CISOs Talk Incident Response: 3 Steps to Breach Readiness


Written by Chenxi Wang

This is Part 1 in a series. To read Part 2, see: CISOs Talk Incident Response: Educating Your Board

Recently I had the pleasure of attending a CISO networking dinner. The event drew high-profile CISOs from large financial institutions, healthcare companies, retailers, education, and hospitality.

Incident response was THE topic of the evening. This post captures some of the essential discussion points from the lively event.

In the last 18 months, a visible shift has happened in the industry—cyber security, for the most part, has matured from merely an audit concern to a board-level discussion. Many CISOs reported regular conversations with their boards on cyber security topics. In particular, breach readiness and breach response are top-of-mind issues. The participants discussed the essential steps for an effective incident response program. They are:

First step: Define what to protect & gain visibility around these assets

The first priority is knowing what you need to protect. This of course includes your data, your applications, third-party applications and interactions, as well as physical assets.

Once you have determined what to protect, you need to attain universal visibility around these assets. The attendees stressed the importance of real-time information and real-time visibility.

– Monitor egress traffic for exfiltration: As a practical first step, many discussed utilizing technologies that monitor egress traffic to look for potential data exfiltration. This extra visibility, one CISO said, enabled them to secure a large investment in cyber security in addition to traditional technologies such as AV, firewalls, and IPS.

– Attain cloud visibility: A challenge to egress monitoring is SSL/TLS traffic. Since many cloud services use SSL/TLS, cloud visibility is somewhat hampered: without interception, an egress monitor sees only connection metadata (destination, volume, timing), not content. The attendees discussed how data traveling between the company infrastructure and the cloud (and other third-party services) must be monitored as well.

– Engage third-party threat intelligence services: Threat intelligence, including reputation, threat vectors, IOCs, and criminal group intelligence, was high on everyone's list. The CISOs stressed the importance of industry-specific threat intelligence, which gives immediate and more relevant information. One CISO from a retail company remarked that his organization took notice when the Dairy Queen breach went public, and that's when his firm started putting together a strategy for breach response.

– Participate in information sharing: FS-ISAC and NH-ISAC are two threat info-sharing networks for financial services and healthcare. Participants discussed how these networks have effected changes. For instance, Anthem did a great job of sharing IOCs for their breach within hours of its disclosure, enabling their peers in the healthcare industry to be on guard for this category of attacks.
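The three visibility points above (egress monitoring, the limited view into SSL/TLS traffic, and IOCs received from threat intelligence or an ISAC) come together in a simple triage over egress flow records. The following is an added example, not code from the original post or from any tool the attendees used. The flow records and the IOC feed are constructed sample data; the field names, thresholds and function names are assumptions made for illustration.

```python
"""Egress-flow triage: match outbound connections against shared IOCs,
flag hosts sending unusually large volumes, and list TLS flows that give
the monitor nothing to inspect beyond metadata.

Added example with constructed data; not from the original post or any
vendor product. Field layout and thresholds are illustrative assumptions.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed egress flow log (one connection per line). In practice this
# comes from a proxy, firewall or NetFlow export; the layout is assumed.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_out,sni
2015-03-01T09:00:00,10.1.4.20,93.184.216.34,443,51200,example.com
2015-03-01T09:05:00,10.1.4.21,93.184.216.34,443,48000,example.com
2015-03-01T09:07:00,10.1.4.22,198.51.100.7,443,62000,
2015-03-01T09:30:00,10.1.4.23,203.0.113.45,443,3900000,files.sharing-example.test
2015-03-01T10:00:00,10.1.4.20,192.0.2.77,80,12000,
2015-03-01T10:15:00,10.1.4.24,93.184.216.34,443,55000,example.com
"""

# Constructed IOC feed, in the shape a peer might circulate after a breach
# (documentation-range addresses and a .test domain; not real indicators).
SAMPLE_IOCS = {
    "ip": {"192.0.2.77"},
    "domain": {"files.sharing-example.test"},
}


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric port and byte counts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["dport"] = int(r["dport"])
        r["bytes_out"] = int(r["bytes_out"])
        rows.append(r)
    return rows


def match_iocs(flows, iocs):
    """Return (src, indicator, kind) for every flow touching a known IOC.

    Destination IPs are checked first; for TLS flows the SNI gives a
    hostname to check even though the payload itself is encrypted.
    """
    hits = []
    for f in flows:
        if f["dst"] in iocs["ip"]:
            hits.append((f["src"], f["dst"], "ioc-ip"))
        elif f["sni"] and f["sni"] in iocs["domain"]:
            hits.append((f["src"], f["sni"], "ioc-domain"))
    return hits


def volume_outliers(flows, factor=10.0):
    """Hosts whose total bytes out exceed `factor` times the median host.

    Volume is visible regardless of encryption, which is why it is a
    useful first exfiltration signal. The factor is an assumed tuning knob.
    """
    per_src = defaultdict(int)
    for f in flows:
        per_src[f["src"]] += f["bytes_out"]
    median = statistics.median(per_src.values())
    return sorted(src for src, total in per_src.items() if total > factor * median)


def blind_tls(flows):
    """Sources with TLS (port 443) flows carrying no SNI at all.

    Such flows are opaque to the monitor: no content and not even a name to
    reputation-check, so they deserve a second look or TLS interception.
    """
    return sorted({f["src"] for f in flows if f["dport"] == 443 and not f["sni"]})


def triage(text, iocs):
    """Run all three checks and return a single report dict."""
    flows = parse_flows(text)
    return {
        "ioc_hits": match_iocs(flows, iocs),
        "volume_outliers": volume_outliers(flows),
        "blind_tls": blind_tls(flows),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS, SAMPLE_IOCS).items():
        print(f"{key}: {value}")
```

On the constructed data, 10.1.4.23 is caught twice (its SNI matches a shared domain IOC and its volume is far above the other hosts), 10.1.4.20 is caught by an IP IOC over plain HTTP, and 10.1.4.22 shows up only as a TLS flow the monitor cannot see into. Matching on SNI and volume is what keeps the first two findings possible even though the content is encrypted; the third is exactly the gap the cloud-visibility point describes.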

Second step: Establish controls
Clearly security controls are important. We didn't spend too much time on control functions, as most of the discussion was focused on incident detection and response. However, there was agreement in the room that CISOs need a new "stack" of security functions that will help them go automatically from visibility to response.

Third step: Prepare for breach response
How do you best prepare for a breach? How do you measure your readiness for incidents? The CISOs converged on the following list of action items:

– Define an IR plan: The plan should state who owns incident response. Who is on the core team, and who is on the auxiliary team? What are the processes for response once an incident happens: who do you call, who do you notify, who carries out which part of the plan? Typically the CIO is the first point of contact; the CIO and legal counsel co-own the incident response process.

– Establish an IR team: Having a dedicated incident response team is a new concept for many. The team consists of two distinct functional roles: a) incident analysts, who hunt for and detect signatures of attacks, piece together forensic evidence, etc.; and b) the response team, which carries out post-incident actions. The response team often includes a business liaison who interfaces with business and external stakeholders.

– Build a framework: Attendees discussed the importance of utilizing a framework to guide IR programs. "A high-level framework like 'Protect, detect, respond, and recover' would force you to establish controls in each of the categories and assess how mature these controls are in an integrated fashion," one CISO said. Others have used the NIST framework. ISO 27001 and COBIT were also discussed.

– Design and conduct regular table-top exercises: One financial services CISO said his firm runs table-top IR exercises once a quarter, involving VP-level and below personnel. Others hold annual exercises in which the most senior executives are required to participate. These table-top exercises also serve the purpose of bringing executives to reality: they experience first hand what could happen during an incident, and learn what is reasonable to expect of response actions.

– Retain multiple external incident response/forensics firms: When a breach hits, you need as much help as possible. Many of the attendees retain external IR/forensics firms. On an ongoing basis, you can draw on these firms' experience to help with table-top exercises; during an incident, you can rely on their services on demand. Many attendees also recommended retaining more than one IR firm, as each may bring a different viewpoint.

– Conduct ongoing red team exercises: "Engaging a 'red team' for penetration testing across your infrastructure is invaluable," one participant said, and many agreed. Another CISO stressed the importance of having red teams cover DDoS tests in addition to pen testing.

– Establish a formal risk-acceptance process: Attendees were especially interested in collaboration models with business owners. A formal process for risk acceptance was discussed at length. One CISO said that his IT security group serves as risk assessment facilitator: they show the line-of-business (LOB) owners "vulnerabilities, cause, and probability of breach". If the business sponsor still wants to proceed, a business VP, the CISO, and an audit VP all need to sign off, a three-way agreement for risk acceptance.
