Each year SANS conducts a global Security Operations Center – SOC survey to identify the latest trends, recommendations and best practices to enable organizations to successfully build, manage, maintain and mature their SOCs. With the continual increase in volume and sophistication of cyber attacks it is crucial that SOCs are performing as effectively and efficiently as possible to respond to all security alerts and potential incidents, as well as providing a clear benefit and ROI to the organization’s current security program.
This week SANS released the results of their 2018 survey and what they defined as “SOC-cess”! This blog will cover a quick snapshot of the report highlights and we will delve deeper into some of the results in future posts.
SANS 2018 SOC Survey Highlights
Regardless of whether you are a security analyst, a SOC manager or a C-level executive, I am sure there will be some key learning points and takeaways for you, with some of the results resonating with you and your organization. So, how does your SOC stack up against the 2018 survey results?
Here are the key findings.
- Only half of SOCs (54%) use any form of metrics to measure their performance
- There is a lack of coordination between SOCs and NOCs (only 30% had a positive connection)
- Asset discovery and inventory tool satisfaction was rated the lowest of all technologies
- The most meaningful event correlation is still primarily carried out manually
- Over half of respondents (54%) did not consider their SOC a security provider to their business
- The most common architecture is a single central SOC (39%)
- Nearly a third of SOCs are staffed by 2-5 people (31%) and just over a third by 6-25 people (36%)
- Top shortcomings to SOC performance included:
- – Shortage of skilled staff (62%)
- – Inadequate automation and orchestration (53%)
- – Too many unintegrated tools (48%)
What do these results actually mean? I am sure they can be interpreted in many ways. For me some results were not surprising, such as the shortage of skilled labor is the number one shortfall affecting SOC performance. However, some were quite startling, in particular surrounding the number of SOCs that do not use any form of metrics to measure performance – results indicating nearly half.
With the growing number of threats also comes a growing number of challenges, and today it just isn’t possible for SOC analysts to manually carry out everything that is needed to run the SOC effectively. Investment in technology seems to be a must to help improve efficiencies, but it needs to be the right technology for the organization. The survey results show a clear need for SOCs to invest further in tools such as automation and orchestration, which was identified as the second most common shortfall affecting performance at 53%.
Defining and Measuring SOC-cess
What is “SOC-cess” and how can we determine what an efficient and effective SOC is? SANS definition of SOC-cess is as follows.
“SOC success requires the SOC to take proactive steps to reduce risk in making systems more resilient, as well as using reactive steps to detect, contain and eliminate adversary actions. The response activities of SOC represent the reactive side of operations.”
I am sure it can be defined and is defined in a multitude of ways across different organizations, but metrics will always be a key factor. Of those SOCs surveyed, the top three metrics measured included:
- Number of incidents handled
- Average time from detection to containment to the eradication of an incident
- Number incidents closed in a single shift
Without these metrics, there is nothing to compare to or benchmark against to measure the overall performance and capabilities of the SOC and it will be difficult for management to justify any additional investment in additional tools or resources if the effectiveness and return on investment can’t be calculated or quantified. Therefore, measuring metrics should be a number one priority for any SOC to determine its success, not only by the 54% of SOCs that currently do so.
Summary of Findings
Overall the SANS 2018 SOC survey results indicated that there was somewhat limited satisfaction with current SOC performance with an absence of a clear vision and route to excellence. Also, survey respondents felt that their SOCs were not fulfilling expectations and many areas could still be improved, although there was an overall consensus of the key capabilities that they felt must be present within a SOC.
Compared to last year’s survey, the results showed a minor improvement; however, there are still many challenges facing today’s SOCs and the teams operating within them which need to be overcome.
There are though a number of things that can help to drive improvements and these include better recruitment and internal talent development, improved metrics to ensure the SOC is providing value to the organization, a deeper understanding of the overall environment that is being defended and better orchestration both with the NOC and SOC, using orchestration tools to drive consistency.
Overall, the existence of a functional and mature SOC is a critical factor in an organization’s security program to adequately protect the business from the ever-evolving threat landscape and SOCs will need to continue to work on improving what they already have in place.
How Can DFLabs Help?
A Security Orchestration, Automation and Response (SOAR) platform, such as that offered by DFLabs can not only help to tackle the orchestration and automation shortfalls as mentioned above, but can also help to tackle a number of other common SOC challenges and pain points, including the shortage of skilled workforce, the integration of tools, as well as measuring SOC performance metrics.
Ask DFLabs today how we can help you to transform your SOC with SOAR technology and request a live demo of IncMan SOAR in action to see more.
Enterprise networks are complex environments, with numerous components often under the control of teams outside the security team. During an incident, it is critical that respondents understand the network topology and have the most current network policy and device information available to them. Network documentation is often incomplete and out-of-date; security teams need a way to quickly and efficiently gather actionable network intelligence to effectively respond to a security incident.
This blog will cover some of the current challenges faced by security operations teams and how they can harness the vast amounts of network intelligence available, such as device, policy and path information, using Tufin as a case study. By integrating with Tufin Orchestration Suite, DFLab’s IncMan SOAR platform can utilize its R3 Rapid Response Runbooks to enable the collection of actionable network intelligence, along with its automation, orchestration, and measurement power to respond faster and more efficiently to security incidents.
There are three specific challenges that are common within any security operations center and analysts need to be able to find an effective and efficient way to solve them and obtain the information they need as quickly as possible.
- How can I get a current list of network devices?
- How can I get a current list of rules and policies?
- How can I determine the network path from source to destination?
The DFLabs and Tufin Solution
Tufin Orchestration Suite takes a policy-centric approach to security to provide visibility across heterogeneous and hybrid IT environments, enable end-to-end change automation for network and application connectivity and orchestrate a unified policy baseline across the next generation network. The result is that organizations can make changes in minutes, reduce the attack surface and provide continuous compliance with internal and external/industry regulations. The ultimate effect is greater business continuity, improved agility and reduced exposure to cyber security risk and non-compliance.
Tufin Orchestration Suite together with DFLabs IncMan SOAR platform provides joint customers with an automated means to gather actionable network intelligence, a task which would otherwise need to be performed manually, taking up valuable analyst time when every minute counts. This results in an overall decrease in the mean time to respond (MTTR) to a computer security incident, saving the organization both time and potential financial and reputation loss.
It provides a list of current network devices based on any number of criteria, a list of current rules and policies for any number of devices and is able to simulate network traffic from source to destination, including path and associated rules. Here is a use case in action to see exactly how!
Network traffic between a workstation and a domain controller has been identified as potentially malicious by the organization’s UBA platform. The UBA platform generated an alert which was forwarded to IncMan SOAR, causing an incident to be automatically generated. Based on the IncMan Incident Template, the following R3 Runbook was automatically assigned and executed to gather additional network intelligence.
The information gathering begins by simulating the network path between the source address and destination address of the potentially malicious network traffic. This information is gathered by two separate Enrichment actions, one which will display this information in a table format, and another which will display the same information in a graphic network path which can be exported and shared or added to reports.
As with information from any other IncMan Enrichment action, each network device on the path between the source address and the destination address is stored within an array which can be used by subsequent actions.
After the path information has been retrieved, an additional Enrichment action is used to retrieve information about each device along the path. This includes information such as device vendor, model, name and IP addresses.
Following the acquisition of the device information, two additional Enrichment actions are utilized to gather additional network intelligence. The first action will retrieve all rules for each network device along the path. Detailed information on each matching rule will be displayed for the analyst, allowing the analyst to assess why the traffic was permitted or denied, what additional traffic may be permitted from the source to the destination, and what rule changes may be appropriate. The second action will retrieve all policies for each network device along the path. Similar to the previous rule information, this information will allow the analyst to assess the configured network policies and determine what, if any, policy changes should be made to contain the potential threat.
Harnessing the power of Tufin Orchestration Suite, along with the additional orchestration, automation and response features of DFLab’s IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective response and reduced risk across the entire organization.
To see the integration in action, request a demo of our IncMan SOAR platform today.
At the heart of incident response, and by extension of Security Automation and Orchestration technologies, resides the Cyber Incident. A typical definition of a cyber security incident is “Any malicious act or suspicious event that compromises or attempts to compromise, or disrupts or tries to disrupt, a critical cyber asset”. Almost everything we do in a SOC or a CSIRT is based on incidents, and there are a variety of potential incident sources, for example:
- Alerts from cyber security detection technologies such as Endpoint Detection & Response or User Entity Behavior Analytics tools
- Alerts from Security Information & Event Management Systems (SIEM)
- Emails from ITSM or case management systems
- Website submissions from internal stakeholders and whistle-blowers
- Phone calls from internal users and external 3rd parties
This diversity of incident sources means that a solid SAO solution must offer a variety of different methods to create incidents. Regulatory frameworks also frequently mandate being able to originate incidents from different sources. DFLabs IncMan offers a rich set of incident creation options.
There are three primary ways to create incidents in IncMan, offering flexibility to accommodate a variety of incident response process requirements and approaches.
Option 1: Automated Incident Creation
We will feature automated incident creation in a more detail in a future post. In the meantime, I will show you the location of this feature.
Select settings menu, then head to the external sources:
You will see that under the external sources option there are 3 options available to use as sources to automate incident creation:
- Incoming events automation, for CEF/Syslog
- Incoming Mail automation, for a monitored email account
- Integrations, for all QIC integration components.
Automating incident creation supports a variety of filters to support a rules-based approach. In addition, it is also possible to create incidents using our SOAP API. Certified 3rd party applications use this mechanism to create incidents within IncMan, for example, Splunk.
Option 2: Manual Incident Creation
Click the incidents menu option, then click the + symbol selecting the incidents screen
Fill out all mandatory fields (these can be defined in the custom fields screen) then step through and complete the incident wizard to create the incident:
Once all relevant fields have been completed, click save and this incident will then appear in the incident view and apart of the queue you assigned in the details screen.
Option 3: Incident creation from source
Select an incident source for the incident you want to create, for example, a Syslog or CEF message, an Email, or a Threat intelligence source (STIX/TAXI, ThreatConnect):
In this screen, you can then convert this source item to an incident, or link the source to an existing incident.
In incident response, protecting against a targeted attack is like slaying the hydra. For those not familiar with what a hydra is, it is a multi-headed serpent from Greek mythology, that grows two new heads for every head you chop off. A determined attacker will try again and again until they succeed, targeting different attack vectors and using a variety of tactics, techniques, and procedures.
The Snowden and Shadowbroker leaks really drove this home, giving partial insight into the toolkit of nation state actors. What really stuck out to me was the sheer variety of utilities, frameworks, and techniques to infiltrate and gain persistence in a target. Without the leak, would it be possible to reliably determine that all of those hacking tools belonged to a single entity? Would a large organization with thousands of alerts and hundreds of incidents every day be able to identify that these different attacks belonged to a single, concerted effort to breach their defenses, or would they come to the conclusion that these were all separate, unrelated attempts?
Our colleagues in the Threat Intelligence and Forensic analysis industries have a much better chance to correlate these tools and their footprint in the wild – they may discover that some of these tools share a command and control infrastructure for example. A few did have at least an outline of the threat actor, but judging by the spate of advisories and reports that were released after the leaks, not very many actually appear to have achieved this to a great degree. The majority were only able to piece the puzzle together once equipped with a concise list of Indicators of Compromise (IoC) and TTP’s to begin hunting with.
“How does this affect me? We are not important enough to attract the attention of a nation state actor”
Some readers may now be thinking, “How does this affect me? We are not important enough to attract the attention of a nation state actor”. I would urge caution in placing too much faith in that belief.
On the one hand, for businesses in some countries the risk of economic espionage by-nation state hacking has decreased. As I wrote on Securityweek in July, China has signed agreements with the USA, Canada, Australia, Germany and the UK limiting hacking for the purpose of stealing trade secrets and economic espionage. However, this does not affect hacking for national security purposes, and it will have little impact on privately conducted hacking. These are also bilateral agreements, and none exist in other nations, for example, Russia or North Korea. For militarily and economically weaker nation states, offensive cyber security is a cheap, asymmetric method of gaining a competitive or strategic advantage. As we have seen, offensive cyber activity can target civilian entities for political rather than economic reasons, and hackers are increasingly targeting the weakest link in the supply chain. This means that the potential probability of being targeted is today based more on your customer, partner, and supply chain network, and not just on what your organization does in detail. Security through obscurity has never been a true replacement for actual security, but it has lost its effectiveness as targeted attacks have moved beyond only focusing on the most prominent and obvious victims. It has become much easier to suffer from collateral damage.
Cyber criminals are becoming more organized and professional
On the other hand, cyber criminals are becoming more organized and professional, with individual threat actors selling their services to a wide customer base. A single small group of hackers like LulzSec may have a limited toolbox and selection of TTP’s, but professional cybercrime groups have access to numerous hackers, supporting services and purpose-built solutions. If they are targeting an organization directly and are persistent and not opportunistic, it will be as difficult to discern that a single concerted attack by one determined threat actor is taking place.
What this means in practical reality for any organization that may become the target of a sophisticated threat actor, is that you have to be on constant alert. Identifying, responding to and containing a threat is not a process to be stepped through with a final resolution step – instead, cyber security incident response is an ongoing, continuous and cyclical process. Advanced and persistent attacks unfold in stages and waves, and like a war consist of a series of skirmishes and battles that continue until one side loses the will to carry on the conflict or succeeds in their objectives. Like trying to slay the hydra, each incident that you resolve means that the attacker will change their approach and that the next attempt may be more difficult to spot. Two new heads have grown instead of one.
To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT
To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT – but we must do this without creating a perpetual state of alarm. The former means that your team of analysts is always aware and alert, looking at individual incidents as potentially just one hostile act of many that together could constitute a concerted effort to exfiltrate your most valuable data, disrupt your operational capacity, or abuse your organization to do this to your partners or customers. In the latter case, your analysts will suffer from alert fatigue, a lack of true visibility of threats, and a lack of energy and time to be able to see the bigger picture.
The hydra will have too many heads to defeat.
In the Greek legend of Heracles, the titular hero eventually defeats the Hydra by cauterizing each decapitated stump with fire to prevent any new heads from forming. Treating an incident in isolation is the Security Incident Response equivalent of chopping off the head of the hydra without burning the stump. Applied to our problem, burning the stump means that we have to conduct the response to each incident thoroughly and effectively, and continue the process well beyond containment.
We must invest more time in hunting and investigating, and we have to correlate and analyze the relationship between disparate incidents. We must use threat intelligence more strategically to derive situational awareness, and not just tactically as a machine-readable list of IoC’s. This also requires gathering sufficient forensic evidence and context data about an incident and related assets and entities during the incident response process, so that we can conduct post event analysis and continuous threat assessment after containment and mitigation have been carried out. This way we can better anticipate the level of threat that we are exposed to, and make more informed decisions about where to focus our resources, add mitigating controls and improve our defenses. In Incident Response “burning the stump” means making it more difficult for threat actors to succeed in the future by presenting them with a hardened attack surface, reducing their reside time in our infrastructure, and reducing the time we need to discover and contain them. To do this we need to learn from every incident we manage.
Cyber criminals do not discriminate against anyone when it comes to their targets of choice. They go after whatever organization they consider to have a potential to yield substantial financial benefits, without taking into account that some of their exploits might even lead to international conflict or an environmental catastrophe of unimaginable scale.
Cyber attacks on critical infrastructures have become commonplace lately, threatening public health and safety, and deteriorating relations between countries. Having in mind how sophisticated and advanced these cyber threats are, it is no wonder that it is extremely difficult to detect and prevent all of them, so a proper cyber incident response plan that would help contain the damage and recover from an attack becomes a necessity.
Incident Response Solutions for Critical Infrastructure Sectors
Critical infrastructure is comprised of organizations from various sectors, including health care, energy, telecommunications, financial services, government, and transportation, among others. All businesses and institutions that are part of one of these sectors are potential targets for cyber criminals.
To improve their ability to mitigate cyber security threats more effectively, these organizations are advised to create a workflow-based incident response plan relying on automation and orchestration platform.
Benefits of a Workflow-Based Security Incident Response Plan
By utilizing an incident response platform that allows an orchestrated approach while automating certain routine and time-consuming tasks, organizations can greatly reduce reaction times of their cyber security teams, and start the recovery process as soon as possible.
A workflow-based platform, that incorporates a set of actions tailored to specific types of cyber attacks, allows security teams to go through all stages of an incident response quickly and effectively, by providing them with concrete steps that need to be taken based on the type and scope of an attack. Furthermore, based on the attack types, knowledge sharing articles could be associated with the incident for faster and more efficient resolving.
In addition to workflows, automation-and-orchestration incident response platforms can easily integrate with intelligence sharing platforms, allowing organizations to send and receive essential cyber security events information, improving their ability to prevent future attacks.
Cyber attacks on critical infrastructure are probably going to become even more common, so investing in an incident response platform with automation and orchestration capabilities would be of great help to organizations looking to enhance their cyber defenses moving forward. By doing that, they would also be contributing to efforts for preserving international peace and public safety.
While many institutions and businesses from various industries were still reeling from the WannaCry attack that took the world by storm back in May, cyber criminals launched another crippling ransomware attack earlier this week, catching a lot of cyber security professionals across 60 countries by surprise and bringing essential business operations to a halt.This latest high-profile attack, called Petya ransomware, bears many of the hallmarks of WannaCry, in that it is a typical ransomware scheme, paralyzing computers and spreading through internal networks after infecting one machine.
Another important similarity is that just like WannaCry, Petya exploited the same Microsoft Windows vulnerability – Eternal Blue, to spread within networks. On the other hand, there is one significant difference between the two attacks – Petya, unlike WannaCry, was not aimed at extorting money, but rather incurring serious damage to computer networks, with researchers saying that Petya was just disguised as ransomware, but its main goal was to spread throughout networks as fast as possible and cause the biggest infrastructural damages possible.
Containing the Damage
Petya ransomware was primarily designed to infect computers in order to prevent organizations from continuing their day-to-day operations, rather than gaining financial benefit, and the attack did affect business operations of many companies, inflicting severe financial and reputation damage upon them. Ransomware attacks are extremely difficult to prevent, and the best thing organizations can do to avoid serious long-term consequences in case they get hit by one, is to make sure they have the tools to respond to it and contain the damage as fast as possible.
That can be best done with the help of an incident response platform with automation and orchestration capabilities. These types of platforms can help security teams reduce their reaction time when responding to an incident, which is crucial when attacks such as Petya occur. With a set of playbook actions specific to ransomware attacks, an incident response platform will allow your team to detect and analyze the attack faster, and it will suggest a specific list of actions that can help contain the damage in the most effective way possible. When it comes to ransomware attacks, recommended containment actions include isolating compromised machines, blocking communication over ports, and disconnecting shared drives, among other things.
Once you have taken the suggested containment actions, the platform will help you accelerate the recovery and remediation processes, and perform the appropriate post-incident procedure. The post-incident reactions are particularly important when dealing with ransomware attacks, as they play a major role in ensuring compliance with breach notification rules covering these types of cybersecurity incidents, such as the HIPAA Breach Notification Rule in the US.
To conclude, even though preventing ransomware attacks is a major challenge and there is not much that organizations can do in that regard, there are a lot of things they can do to reduce the impact of such incidents and avoid long-lasting consequences, which are usually associated with these types of cybersecurity events.
Preparing for cybersecurity incidents and responding to them can be a significant burden for any organization. On a daily basis, most security teams will commonly deal with numerous cybersecurity events, many of which will trigger some number of resource-taxing and time-consuming tasks such as gathering and vetting information, analyzing data, and generating incident reports.
It is for this reason that every tool, every solution, and every procedure that can help ease that burden is often more than welcome. Implementing Standard Operating Procedures (SOP) is one of the essential steps towards ensuring a more streamlined and effective incident response process, one that allows security professionals to focus on the more substantial and high-value activities, such as in-depth investigations and implementing improvements in the overall incident response program.
Coordinating Incident Response
Standard operating procedures are aimed at helping CSIRTs to follow the most effective possible workflow when dealing with cyber security events. A typical SOP should contain a list of specific actions that that security professionals need to take whenever their organization faces a particular cyber incident. It ensures that all employees within an organization know their responsibility and what activities they need to take in the event of a cyber attack. For instance, an SOP might note at what point in the incident the CSIRT member is responsible for reporting data breaches to the Information Security Officer and where to submit incident reports in the aftermath of a breach. Further, the SOP might also state how to assign an incident severity level and where to distribute a list of recommendations or specific instructions on how to address a particular threat.
Another important aspect of a SOP is that it should ensure that all workflows and actions taken during incident response are in compliance with regulations that the organization is required by law to adhere to.
Orchestrate and Automate the Process
In order to be worthwhile and effective, cyber security teams and resources from an organization must adhere to SOPs and realize benefits from doing so. Some of the actions recommended or required by a SOP in a given situation may take up a large portion of the time and effort of a security team, so adopting a solution that can orchestrate and automate some of those tasks can go a long way towards realizing those benefits by saving time and cutting costs.
Security automation and orchestration platforms can programmatically handle some of those time-consuming manual tasks, such as generating and sending reports, thereby help drastically reduce reaction times. They can also help quickly determine the severity of an incident and the impact it has on an organization, freeing security resources to focus on the containment, eradication and recovery activities the sop standard operation procedure requires.
In summation, security automation and orchestration platforms are a crucial tool for ensuring a proper implementation of standard operating procedures as a key piece of the cyber incident response puzzle.
In the context of cyber security, two of the most pressing concerns facing many organizations are the ever-rising number of cyber attacks and figuring out how to keep them at bay without having to increase manpower. The recent Cyber attacks are now more sophisticated and noticeably more common than they were even just a few years ago. Faced with this increased volume, private entities and government agencies are struggling to figure out how to help their security teams respond to cyber events in an effective and timely manner, while finding that most potential solutions require either substantial financial expense, or rely on the addition of specialized human resources.
Hiring skilled staff is a real challenge for most organizations amid an acute and global cyber security skills shortage. Unmet demand has led professionals in this field to command disproportionately high salaries and made it that much more difficult for businesses and governments to attract cyber security talent. Consequently, organizations are now also forced to seek out technical solutions that might actually help decrease their reliance on specialized and expensive human resources. This is where cyber security incident response platforms come in as arguably the most convenient, practical and cost-effective solution to the growing cyber security threat issue and specialized resource shortage.
Ease the Strain on Security Teams by Automating Time Consuming Incident Response Tasks
A security automation and orchestration platform is the economical solution to enable an organization to respond to cyber threats and eradicate them in the most effective and fastest way possible. It is also the best way to ease the strain on security teams which, in many organizations, are already overwhelmed with an uninterrupted incident response workload.
Analyzing and assessing the legitimacy, impact and scope of a cyber incident are some of the most time-consuming tasks undertaken by cyber security professionals today. It is exactly within those tasks that an orchestration and automation platform can be of most service. From an incident identification and analysis perspective, these platforms are force multipliers which greatly accelerate the incident triage process. They provide an organization with the ability to analyze the cause and effect of each incident and to assess the scope and impact to an organization from any number of incidents at any given time. From a response perspective, and beyond their ability to automate response activity on existing security infrastructure, they can generate automated incident reports for distribution to in-house security teams, providing response and recovery resources with key insights into the scope and severity of an incident, thereby often dramatically reducing reaction times.
In short, the dual challenge of addressing a growing number of cyber attacks while maintaining an ability to mount an effective response within an existing cyber security team, is best tackled by employing an automation and orchestration platform. Deploying this tool as a force multiplier for both existing security infrastructure and human resources, allows security teams to offload the most intensive tasks and frees these professionals to focus on the more high-value areas of a cyber security threat response.
Critical infrastructure is always a common target of cyber criminals. Similar to other countries, the Department of Defense (DoD) is a crucial part of the critical infrastructure in the United States, and as such, it is often exposed to various types of cyber attacks. Not only the Department itself, but its contractors are also under various cyber security threats. That is why the DoD is tightening up the requirements related to the cyber security of its contractors and subcontractors, in an effort to prevent cyber attacks on some of the key components of the nation’s critical infrastructure and protect classified information that is of major geopolitical and strategic importance.
As part of those efforts, the DoD issued a Final Rule aimed at better protecting covered defense information, applying to the Department’s contractors and subcontractors, in October of 2016. Most notably, the final rule revises the “Cloud Computing Services” and the “Safeguarding Covered Defense Information and Cyber Incident Reporting” clauses, referring to the way how contractors and subcontractors are required to handle covered defense information and report cyber incidents to authorities.
How Can Contractors Overcome the Challenges Involved in Mandatory Compliance with These Regulations?
As soon as the final rule was announced, many contractors doing business with the DoD expressed their concerns that the companies included in their supply chain will not be able to achieve full compliance with it before the December 31, 2017 deadline. Their grievances had to do with the clauses requiring contractors and subcontractors to notify the Department of Defense of a cyber security incident within 72 hours of it occurring, as well as some processes related to investigation and documentation of incidents.
The problem that the contractor and subcontractor communities have with these clauses is that they are expected to incur significant additional expenses for their businesses and require hiring additional human resources.
Avoid Increased Costs and Save Time with Just One Incident Response Platform
While the concerns that contractors have expressed regarding this rule are well founded, there are solutions that could help them avoid those potentially significant costs increases, while still ensuring complete compliance with these strict regulations.
One of the possible solutions is utilizing an automation-and-orchestration platform, providing complete case management for cyber security events. By using such a platform designed for fast and effective incident response, contractors and subcontractors will be able to notify authorities of any incident they detect in a timely manner, and collect and keep the required documentation that is required in the later stages of a future investigation.
Incident response platforms can track digital evidence for forensic investigation, along with keeping track of all actions taken by an organization’s cyber security team during an incident response process. On top of that, they can automatically create incident reports containing information that allow your cyber security teams to assess the current status of an incident, what has caused it, and the scope of the damages. With this capability, organizations can have a peace of mind that they will always be covered in case they suffer a cyber security breach. Understanding that they could now rely on an incident response platform to take care of the reporting and notification requirements included in the Department of Defense’s final rule on safeguarding covered defense information and cyber incident reporting.
What’s wonderful about all our security industry and specifically the products, is that we constantly see similar fancy dashboard reporting. These views focus on an abundance of information being displayed to aid users trying to correlate and make historical data relevant. It’s vital data but I don’t think this information is best placed in this scenario. I am going to focus on the perspective that is most relevant to myself, and that’s incident response. For incident response, historical data is relevant when you have a purpose to use it. Our main focus, within incident response, is to respond to incidents that are relevant right now.
We often focus on thinking outside the box and use examples from other business models in order to facilitate our own growth. I think this concept is common and serves its purpose for planning, but we must understand the purpose for which we’re trying to use this concept. I always laugh when I see a show of the morning which displays stock/indices information. I ask myself, who is next to implement that view in their security product? Considering this, I think it’s something we need to seriously think about. Is this information relevant for this purpose at this point of a cyber investigators journey?
Over-complicating and over-stimulating users with too much data can have the opposite effect of the desired consequence. You’ll lose value and purpose for this information and ultimately it can become another piece of background clutter that is easily ignored. Time is essential when dealing with any cyber security event, not only from a response standpoint but also an evidentiary gathering perspective. Orchestrating information at the correct time is just as important as responding to the incident itself. Evasion techniques, obfuscation, and piggybacking are just some of the thought processes cyber intruders will use. It’s extremely difficult to know when the right time will be for each individual case, however having an incident response platform to gather and display incident information is essential and following this information in a visual manner will prove effective to the war rooms.
An incident responder’s dashboard should be clear and concise. The investigator, analyst or stake holder should see information that can drive them to an action on a granular level. While this information may be different from organization to organization, the concept should remain the same. I do enjoy a good list, so here are some of the thoughts I have when planning a dashboard view:
– Active Cyber Incidents per business units and their priority, some people mention this as a health status. Either way the concept is the same. Which business units have incidents registered against them? What’s the priority of the incident? This should simply generate a % number and a color coding. Use RED, if major, Green is low priority and non-invasive tasks identified. The number should represent the inverse of incidents * by the priority raised
– Events identified by source, knowing which products are producing the most events is quite key in identifying if this source is doing its job or if the source could be configured differently
– Playbook stage number, time to close organized by priority.
Incident data is critical, and the general rule of thumb is more is preferable to not enough. However, given that the purpose is to understand the relevant data as it relates to current and future incidents, this simple technique ensures that your incident data feeds not only remain timely, but provide maximum value as well.