset the credentials – you wouldn’t need a playbook to tell you that. The subsequent steps to ensure the credentials aren’t stolen again vary so greatly it would be difficult to create a playbook for each of them.
Ultimately, I find maintaining a large number of playbooks either way overkill or way underkill. I’d be more optimistic if there were documentation systems that provided sturdier support for the velocity of changes that occur in security. That’s not to say that IR playbooks don’t have their place. I would encourage an organization to keep a half-dozen playbooks for high-likelihood incidents, for steps involving a critical system, or for a set of response actions that you want highly standardized. Anything more than a handful of playbooks for small and medium-sized organizations becomes too unwieldy to maintain.
MS: Shifting gears a bit, incident response directly impacts chief information security officers (CISOs) and people in CISO-type roles, even if they don’t have that title. If you were to advise a new CISO on how to handle incident response program development, what would you recommend?
Ryan: I would offer a couple of pieces of advice. If you’re starting a new program, pick the right people for your team, specifically people who are response-minded. It’s also important to practice, practice, practice. Exercise internally. Here’s why: for a lot of CISOs, when an incident occurs, it’s the first time they’ve had to handle a challenge of that scale. It would be like asking someone who’s only ridden a bike to suddenly drive a NASCAR race car.
That’s why practice is so important. It can simply be an internal cyber exercise program; the exercises don’t have to be complicated. You can spend an hour or two with your team, go through scenarios and walk them through the steps of your process. Yours will vary, but it should start with rounding up all the information you can find. Then you need to make a decision based on that information and classify the incident appropriately. From that point forward, you should notify senior managers or senior reviewers. Once you have your team together, you can go forward to remediate the incident.
It’s important to practice all these initial steps and make sure you document the main points in your incident response plan. There’s a difference between a plan and a playbook – a playbook works within the overall incident response plan to distinguish key specific response tactics, typically directed towards an identified system, exploit or specific scenario.
MS: Thanks for those helpful tips. Do you have any incident response predictions to share with us for the rest of the year and beyond?
Ryan: Ransomware, as measured both by number of incidents and by amount of money demanded, has been rising steadily for the past five years. We don’t see this trend abating anytime soon. I solidly recommend including a ransomware scenario in your next tabletop exercise if you aren’t already doing that. Review what your leadership’s risk tolerance is concerning paying the ransom, as well as what your cyber insurance’s stance is on ransomware payments.
Privacy and privacy breaches are going to continue to garner more of our attention. As the COVID-19 pandemic continues, governments and private companies are requesting more data, and therefore storing more Protected Health Information (PHI), so they’re obligated to protect it. Multiple states have privacy legislation pending that could have some enforcement teeth to it. None of the pending legislation appears to be more robust than the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA); it is rather a “light” version of both of those documents.
Finally, we’re seeing strong demand for both incident response and compliance in the public safety sector. This is partially due to grants available from the Department of Homeland Security (DHS) as well as other money tied to COVID-19 stimulus. There have been several incidents this past year, some involving ransomware, that have targeted public safety, and this has state, county and city CIOs focusing on incident management preparedness or seeking to get their information security program in alignment with a framework such as National Institute of Standards and Technology (NIST) 800-53, NIST CSF, ISO 27001 or CIS 7.1.
State and local governments and public safety agencies may not have the easiest time finding cybersecurity talent to handle incident response internally, so outsourcing to a managed security services provider is one solid option. MSSPs can also be a much more cost-effective option for organizations.
Learn more about Motorola Solutions’ managed security services for public safety agencies here.
To learn more about incident response program development, check out our guide, “Best Practices for Integrating Incident Response and Business Continuity Programs.”