Major, large-scale data breaches aren’t an everyday occurrence, but they happen more often than many of us would like to think. And even though the majority of security events are of low to moderate severity, if and when the next “Big One” strikes, it will shake your organization to its very foundation. In the first half of 2019 alone, approximately 3.2 billion records were exposed in just eight breaches.
For employees of the companies victimized, the immediate aftermath of such events is nothing short of traumatic. Between scrambling to contain the threat, making the appropriate log data available to forensic investigators, and managing communications with the media, law enforcement officials, and panicked executives, employees in departments ranging from marketing and PR to risk management and IT will face potentially career-altering challenges in the event of a significant data breach.
With racing hearts and nervous systems flooded with adrenaline and the other chemical signals of fear and distress, they’ll need to make business-critical decisions in the face of what will feel like millions of competing priorities. Teaching your employees to do this well is far from easy, but it is certainly possible.
Our team of experts here at Respond Software has put together a set of 5 key tips to help you train your team to handle a cybersecurity crisis. With more than half a century’s combined experience responding to major security events at organizations large and small, across multiple industries, we know what it’s like to be boots-on-the-ground in times of disaster. And we’ve seen firsthand how learning to deal with information security emergencies can help organizations build resilience.
Here’s what’s most important to achieve:
#1: Train your team as if they were firefighters.
First responders in emergency services don’t just practice setting up ladders or operating hydraulic tools until they’re confident they know how to do these things. They continue practicing until they’re able to complete such tasks in total darkness, when facing intense heat, or when nearly paralyzed with fear or shock. That is, they practice until their knowledge becomes ingrained as muscle memory, and they’re able to respond without thinking.
The speed and accuracy that firefighters gain from knowing how to use the tools at their disposal automatically and reflexively can make the difference between life and death in a true crisis. For IT security professionals, a similarly instinctive understanding of the available tools and their capabilities is critical. Knowing, without having to look it up, how to isolate the network’s DMZ or cut connectivity to a particular segment of the infrastructure can dramatically reduce the duration and blast radius of a major security event.
Your security team cannot possibly practice the fundamentals too much. Whether they’re tabletop exercises or immersive hands-on simulations, repeating these types of scenarios will enable incident responders to hone their ability to perform basic tasks quickly and reliably, no matter how chaotic or emotionally challenging the circumstances.
#2: Know where your logs are.
Particularly if you’ve engaged an MSSP or another third-party service provider to monitor your environment, your internal security team may not know where all the relevant log data is stored, how long it is retained, or in what form it can be handed over. If a forensic investigation were to be conducted, this lack of knowledge could cost your organization enormously in time, money, and customer confidence, and evidence that has already aged out of a short retention window cannot be recovered at all.
No external vendor will ever understand your environment as well as members of your own internal team do. If you do choose to contract out fundamental IT security capabilities, be sure that you have full visibility into where and how your log data is stored and how long it is kept, that you can access it at will, and that someone on your team has actually tested retrieving it before the day you need it.
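One concrete way to keep this knowledge current is to maintain a log-source inventory and check it mechanically, not just at the start of an engagement. The script below is an added example for this post, not code from the original page or from Respond Software; it runs over a constructed sample inventory (every source name, vendor and path is invented) and flags the gaps that slow a forensic investigation: unknown storage location, unknown or too-short retention, third-party-held data whose retrieval has never been exercised, and sources that have gone quiet. The 365-day investigation window and 24-hour freshness bar are assumptions; set them from your own incident response plan and regulatory obligations.

```python
"""Log-source inventory check (added example, not the original post's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class LogSource:
    name: str
    location: str               # where the data actually lives; "" = nobody knows
    custodian: str              # "internal" or the name of the vendor holding it
    retention_days: int         # 0 = nobody knows
    last_event: Optional[datetime]
    access_verified: bool       # has the internal team actually pulled data from it?


# Assumptions for this example: a 12-month investigation window and a
# 24-hour freshness bar. Take the real values from your IR plan and regulators.
REQUIRED_RETENTION_DAYS = 365
MAX_SILENCE = timedelta(hours=24)


def check_inventory(sources: List[LogSource], now: datetime,
                    required_days: int = REQUIRED_RETENTION_DAYS,
                    max_silence: timedelta = MAX_SILENCE) -> Dict[str, List[str]]:
    """Return {source name: [problems]} for every source that would slow down
    or block a forensic investigation. Sources with no problems are omitted."""
    findings: Dict[str, List[str]] = {}
    for s in sources:
        problems: List[str] = []
        if not s.location:
            problems.append("storage location unknown")
        if s.retention_days <= 0:
            problems.append("retention period unknown")
        elif s.retention_days < required_days:
            problems.append(f"retention {s.retention_days}d is below the "
                            f"{required_days}d investigation window")
        if s.custodian != "internal" and not s.access_verified:
            problems.append(f"held by {s.custodian} and retrieval has never been tested")
        if s.last_event is None:
            problems.append("no events ever received")
        elif now - s.last_event > max_silence:
            hours = int((now - s.last_event).total_seconds() // 3600)
            problems.append(f"no events for {hours}h (collector or forwarder may be broken)")
        if problems:
            findings[s.name] = problems
    return findings


# Constructed sample inventory; names, vendors and paths are invented.
SAMPLE_NOW = datetime(2019, 8, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SOURCES = [
    LogSource("vpn-auth", "siem-cluster-a:/indexes/vpn", "internal", 400,
              SAMPLE_NOW - timedelta(hours=1), True),
    LogSource("edge-firewall", "", "example-mssp", 90,
              SAMPLE_NOW - timedelta(hours=2), False),
    LogSource("dmz-web-access", "s3://example-logs/dmz-web/", "internal", 365,
              SAMPLE_NOW - timedelta(days=3), True),
    LogSource("endpoint-edr", "vendor tenant (example-edr.example)", "example-edr", 0,
              SAMPLE_NOW - timedelta(minutes=30), True),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the check over the constructed inventory at the fixed sample time."""
    return check_inventory(SAMPLE_SOURCES, SAMPLE_NOW)


if __name__ == "__main__":
    for name, problems in run_sample().items():
        print(name)
        for p in problems:
            print(f"  - {p}")
```

On the sample data the only clean source is `vpn-auth`; the MSSP-held firewall logs fail three checks at once, which is exactly the combination that turns a routine evidence request into a multi-week scramble. In practice the `last_event` column would be populated from your SIEM or collector rather than typed in by hand, and the check would run on a schedule so a silent forwarder is noticed long before an investigator asks for the data.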
#3: Don’t let the glitter from “shiny object syndrome” blind you to your organization’s vulnerabilities.
In IT security, crisis preparedness is the result of proper training, practice, and knowledge. It’s far more important to be able to use the available tools quickly and effectively than it is to have deployed the latest and greatest new technologies.
No matter how expensive your tools, if they’re not being updated—or monitored—on a regular and ongoing basis, they’re not providing real value to your organization. At a minimum, conduct an annual review to ensure that your technologies are still working as they should be. Do the tools need policy updates? Tuning? Is the vendor still providing the level of support you need and expect?
Far too many organizations fail to realize the full value of their technology investments because the tools aren’t being used or monitored as they should be.
#4: Cultivate your ability to turn lemons into lemonade.
In today’s cybersecurity landscape, breaches are nearly inevitable for almost all organizations. How well you are able to translate lessons learned from such incidents into improved policies and procedures may determine your success or failure when it comes time to contain future attacks.
To err is natural and human. But once you know that a system was misconfigured, or a team member failed to adhere to a policy, you’re able to remediate that particular point of vulnerability. Every security incident you undergo offers you the opportunity to cultivate greater resilience. Be sure that studying, discussing, and incorporating lessons learned is a key component in your incident response playbook.
Because large-scale breaches aren’t as common as smaller incidents, you should be learning from minor events as well as major ones. And it’s an excellent idea to incorporate lessons learned from other companies’ breaches into your red teaming or tabletop exercises. If an attack targeting a competitor was successful, ask yourself if adversaries employing similar tactics would succeed with your organization.
#5: Most importantly, make security awareness a fundamental part of your organizational culture.
The common theme running throughout all of these tips is that people are the key to IT security crisis preparedness. The more your employees across divisions and business units can collaborate in the service of overall security, the more resilient your organizational culture will become. Whether it’s learning how to identify and respond to phishing emails, or understanding which tests belong in the development pipeline so that code quality and resilience are built in rather than bolted on afterward, security should be everyone’s job.
Just as it’s vital to ensure that you’re using your IT security tools as effectively as possible, it’s important to ask yourself whether you’re creating an optimal work environment for the security analysts on your team. How are you encouraging their creativity, collaboration, and engagement? Are you fostering their interest in and enthusiasm for their work?
Putting tools and technologies in place that will allow skilled security professionals to spend more of their time on higher-value tasks is one way to build this kind of security-first culture.
To learn more about how the Respond Analyst helps our customers stay ahead of cybersecurity threats and prevent vulnerabilities from turning into breaches, check out our customer stories.
Ryan Black is the Director of Customer Operations at Respond Software where he heads strategy and operations for on-premise Respond Analyst deployment. Prior to joining Respond, Ryan was the Senior Director of Security Operations at Bugcrowd where he developed and led the Application Security Engineering team responsible for vulnerability triage and bug bounty services. He has also held various InfoSec and technology positions at companies such as HP Enterprise, Aflac and Apple. In addition to professional experience, he holds several industry certifications and participates in a variety of open-source software projects, independent security research, and diversity-in-security initiatives. On personal time Ryan enjoys coding, gaming, various crafts, and nature activities with his wife, two kids, and three dogs.