Building Effective Incident Response
Resilient's Fay on How to Prepare for Cyber-Attacks
Most often, a breach of computer or network security is treated as an engineering problem, and companies try to solve it by applying technology.
But this approach is clearly failing in the face of modern cyber-threats, says Gene Fay, US-based vice president, systems engineering and technology sales, at Resilient Systems, an incident response platform provider.
Fay acknowledges that many CISOs focus on preventing attacks and, when one is detected, only on alerting the teams. They don't readily pursue result-oriented action.
"The top management is always impressed by action towards resolving the business crisis and protecting risks, not about knowing about it or tightening security," he says.
"The first step is a thorough understanding of which resources are most critical for business operations," Fay says. "Planning to protect these takes iterative testing and refinement of the response plan."
In this interview with Information Security Media Group, conducted at the RSA Conference Asia Pacific & Japan, held recently in Singapore, Fay discusses the importance of having an incident response model to combat cyber-threats. He also elaborates on:
- Response to new threats;
- New security innovations;
- Putting up an effective incident response plan.
Prior to Resilient, Fay founded FVF Partners, which helped CEOs and senior managers refine their sales and marketing strategies. He also was VP, worldwide sales and global alliances, for the security information and event management business unit of RSA, the security division of EMC.
GEETHA NANDIKOTKUR: Enterprises across the Asia Pacific region suffer security breaches and newer forms of threats. How critical are these threats? How are they affecting organizations?
GENE FAY: You're right; threat vectors are changing and becoming complex. The type of incidents is changing. The irony is the bad guys have an unlimited budget and the ability to execute criminal activities around the network. They threaten security teams in technology, time and prevention. So, organization expectations are changing. Teams must change their approach. The new incidents force stakeholders to empower security teams and build a resilient incident response mechanism. Security teams must go beyond traditional methods using technology to treating people as assets in developing an ideal framework. Customers don't believe a breach affects organizations in many forms, and the impact - if measured - can result in huge costs. Security teams can't keep pace with the growing sophistication; and due to their inflexible architecture.
NANDIKOTKUR: What innovations can Asia Pacific teams adopt?
FAY: CISOs must believe innovations are taking place to prevent breaches and try to tap into those. The innovation has been more about making security practitioners accept they must innovate and think out-of-the-box to prevent or pre-empt breaches and work on a model. For instance, our CTO Bruce Schneier worked to bring architectural level changes as a stepped approach and over time make changes at the backend to develop a resilient architecture. The innovation is in:
- Security: The effort in arming incident response teams with workflows, intelligence and deep-data analytics to take a collaborative approach.
- Privacy: Based on regulatory requirements, focus on breach preparation, assessment, and management - turning a lengthy, tedious and expensive process into one that's efficient, compliant, and always up-to-date. Lessons on mapping regulatory requirements to the many events organizations routinely experience.
- Action: Creating an incident response bug by exploiting the potential of existing systems to integrate with and synthesize data from existing technologies, including prevention, detection and forensics systems.
The effort is to evangelize that the way to build resilient security is with vigilant, adaptive, relentless defense by experts (people, not products). There are no magic preventive countermeasures against crime in the real world; we are all reasonably safe, nevertheless. Bring that thinking to the Internet.
The Ideal Incident Response Plan
NANDIKOTKUR: What should be the ideal incident response framework? Where does Asia Pacific stand?
FAY: Most CISOs have only focused on protection and detection, not incident response management. Over 50 percent of the time is spent on reporting the incident after it occurs to the top management or stakeholders, not working on the incident. Since they don't have adequate infrastructure, they can't address it meticulously.
It's critical to focus on four aspects: prepare, assess, manage and mitigate. Build a technology-agnostic platform helping connect to threat intelligence or detection systems, and enable a quicker, more effective response. Include a policy that sets the parameters, severity and standards for when / how an incident is declared. This defines the criteria for a major and minor incident type and sets the procedures to be followed. Include any third-party or vendor incident response procedures if likely to be involved.
Incident response plans require extensive documentation, testing and validation before they can be called reliable. They go stale over time and must be refreshed annually, or whenever the organization makes major changes.
An enterprise must consider its dynamic action plans, automated intelligence feeds and comprehensive reporting, which make big teams better, and small teams big.
NANDIKOTKUR: What are the best practices to defend and thrive in this scenario?
FAY: There are a couple of them CISOs must be cautious about:
- Assessing internal platforms (a list of assets, network diagrams, key resources and support services) is important;
- It's important to understand who is in charge. Roles, responsibilities and authority should be defined in advance;
- Policy-granting authority needed to fulfil the roles of team members must be clearly communicated;
- An incident response plan is only as good as its communications network. Time is of the essence; communication networks tend to be the first to break down;
- Incident response management is done by junior people. But a process must be created by strategic thinkers and defined at a corporate level.