Van Wyk: Doing Your IR Planning the Right Way
October 2, 2017 | Incident Response Planning
By Ken Van Wyk, IANS Faculty
Smart people learn from their mistakes, but wise people learn from others’ mistakes, right?
In that spirit, there is still a lot of “Monday morning quarterbacking” going on regarding the recent Equifax security breach. No doubt, many more facts will come out surrounding this incident. Some “facts” will also be found to be incorrect. That’s the nature of things.
But rather than focus on the negative, I want to shed some light on the positive steps organizations can take when a breach of this kind is discovered. The first thing I look for in an incident response practice is the right mindset. Three things I’ve found helpful over the years for building that mindset are:
- Think of the IR team like it’s an emergency medical team. When an incident occurs, the medical team’s job is to keep the patient alive long enough to reach the hospital and the care of a doctor. It’s not about solving (for instance) a patient’s clogged artery, but rather stabilizing the situation so the patient survives to see a cardiologist and hopefully lives a long and healthy life after the emergency. Likewise, it’s vital for the medical staff to be able to discuss diseases, symptoms, treatments, etc., among themselves while still maintaining patient privacy. Both lessons carry over directly to incident response: contain and stabilize first, fix the root cause later, and share incident details on a need-to-know basis.
- Have execs and the IR team act like golfers and their caddies. Most incident response teams do not have the authority to shut down business systems while fixing a problem. Those big decisions generally get pushed up to the executive decision team. However, the role that incident responders play is nonetheless vital. They should look at themselves as being similar to golf caddies. The caddy advises the golfer on what club to use, where the sand traps are and so forth. In fact, the golfer requires that sort of expert input from the caddy. Nonetheless, the final decision of what club to use and how to strike the ball is always the golfer’s to make. But, when you have a really good pairing of golfer and caddy, they can work as a cohesive unit that is greater than the sum of its parts.
- Make customer service the top priority. At their core, all IR teams are services organizations. We’ve all suffered the effects of bad services organizations, right? Who enjoys being on hold with tech support for hours, only to repeat the same issue to five different people and then get disconnected during the handoff to yet another one? Incident response organizations cannot effectively serve their parent company if they emulate these nightmare situations. Instead, adopt a service-first attitude. When a customer has an issue, the staff member who first hears of it owns the problem until it is resolved or until another staff member has explicitly accepted a handoff of responsibility; from that point the new owner is responsible for resolving it.
In addition to having these types of mindset in place, there are a number of other important areas the IR team needs to work on so that it’s ready when the crisis strikes. These include:
- Communicate effectively: Many of us like to think of incident response as a deeply technical discipline. And while I certainly won’t disagree that it’s great to have a highly technical team to carry out the IR tasks, it took this tech-head years to fully grok that incident response is first and foremost a business matter. It’s about keeping the business alive. During a major breach of customer data, keeping the business alive often comes down largely to effective communication. Companies that have been victimized by a security breach can help themselves and their customers immensely merely by communicating effectively.
- Be truthful about the incident: Be candid about the impact to customers and what’s happening. Be confident and speak with authority. Your customers will generally forgive mistakes, but only if they are handled in a professional manner.
- Be proactive: Address problems before they address you, whenever possible. That requires analysis, experience and a mindset of looking for problems before they arise. The best engineers with whom I’ve worked have this trait in spades.
- Be technically excellent: Finally, we come to technical expertise. Yes, of course it matters a great deal. But technical excellence in the absence of these other things I’ve listed is not that helpful when it comes to retaining customers. It’s a business problem first, remember?
So, as we look at the Equifax breach, for example, it’s reasonable to evaluate the company on these and other criteria. Are these the qualities we’ve seen in Equifax’s response to its breach? You be the judge.
Ken Van Wyk is president and principal consultant at KRvW Associates and an internationally recognized information security expert, author and speaker. He’s been an infosec practitioner in commercial, academic, and military organizations and was one of the founders of the Computer Emergency Response Team (CERT) at Carnegie Mellon University.