When a cyber incident happens, it’s more than just an isolated event. For many CISOs, it reshapes their approach to resilience, risk management, and even their personal well-being in the job.
Several security leaders reflect on the lessons from real-world incidents and why it’s vital to share them with the community to strengthen collective resilience, break down the stigma around breaches, and help others who may face an incident themselves.
1. Share learnings and improve security for all
CISOs in the eye of the storm should expect media attention and all sorts of different agendas from people who weigh in on an incident.
“You get the attention of the world very quickly,” says SolarWinds CISO Tim Brown.
And it isn’t all well-intentioned as some commentators use an incident to further their own interests, whether it’s to raise their profile, speak poorly of another organization, or just get into the news cycle.
On the other hand, some incidents present an opportunity to help the industry at large because all sorts of people are paying attention, including good researchers, according to Brown.
There may be legal, corporate, and regulatory considerations with what you can share. But in terms of the technical playbook, there are likely to be things worth sharing.
Brown believes there are often important lessons that come out of breaches, whether it’s high-profile ones that end up in textbooks and university courses, or experiences that can be shared among peers through conference panels and other events. “Always look for good to come from events. How can you help the industry forward? Can you help the CISO community?” he says.
Todd Thorsen, CrashPlan CISO, agrees there are tactical lessons that come with being involved in an incident. Sometimes an incident is the perfect test case of what shouldn’t happen, says Thorsen, who was on the cybersecurity team during the Target data breach of 2013.
His approach is to conduct blameless post-mortems to understand root causes, create a safe environment for open discussion, and identify what could have been done better. The goal is to analyze processes without fear of repercussions. He encourages security people to share learnings with the community because “in the end everyone’s fighting the same battles”.
Sharing insights is also an important way to build support networks across the wider community and pay it forward because a time may come when you need to turn to your peers. “You never know when you might need to ‘make withdrawals’ from the community later,” Thorsen says.
2. You’ll need to shift from defense to offense
The role and the CISO won’t be the same after an incident.
“My job on December 11 was very different from my job on December 12 and beyond,” says Brown.
Following an incident, some organizations need to change to such an extent that they need a different CISO with a different approach. The CISO isn’t always let go because they were incompetent or people believe it was their fault, according to Brown. A lot depends on the situation and how the CISO can adapt.
“If you want to be the post-incident CISO then you really need to have the skills to be that, and they’re very different from the skills that you needed the day before,” says Brown.
Many incident-hardened CISOs will shift their approach and their mindset about experiencing an attack first-hand. “You’ll develop an attack-minded perspective, where you want to understand your attack surface better than your adversary, and apply your resources accordingly to insulate against risk,” says Cory Michel, VP security and IT at AppOmni, who’s been on several incident response teams.
In practice, shifting from defense to offense means preparing for different types of incidents, be it platform abuse, exploitation or APTs, and tailoring responses to each.
Michel includes red team exercises and live fire drills in the offensive play. It also means periodically stepping back, starting afresh, and challenging the current security approach to look for gaps and weaknesses. Incumbent CISOs “can become blinded to the current situation because they’re so immersed in the details,” he tells CSO.
3. You’ll develop a tactical playbook for handling incidents
Incidents are a reminder that a well-practiced response plan needs to be in place. It should designate a strong internal coordinator, with scope to draw on external expertise such as breach coaches and legal counsel.
“You need core people to talk to the press, engage with the insurance company, start investigating if you can’t restore data, and know how to communicate with the attackers about a ransom,” XYPRO CISO Steve Tcherchian says.
Without clear roles and responsibilities, panic sets in very quickly, Tcherchian has found. “Right off the bat, it’s ‘what do we do? Who’s in charge? Who do we call? Who do we involve? Who do we not involve?’,” says Tcherchian, who’s acted as an advisor in the aftermath of ransomware attacks.
The playbook needs clear guidance on communication, during and after an incident, because this can be overlooked while dealing with the crisis, but in the end, it may come to define the lasting impact of a breach that becomes common knowledge.
“Every word matters during a crisis,” says Brown. “Of what you publish, what you say, how you say it. So, it’s very important to be prepared for that.”
The playbook also needs to outline the endpoint so a decision can be made about when to shut down the investigation of the incident. “One of the hardest parts of managing a cyber incident is knowing when to stop investigating it,” says George Gerchow, faculty at IANS Research and Bedrock Security CSO.
If there are large teams investigating the incident, they’re likely to start uncovering other things, but if they’re going down rabbit holes it can distract and delay from the issue at hand.
CISOs need to accept some doors may be left open, but if they’re smaller risks, it’s important to not lose sight of the incident. “The key is to focus on the ‘known knowns’, be transparent, and bring the incident to a close, with the primary goal of determining if data was exfiltrated,” says Gerchow, who’s been through incidents at SumoLogic and MongoDB.
4. Overlook robust, monitored backups at your peril
If an incident happens that compromises data, having unprotected or inadequate backups can be a costly oversight. Where it’s happened, CISOs have learned the hard way never to assume backup systems are secure and fully functional.
“A lot of ransomware attacks nowadays, they’ll target the backups first before doing anything. They’ll target your restore location, your restore points, your backup media. They’ll make sure to disable your ability to restore your data and avoid paying the ransom,” says Tcherchian.
Even if the decision is to pay the ransom, there’s no guarantee the business will get the data back and this underscores the need to ensure backups are isolated and working.
Tcherchian recommends regularly testing and verifying that backup systems are functioning and clean. “You might have a vulnerability or a malicious payload on your network, and it might be sitting there for 30, 60 days, meaning it’s being copied into your backups constantly,” he says. “If you think you’ve been attacked, you’re going to restore from your backup, and all you’re doing is reintroducing that virus or that malware back into your environment.”
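To make Tcherchian’s point concrete, here is an added example (not code from the article or from any of the organizations named) of a restore-point check: a snapshot is only a candidate if it is held on an isolated copy, still matches the hash recorded when it was taken, and predates the suspected compromise by a chosen dwell-time margin. The snapshot model, the manifest hash and the sample data are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

@dataclass(frozen=True)
class Snapshot:
    taken: date
    isolated: bool        # offline/immutable copy an intruder could not reach
    data: bytes           # snapshot contents (stand-in for the real backup set)
    manifest_sha256: str  # hash recorded out of band when the snapshot was made

def verify_snapshot(s: Snapshot) -> bool:
    """A snapshot is usable only if its content still matches the recorded hash."""
    return hashlib.sha256(s.data).hexdigest() == s.manifest_sha256

def choose_restore_point(snapshots, suspected_compromise: date, dwell_margin_days: int = 0):
    """Newest verified, isolated snapshot taken before the attacker could have been
    present. None means retention does not reach back far enough to be safe."""
    cutoff = suspected_compromise - timedelta(days=dwell_margin_days)
    candidates = [s for s in snapshots
                  if s.isolated and s.taken < cutoff and verify_snapshot(s)]
    return max(candidates, key=lambda s: s.taken) if candidates else None

def _snap(taken, isolated, data, tampered=False):
    # constructed sample: the manifest hash is taken from the original content;
    # a "tampered" snapshot had its bytes altered after the manifest was recorded
    digest = hashlib.sha256(data).hexdigest()
    if tampered:
        data = data + b"\x00"
    return Snapshot(taken, isolated, data, digest)

# constructed sample backup history (hypothetical dates and contents)
SAMPLE_SNAPSHOTS = [
    _snap(date(2024, 1, 1), True, b"clean-jan"),
    _snap(date(2024, 2, 1), True, b"clean-feb"),
    _snap(date(2024, 2, 15), True, b"corrupted", tampered=True),  # fails hash check
    _snap(date(2024, 3, 1), False, b"online-only-mar"),           # reachable by attacker
    _snap(date(2024, 3, 20), True, b"already-infected"),          # taken after compromise
]
SUSPECTED_COMPROMISE = date(2024, 3, 10)

if __name__ == "__main__":
    for margin in (0, 30, 90):
        pick = choose_restore_point(SAMPLE_SNAPSHOTS, SUSPECTED_COMPROMISE, margin)
        print(margin, pick.taken if pick else "no safe restore point within retention")
```

Widening the dwell-time margin is what shows whether retention is long enough: with a 90-day margin this sample history has no safe restore point at all.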
5. Set the security bar higher
After an incident, you’re likely to view your security posture differently, and this includes continuously working to improve security processes. The aim is to be better than merely compliant. Be prepared to reinvent and rebuild systems to be more resilient, implement multi-layered security measures, and consider higher levels of compliance, more tabletop exercises, security auditing, red teaming, endpoint protection and so on.
“Each one of those leads us to more of an exemplary model that we can hold up to say, ‘yes this happened to us and now we’re doing things that can be better’ and sharing that,” says Brown. “The approach is how do we practically make things much more difficult, against an infection or another targeted breach.”
Incident-hardened CISOs may also change their approach to tabletop exercises. In Brown’s case, they’re now happening more often and feature more serious potential events because when you’ve been through an incident you know that it’s possible.
“Once you live through it, your tone is very different. And the idea that it was theoretical prior to becoming actual is ingrained in any of us that have gone through it,” he says.
6. Stay vigilant against shiny-object syndrome
One of Michel’s take-aways is to avoid getting distracted by cool, interesting new tools, but it may be hard in an industry awash with big claims and confusing terms. “The industry as a whole has shiny-object syndrome,” he says.
Instead, focus on fundamentals such as vulnerability management and patching, robust detection and response programs, strong authentication and access models like zero trust and passwordless authentication, employee education and training, and live-fire incident response exercises to test readiness. Above all, stay vigilant against the big sell.
“Everyone hates doing vulnerability management, but it’s one of the most important things you can do to understand your attack surface, know where the vulnerabilities are and remove them to the point where you’re comfortable with the risk,” he says.
7. Funding can flame out after an incident
Incidents have a way of focusing attention on cybersecurity. Suddenly, the board and executive leadership all want to talk cyber, hear about risks and there’s money on the table so that people can sleep again at night.
It can be music to the ears of CISOs who’ve been trying to secure more funding, but the focus — and the dollars — can be short lived.
“When you’ve been saying ‘these are the risks’ and then all of a sudden you find yourself in that position, then exec staff, the board, everyone, all they want to talk about is cyber for a while, but then it starts diminishing a bit,” says Gerchow.
Expectations rise in line with budget increases. The problem is that it takes time to do due diligence to bring in the right tools and the right skill sets. But if the budget hasn’t been used up in a certain amount of time, executives might reallocate it to other areas once the intense, post-incident focus has faded.
This puts CISOs in the difficult position of having to explain to the board and other executives what the loss of funding means, when many would rather focus on metrics and improvements. “CISOs may talk about risks and progress made against the incident, but not talk about, potentially, how budget and positions are being taken away,” he says.
8. You must look after yourself at all times
If there’s one common, overarching lesson for CISOs, it’s that you must look after yourself, legally, professionally and mentally throughout your tenure in the industry.
With burnout, high stress and increasing responsibilities, many CISOs are feeling the pressure of the role. Incidents add to these stressors, and they’re becoming more commonplace as the frequency of attacks rises.
“Incidents are commonplace, unfortunately; it’s part of the job,” says Thorsen.
Brown encourages CISOs to recognize the potential health impacts of high-stress roles and establish the right support system, which will be vital when an incident occurs. And not to underestimate how stressful being in the eye of the storm can be on your coping mechanisms.
“One of the big messages is although you might think you’re managing stress, you might not be doing it well,” Brown says. “CISOs jobs are hard enough, so people have to find an outlet. But during an event, it gets even worse. Acknowledge this and build a personal plan for yourself, because one approach doesn’t suit everyone for this type of thing.”
Article: 8 things IT leaders have learned from cyber incidents