How To Survive Breach Failure (Part 1 of 3)
December 10, 2014
Many organizations have developed security response procedures to satisfy compliance and regulatory requirements; however, when a breach does occur we regularly see organizations making decisions or taking actions that don’t align with the established incident response plan. When this happens, the direct impacts are usually obvious, but the second-order effects only show up under further analysis.
In this blog series, we cover some opportunities for failure leading up to, during, and after security incidents, and offer professional tips on how to weather the storm. CISOs and security leaders need to be aware of the natural tendency to drift from established process in this area and be prepared with appropriate countermeasures to bring order to the resulting chaos.
Failures Before the Incident
Having a poorly written incident response (IR) plan
Countless articles have been written that underscore the importance of having a thorough and rehearsed IR plan. Rather than beating that dead horse, I’d like you to evaluate your IR plan from a different perspective to determine whether it is realistic and set up for success or for failure. An IR plan that can’t be executed effectively has little value and will undoubtedly be ignored during an incident. When in doubt, try using the “SMART” criteria (Specific, Measurable, Achievable, Relevant, Time-bound) to assess your plan:
Specific – Ambiguities lead to poor decisions; poor decisions lead to chaos; chaos leads
- Do you have a list of clearly defined questions for the triage analysis needed to confirm or rule out the incident and categorize it appropriately?
- Are roles/responsibilities up-to-date and supported by indisputable lines of authority?
- Are decision matrices clearly structured to minimize personal judgment and ensure response actions are congruent with the specific problem(s) detected?
Measurable – If you can’t measure impact and recovery, you can’t tell whether the response is working.
- Do you have established benchmarks or metrics to measure the impact of an incident?
- How do you confirm whether your response is effective or merely adequate?
- Do you have thresholds that define when an acceptable level of recovery has been achieved?
Achievable – A plan that depends on people, tools, or authority you don’t have will be abandoned under pressure.
- Is your IR plan realistic, or does it hinge on resources and capabilities your organization doesn’t have?
- Do you need additional staff or tools to perform investigative analysis?
- Will you need to undergo a contracting/procurement process to purchase technology or get an IR retainer in place for external forensic/legal support?
- Is the IR team composed of management officials who are difficult to reach, leaving analysts with insufficient decision-making authority?
Relevant – The plan has to fit how the business actually operates, or its recommendations will be overruled.
- Does your IR plan align with the needs of the business?
- Does the organization understand the difference between an operational incident (outage) and a security incident?
- Does your leadership value the [sometimes] significant effort of performing a deep root cause analysis, or is it more important to restore service at the expense of forensic investigation?
- Have you educated end users and management officials about the importance of incident response and their responsibilities in the process?
- Does your IR plan feature response strategies that management and operations will reasonably approve, or will recommended actions be dead on arrival (e.g., taking down a non-redundant ISP connection or email system in a 24x7 operation)?
Time-bound – Reporting obligations and SLAs set the clock; the investigation has to fit inside it.
- Are there regulatory or compliance requirements that specify how soon after a suspected breach your organization must report the incident?
- How much time will your team need for investigation to meet those targets?
- At what point is the incident overcome by events (OBE), such that the cost of further investigation outweighs the acceptable loss?
- Do you have internal or external SLAs that set when your investigation must be complete and by when your findings must be communicated?
- Do you have the resources needed to meet the stated time-bound goals?
In my next blog post, I will discuss ways in which organizations fail during a breach.
**Disclaimer: The observations above are subject to interpretation and are not the result of any specific scientific study.