A Weekend in Incident Response #14: Updated U.S. National Cyber Incident Response Plan Focuses on Capabilities Required to Respond to Significant Incidents

As part of its efforts to improve the country’s cybersecurity, the U.S.Department of Homeland Security has issued an updated National Cyber Incident Response Plan, specifically highlighting three key aspects:

• Responsibilities of government agencies and private sector organizations during a cyber incident
• Core capabilities required to respond to a significant cyber incident
• Coordinating structures and integration between the federal government and affected entities

The requirements in this plan apply to various types of cyber incidents, but are especially centered around significant cyber incidents that “are likely to result in demonstrable harm to the national security interests, foreign relations or economy, or to the public confidence, civil liberties or public health and safety of the American people.”

Responsibilities and Capabilities

The plan includes a list of responsibilities and capabilities all affected entities are required with regard to with incident response. The ultimate responsibility that affected entities have during a cyber incident is to take appropriate actions to manage the impact of the incident. This includes, but is not limited to: ensuring continuation of business or operational functions, disclosure and notification of the incident in accordance with legal and regulatory requirements, protecting privacy, and managing liability risk.

As far as capabilities are concerned, they encompass the following areas: forensics and attribution, infrastructure systems, intelligence and information sharing, public information and warning, screening search and detection, as well as cybersecurity, to name a few.

How to Respond and Comply with Requirements

In order to be able to comply with the above-mentioned requirements, the best thing that covered entities could do is adopt an incident response platform that can take care of all those tasks. As an example, an organization can obtain a platform that is able to predict, detect and respond to breaches automatically, allowing them to resume operations as quickly as possible.

They can track, predict, and visualize cybersecurity incidents, accelerating the process of resolving an incident. Importantly, utilizing an incident response platform assist in reducing legal and regulatory risks, on top of managing cybersecurity events. A platform like this can provide automated incident reports, which can be beneficial when required to disclose an incident andnotify authorities of it.

Another key capability of an incident response platform is that it allows controlled intelligence sharing with an organization or a community of your own choosing, which aligns with requirements in the National Cyber Incident Response Plan.

In summary; tracking digital evidence and forensic investigation are some of the critical capabilities provided by incident response platforms, which makes them an ideal solution for any entity that is required to comply with the updated National Cyber Incident Response Plan.

A Weekend in Incident Response #13: Can Smaller Banks Comply with New York’s Proposed Cyber Security Rules?

Back in September, 2016, the New York State Department of Financial Services proposed a set of cyber security rules aimed at improving security among financial institutions. If accepted, the proposed rules will make it mandatory for banks and other financial institutions, as well as insurance providers, to develop a cyber security plan, and appoint a CISO (Chief Information Security Officer), who would enforce that plan in case of a cyber security incident.

While the state’s intention with the proposal of these rules is to help protect financial institutions from cybercrime, with many of the affected organizations provisionally stating that they are in favor of them, there were many institutions that didn’t seem to welcome the new requirements. Smaller institutions were concerned that these requirements would become an unnecessary additional financial burden for them. However, there are solutions that could help make the implementation of these requirements more cost effective for all organizations, including the smaller providers of financial services.

Cybersecurity Programs and Policies at the Center of the Requirements

There are a few main areas encompassed in New York State’s Proposed Cybersecurity Requirements for Financial Services Companies:

● Establishment of a Cybersecurity Program
● Adoption of a Cybersecurity Policy
● Designation of a CISO, (Chief Information Security Officer)
● Third-Party Service Providers

There are some additional requirements for the cyber security programs that are supposed to include – among other things – written incident response plans for response to and recovery from cyber security events, and annual risk assessments of the integrity, confidentiality, and availability of information systems.

Incident Response Platforms

Though the proposed requirements appear to be too cumbersome, expensive, and difficult to implement for small financial institutions at first glance, there are affordable solutions on the market that can be adopted to address all the above cyber security rules. There are platforms providing an automated incident response and assist organizations in recovering from cyber security events quickly and efficiently. Incident response platforms are the most cost-effective solution that all regulated entities can adopt in order to adhere with the proposed requirements.

Such platforms are all-in-one solutions allowing for the identification of cyber risks and cyber security events, enabling recovery to normal operations, by performing automated forensics. Other capabilities include – determining the exact number of incidents that have occurred within a certain period of time and what has caused them. Additionally, there are incident response platforms capable of performing predictive analytics, allowing an organization to prioritize its response, resulting in reduced reaction time and significant financial savings.

Another important feature of an incident response platform is the ability to track digital evidence and create automated incident reports. They can be sent to an organization’s cyber security team.

Considering that every new state or federal requirement presents an additional burden for small banks and other financial services providers, these types of platforms are one of the rare solutions that will allow them to comply with those requirements without having to spend substantial amounts of money. These platforms automate the entire cybersecurity incident response and recovery process, effectively streamlining an organization’s cybersecurity plan in the most cost-effective manner.

A Weekend in Incident Response #12: How to Create Cyber Incident Recovery Playbooks in Line with New NIST Guide

When it comes to protecting your organization against cyber incidents, you can never be too careful. The methods and techniques employed by cyber criminals are becoming increasingly sophisticated with each passing day, requiring you to adapt and improve your cyber defense accordingly. One of the most important aspects of any type of protection against cyber attacks is the way you respond to and recover from current and past cybersecurity events. Cyber incident recovery playbooks as an integral part of an organization’s incident response strategy can go a long way toward reducing reaction times and restoring operations as soon as possible following an attack.

In this regard, it can be said that cybersecurity incident response platforms are necessary for every organization that needs to protect information and other assets that could be potential targets of cyber criminals. These types of platforms help businesses and government agencies stave off cyber attacks and recover from data breaches, and their usage is in line with recommendations by the United States National Institute of Standards and Technology (NIST). To make it easier for organizations to recover from various cybersecurity incidents as quickly as possible, the NIST constantly issues new and updated guidelines that represent a good foundation that organizations can rely on while developing their cyber incident response plans. The latest guide introduced by the NIST focuses on what organizations can do to make their recovery procedures and processes more effective and less time-consuming.

Efficient Risk Management

The Guide for Cybersecurity Event Recovery encompasses wide-ranging tips on how to create a best practices plan for making an organization’s system fully operational following a breach. One of the key points addressed in this guide is the fact that recovery is a crucial aspect of the broader risk management efforts within an organization, stressing that there are various solutions for bringing a system back online, but no matter the severity of the breach that brought the system down, every organization needs to be prepared to respond to these events in advance. To do that, organizations are advised to adopt detailed plans and cyber incident recovery playbooks for various types of cybersecurity incidents, so that they can reduce their reaction time and minimize the damage in the event of a data breach.

Playbooks are a central key to the Recovery Processes and Procedures

When it comes to recovery, the NIST guide basically states that every organization needs to focus on the development of recovery processes and procedures that are centered around playbooks, which would allow them to respond to different types of breaches in the most effective way.

Automated playbooks are considered to be a crucial tool for a successful recovery operation. Using a platform providing automated cyber security incident recovery playbooks increases the level of preparedness of your organization to quickly respond to cybersecurity events and recover from data breaches, ransomware, and other incidents. The guide advises recovery teams within each organization to run the plays with table top exercises so that they can be constantly aware of all potential risk scenarios and detect potential gaps in their response plans.

In addition to playbooks, the guide highlights the aspect of documenting current and past cybersecurity incidents as another important factor for improving an organization’s recovery capabilities. To that end, organizations should utilize a platform that includes automated playbooks and has the ability to track digital evidence and analyze the causes of cybersecurity incidents. Followed by an automated creation of extensive and detailed incident reports. A platform of this type is the best solution for a comprehensive cybersecurity incident protection, encompassing identification, detection, response, and recovery.