
Focus on Context to Improve Your Incident Response Plan
In November 1988, Robert Morris released what is widely acknowledged as the first internet worm, which spread so aggressively and quickly that it disrupted a significant share of the internet of the day. The Morris Worm was the impetus for putting coordinated systems and incident response teams in place to deal with cyberattacks (the CERT Coordination Center was founded in its immediate aftermath), but it wasn’t until the Target breach in 2013, in which data from 40 million credit and debit cards was stolen, that corporate leaders began to fully understand that every level of an organization must understand the potential threat of a breach and that ad hoc support of cyber security initiatives was no longer sufficient. Rather, all-encompassing programs of prevention, monitoring, and remediation must be in place.
Bringing Context to Incident Response
Incident response teams today must have full knowledge of their ecosystem, which systems need protecting and what data resides within them, to take a comprehensive approach to defending their organizations from cyber security threats. They can do so by adding context to incident response. Today, when a threat event occurs, the analyst first has to reconstruct a picture of the environment they are defending before any action can take place. If they lack that contextual knowledge of their organization (which application runs on which infrastructure, and which business process and value stream depend on it), the incident responder is already behind.
Security teams should understand what they are reacting to, be able to recreate the view of the affected environment and immediately grasp the ecosystem they are trying to protect, so they can act right away rather than reverse engineer the situation, which may be too late by then anyway. In that case the threat actor can move faster than the incident responder. Easily said, but as applications are decomposed into smaller pieces, the ecosystem becomes ever more distributed and the context even harder for incident response managers to understand. With more and more applications, and the security controls around them, delivered in containers, in the cloud (or cloud native), or as serverless workloads on function-as-a-service platforms, incident responders must now understand the contextual dimension of each threat. It is critical that they understand what type of threat they are responding to and what it is they are protecting in the larger business sense. Creating that context is an emerging challenge that the industry and community will need to address.
Creating Better Asset Management Platforms to Improve Incident Response
When creating asset management platforms, I recommend that CISOs work with their teams to base that development on context around both the business and the technology. When the platform is not rigidly defined around a single application, we can start connecting infrastructure to the business processes and value streams it supports. It is then that you can truly become a counselor to senior leadership and articulate the business impact of any given threat. Through contextualization, you will immediately know when you have the asset data and its associations, and whether the affected asset is of lesser importance (so you don’t need to wake up the CEO). Or, conversely, you will know when a high-fidelity threat is hitting the flagship application that underpins an entire business process. That is when executive leadership attention is warranted, and you will now also be in a position to propose remediation.
Some areas I’ve explored while developing asset management platforms revolve around visualization. I’m looking at the integration between logging and monitoring capabilities and the data they generate through asset management tools, but also other solutions like cloud and container monitoring platforms and the telemetry they provide. Then I’m looking at the visualization tools that are out there that can create these views. Picture this asset management platform chronology:
- Data comes up through logging and monitoring capability
- Incident Responder quickly determines it is a problem
- Through the functionality of the asset management platform, the backend stitches together all that data and pulls up a visualization tool that maps the internal or cloud environment and shows the team that this alert is associated with a particular container, which is part of a particular ecosystem and value stream and is talking to these specific databases
- Incident Responders quickly react to visual cues, improved through real-time contextual awareness, so they can more quickly appreciate the danger and immediately take on real action to thwart the threat
That is a future state that positions incident responders as a force to be reckoned with against the ever-evolving threat landscape.
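The chronology above is essentially a graph walk followed by a scoring step. The following is an added example, not code from the article or from any TIAA platform: a constructed asset inventory (container to application to business process to value stream, plus attached data stores), three constructed alert lines as a container monitor might emit them, and a constructed threat-intel record. `enrich` walks the graph to attach business context to a raw alert, `exposure` answers the volume question ("how much of that problem do we have?"), and `triage` turns applicability, business criticality and data classification into an escalation decision. All identifiers, scores and thresholds are hypothetical.

```python
"""Alert enrichment against an asset-context graph (added example).

Maps a raw alert to the container, application, business process, value
stream and data stores it touches, then scores it. All asset names, alert
lines and the threat record below are constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass

# Constructed inventory. In a real platform these edges come from the CMDB,
# cloud/container monitoring APIs and application ownership records.
INVENTORY = {
    "containers": {
        "c-7f3a": {"runtime": "nginx/1.18", "app": "payments-api"},
        "c-a2c1": {"runtime": "nginx/1.18", "app": "payments-api"},
        "c-91bd": {"runtime": "httpd/2.4", "app": "marketing-site"},
    },
    "apps": {
        "payments-api": {"process": "card-settlement", "databases": ["pg-cards"], "owner": "payments-eng"},
        "marketing-site": {"process": "brand-web", "databases": [], "owner": "web-team"},
    },
    "databases": {"pg-cards": {"classification": "PCI"}},
    "processes": {
        "card-settlement": {"value_stream": "retail-payments", "criticality": "tier-0"},
        "brand-web": {"value_stream": "marketing", "criticality": "tier-3"},
    },
}

# Constructed threat-intel record: which runtime the threat actually targets.
THREAT = {"name": "hypothetical-nginx-rce", "affects_runtime": "nginx/1.18"}

# Constructed alert lines, shaped like a container monitor's JSON output.
SAMPLE_ALERTS = [
    '{"ts":"2024-03-01T10:02:11Z","container_id":"c-7f3a","rule":"suspicious-outbound","dst":"203.0.113.9:443"}',
    '{"ts":"2024-03-01T10:02:14Z","container_id":"c-91bd","rule":"suspicious-outbound","dst":"203.0.113.9:443"}',
    '{"ts":"2024-03-01T10:03:01Z","container_id":"c-0000","rule":"suspicious-outbound","dst":"203.0.113.9:443"}',
]

TIER_SCORE = {"tier-0": 4, "tier-1": 3, "tier-2": 2, "tier-3": 1}  # hypothetical weights


@dataclass
class AlertContext:
    container: str
    app: str
    process: str
    value_stream: str
    criticality: str
    databases: list[str]
    classifications: list[str]
    owner: str
    runtime: str


def enrich(alert: dict) -> AlertContext | None:
    """Walk container -> app -> process -> value stream, collecting attached data stores."""
    c = INVENTORY["containers"].get(alert.get("container_id"))
    if c is None:
        return None  # asset not in inventory: an inventory gap to track, not something to guess at
    app = INVENTORY["apps"][c["app"]]
    proc = INVENTORY["processes"][app["process"]]
    dbs = app["databases"]
    return AlertContext(
        container=alert["container_id"], app=c["app"], process=app["process"],
        value_stream=proc["value_stream"], criticality=proc["criticality"],
        databases=dbs,
        classifications=sorted({INVENTORY["databases"][d]["classification"] for d in dbs}),
        owner=app["owner"], runtime=c["runtime"],
    )


def exposure(threat: dict) -> list[str]:
    """Volume metric: every container whose runtime the threat can actually hit."""
    return sorted(cid for cid, c in INVENTORY["containers"].items()
                  if c["runtime"] == threat["affects_runtime"])


def triage(ctx: AlertContext, threat: dict) -> dict:
    """Risk quantification: applicability first, then business criticality and data sensitivity."""
    applicable = ctx.runtime == threat["affects_runtime"]
    score = TIER_SCORE[ctx.criticality] if applicable else 0
    if applicable and "PCI" in ctx.classifications:
        score += 2  # regulated data sits behind the affected asset
    return {"applicable": applicable, "score": score,
            "escalate_to_exec": score >= 5, "notify": ctx.owner}


def run_pipeline(lines: list[str], threat: dict = THREAT) -> list[dict]:
    """Parse alert lines, enrich each one with business context and attach a triage decision."""
    results = []
    for line in lines:
        alert = json.loads(line)
        ctx = enrich(alert)
        if ctx is None:
            results.append({"container": alert.get("container_id"), "status": "unknown-asset"})
            continue
        results.append({**asdict(ctx), "status": "enriched", **triage(ctx, threat)})
    return results


if __name__ == "__main__":
    print("exposed containers:", exposure(THREAT))
    for r in run_pipeline(SAMPLE_ALERTS):
        print(json.dumps(r))
```

Running it, the alert on `c-7f3a` resolves to the `retail-payments` value stream with PCI data behind it and is flagged for executive escalation, the alert on `c-91bd` is found not applicable because that container does not run the affected runtime, and `c-0000` surfaces as an asset missing from inventory, which is its own finding: an alert you cannot place in the graph is exactly the situation in which the responder is "already behind".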
Improving Your Standing in Incident Response
In addition to investing in understanding the context of your incident response plans, I offer the following advice to improve incident responders’ professional standing:
- Become Invaluable as Subject Matter Experts—Understand the ecosystem of your organization, the context in which threats may occur and the consequences for the business value streams, so you can quickly synthesize the information to give the broader team – even the C-Suite – insights and counsel.
- Always Remain Curious, Even Suspicious—Keep your radar on so that, for example, when a new threat emerges that may or may not affect your environment but is active within your vertical market, you can preemptively guard against it.
- Understand the Threat and its Potential Impact—Be able to quickly ascertain whether there is a concern in your environment through volume metrics (i.e., how much of that problem do we have?) and through risk quantification (e.g., threat W targets technology X, which we don’t run, so it is not a concern, but threat Y targets Z, which underpins a critical value stream, so it is a big concern).
Conclusion
There is real opportunity to improve real-time contextual awareness so incident responders can more quickly appreciate what they have and act on it immediately, rather than waste time making inferences about the environment. To be sure, incident response plans are ever evolving, and some plans are undoubtedly better than others. It boils down to whether the incident responders are executing on the plan and have an appropriate contextual appreciation of the environment, the ecosystem, the business value streams and the stakeholders involved, so that they can get the right people to the table to best defend against adversaries.
Travis Hoyt
Head of Cybersecurity Technology / TIAA
Travis Hoyt is Head of Cybersecurity Technology at TIAA based in Charlotte, North Carolina. Travis joined TIAA in 2019 after almost 19 years with Bank of America’s Cybersecurity Operations as a global control owner for application security assessments. Primary responsibilities at TIAA include security technology portfolio management and delivery, emerging technology and services evaluation including hybrid cloud and containerization. Travis holds several certifications relating to security and cloud and has a passion for discussing loosely coupled architectures and “serverless” debates. Connect with Travis on LinkedIn here: https://www.linkedin.com/in/travishoyt/