There is no one-size-fits-all answer, and no silver bullet exists to keep us impenetrable. This article recommends a list of actions to be carried out diligently, together with useful tips for managing the Prevent/Detect/Respond lifecycle. It aims to alleviate tight cyber situations that may lead to a potential breach or incident.
You don't burn out from going too fast. You burn out from going too slow and getting bored. - Cliff Burton, Musician
In my earlier article on the impact and learning points from various affected industry sectors, it begs the question whether adopting cybersecurity measures is enough to stay immune from a cyber crisis.
Simply put, NO, implementing cybersecurity alone is not enough.
In a survey, one of the few significant findings stated that 58% of the polled IT security pros are not confident that their network has never been breached by a foreign state-sponsored attack or advanced persistent threat, and 59% of respondents think a state-sponsored attack will attempt to breach their organization in the next six months. Most organisations are neither ready nor confident that they can handle a breach when it happens.
Why Security and Trust matter
The organisation needs an action plan to secure and build trustworthy processes. This is not about choosing either security or trust, but rather combining the two to achieve a positive outcome. Most organisations stumble in finding the right means to build trustworthy exchanges between individuals, teams and partners. There is a lack of rigorous self-assessment that establishes a pragmatic set of trust thresholds using verifiable data. Instead, trust is currently based on assumptions and not aligned to the organisation's business context.
Where to start to "operationalise" an action plan?
Ultimately, the goal is to reduce the organisation's exposure to the next incident. In the long run, we must instil the discipline to fine-tune operational plans and assessment metrics, so as to achieve higher trust in a consistently secure fashion. To do that, we should address at minimum three key priorities to set the right direction moving ahead.
(A) "Preventive" phase - constant monitoring and review
Verify that processes, procedures and policies are being followed diligently. Do not assume they are. These are no longer compliance-based or board-level managed activities only; this is day-to-day survival.
Build a risk-based and scalable cyber security strategy:
- Identify the organisation's assets, and highlight critical assets susceptible to internal and external threats.
- Observe and understand why and how security controls are deployed in the ICT operating environment.
- Rectify security oversights such as mistakes made by uninformed developers.
- Reduce risk by isolating critical assets to reduce their exposure, for example through strict system segmentation and access control segregation. This also helps containment when a breach occurs.
- Define the critical security events and align them with business and ICT priorities.
- Enforce a periodic verification and validation process consistently across all ICT systems (internal and external facing).
- Establish crystal clear, concise statements of roles and responsibilities from system owner to operator level.
- Build security awareness throughout the organisation. Everyone should know their role in the event of an incident.
- Create trained and competent security teams, and exercise their security roles through cyber drills and security exercises.
- Document all the activities, processes and workflows described in the points above, together with management.
(B) Detect phase - situation awareness and actionable intelligence
Identify and reach out to the information governance team. Leverage relevant threat intelligence involving the organisation's business, including potential threats that can affect the organisation directly or indirectly. Always trust but verify, and review the effectiveness of existing detection mechanisms:
- Do not follow best practices "blindly", as doing so can unintentionally break existing detection sensors or trigger unnecessary false positives.
- Always re-validate, and compare only against the latest normal-behaviour baseline to identify relevant deviations and anomalous activities. This also avoids a false sense of security.
- Identify potential indicators of compromise, and assess their impact and significance.
- Roll out quick and relevant stop-gaps and mitigation measures to contain the damage promptly and effectively.
- Follow up concurrently with a remediation plan to address all vulnerabilities and gaps (and their possible future recurrence).
- Verify existing real-time network/service monitoring, and explore in-depth artifact analysis or brand and social affiliation monitoring.
- Review related automated ICT systems to gain greater visibility into potential wayward activities.
- Deter intrusion efforts. Form a trusted network of peers to share intelligence.
- Assess open sources such as the SANS Internet Storm Center or a Computer Emergency Readiness Team (CERT), and consider joining a security community.
- Formalise and document all security controls and mechanisms for subsequent verification and validation.
- Augment existing intelligence with new feeds, but consider the scope below to maximise their value:
  - where and how often these additional feeds are updated with relevant threat information;
  - what false positive rate is acceptable; and
  - how to effectively leverage and act on this new intelligence.
(C) Response phase - impact analysis and robust recovery
Act according to your incident-response plan. A good starting point is the ENISA guideline for the management of network and information security incidents. The utmost priority is to make changes to the networks quickly and effectively, to contain further damage and recover from the incident expeditiously. Do not neglect key activities such as root cause analysis on all findings, and conduct knowledge sharing during the after-action review; this, together with timely notification to local regulatory agencies, must be incorporated.
Divide and conquer, and be open-minded during this period:
- Do not fall into automation overdrive.
- Prioritise vulnerabilities correctly and do not send anyone on a wild goose chase.
- Keep users (including top management) updated. They depend on these updates to make informed decisions.
- Stay open to ideas and learn from experience what works and what does not.
- Eliminate past strategies and tactics that have proved ineffective.
- Start work on contingency plans, and get them approved.
- Review interim recovery stop-gap controls or workarounds. They need to be revised and blended into the next disaster recovery plan with the actual required risk control measures. Test the revised long-term recovery plan.
- Formalise and document the points above as part of the standard operating procedure.
We need technology that helps people, not technology that overtakes or further threatens them. One needs to strike the right balance between technology and human beings. Sound data analytics skills and knowledge of intrusion tradecraft, tactics and techniques should include experience with:
- Incident handling covering forensic analysis;
- Security testing covering the depth of validation; and
- Management of information security and business continuity processes.
In summary, the three priorities in the action plan cover the before, during and after of an incident. These assessment practices and processes need to be well understood and implemented. While organisations should strive toward prevention, they must fortify the detect and respond states. As a whole, the organisation will be more operationally effective when equipped with the proper and necessary security technology.