What’s wonderful about all our security industry and specifically the products, is that we constantly see similar fancy dashboard reporting. These views focus on an abundance of information being displayed to aid users trying to correlate and make historical data relevant. It’s vital data but I don’t think this information is best placed in this scenario. I am going to focus on the perspective that is most relevant to myself, and that’s incident response. For incident response, historical data is relevant when you have a purpose to use it. Our main focus, within incident response, is to respond to incidents that are relevant right now.
We often focus on thinking outside the box and use examples from other business models in order to facilitate our own growth. I think this concept is common and serves its purpose for planning, but we must understand the purpose for which we’re trying to use this concept. I always laugh when I see a show of the morning which displays stock/indices information. I ask myself, who is next to implement that view in their security product? Considering this, I think it’s something we need to seriously think about. Is this information relevant for this purpose at this point of a cyber investigators journey?
Over-complicating and over-stimulating users with too much data can have the opposite effect of the desired consequence. You’ll lose value and purpose for this information and ultimately it can become another piece of background clutter that is easily ignored. Time is essential when dealing with any cyber security event, not only from a response standpoint but also an evidentiary gathering perspective. Orchestrating information at the correct time is just as important as responding to the incident itself. Evasion techniques, obfuscation, and piggybacking are just some of the thought processes cyber intruders will use. It’s extremely difficult to know when the right time will be for each individual case, however having an incident response platform to gather and display incident information is essential and following this information in a visual manner will prove effective to the war rooms.
An incident responder’s dashboard should be clear and concise. The investigator, analyst or stake holder should see information that can drive them to an action on a granular level. While this information may be different from organization to organization, the concept should remain the same. I do enjoy a good list, so here are some of the thoughts I have when planning a dashboard view:
– Active Cyber Incidents per business units and their priority, some people mention this as a health status. Either way the concept is the same. Which business units have incidents registered against them? What’s the priority of the incident? This should simply generate a % number and a color coding. Use RED, if major, Green is low priority and non-invasive tasks identified. The number should represent the inverse of incidents * by the priority raised
– Events identified by source, knowing which products are producing the most events is quite key in identifying if this source is doing its job or if the source could be configured differently
– Playbook stage number, time to close organized by priority.
Incident data is critical, and the general rule of thumb is more is preferable to not enough. However, given that the purpose is to understand the relevant data as it relates to current and future incidents, this simple technique ensures that your incident data feeds not only remain timely, but provide maximum value as well.
The United States Computer Emergency Readiness Team (CERT) has announced that it will implement new cybersecurity notification guidelines, which are going to have a significant impact on how government agencies and organizations from the private sector deal with cyber incidents.
As the US-CERT states, the new guidelines will impose new requirements regarding notifications on cybersecurity incidents, that must be complied with by all Federal Departments and agencies; state, local, tribal, and territorial government agencies; along with private-sector organizations, and Information Sharing and Analysis Organizations. The cybersecurity notification guidelines will include a specific procedure involving how, when, and who the covered entities will be required to notify after they detect an incident within their organizations.
Identifying Incidents Through a Seven-Step Process
According to the guidelines, in order for an agency to be able to notify the CERT of an incident properly, it will have to complete a process consisting of seven steps. For starters, the agency must identify the current level of impact an incident has on its services or functions. Then, identification of the type of information lost, compromised, or corrupted, is required. This step should be followed by an estimation of the scope of time and resources that an agency will have to spend in order to recover from the incident.
Next, agencies should identify when the activity was first detected, after which they will be required to identify how many systems, records, and users have been impacted. The final two steps are the identification of the location of the network the activity was observed in, and identification of the point of contact information for additional follow-up.
After completing the above-named steps, agencies will have to submit the notification to the US-CERT, with a specific set of information that is required to be included in the notification, such as:
- Information on the attack vector(s) that lead to the incident
- Indicators of compromise
- Information related to any mitigation activities that the agency has taken in response to the incident
Incident Response Platforms
In order to be able to comply with the new requirements regarding cybersecurity incident notifications, organizations are advised to employ a cybersecurity platform that provides a comprehensive and automated incident and forensic case management.
A platform that provides you with a set of playbooks specifically tailored to many potential cyber threats. Your organization can save a great deal of time and resources by using a tool that can create automated incident reports and send them to your cybersecurity team, a process which would be in compliance with the new US-CERT guidelines.
Considering that the cybersecurity incident notification process under the new cybersecurity notification guidelines is extensive and can be challenging for some organizations that do not have the resources or the knowledge necessary to complete it, acquiring a platform that can do all the required steps for you is the best solution for all entities covered by the guidelines. This is where a platform containing prioritized workflows designed to help your business respond to current threats and prepare your cyber defense systems for future threats, which are bound to occur eventually, can come in handy. Finally, considering the upcoming US-CERT guidelines, every private-sector organization and government agency could use a platform that can track digital evidence and entire investigative processes, as some of the key steps that should be performed when notifying authorities of an incident.