3 Best Practices for Incident Categorization to Support Key Performance Indicators

The DNA sequence of any one human is roughly 99.5% identical to that of any other. Yet when it comes to incident response, and the way individual analysts interpret the details of a given scenario, that near-total similarity all but vanishes. Where one analyst characterizes an incident as the result of a successful social engineering attack, another may instead record it as a generic malware infection. Similarly, a service outage may be labeled a denial of service by some, while others attribute the root cause to an improper procedure carried out by a systems administrator. Root cause and impact (the incident outcome) are just two of the many attributes that, unless properly accounted for in the case management process, will play havoc with a security team’s reporting metrics.

Poor Key Performance Indicators can blind decision makers

What is the impact of poor KPIs? All too often, equally poor strategic decisions. Money and effort are assigned to the wrong measures, for example to yet more prevention controls that have already proven ineffective, rather than to improved response capability. In the worst case, poor KPIs blind decision makers to the most pertinent security issues of their enterprise, and the funding needed for additional security is withheld altogether.

Three best practices address this all-too-common obstacle to accurate reporting:

  1. A coherent incident management process is necessary in order to properly categorize incident activity. Its definitions must be clear, taking into account outliers, stating how root causes and impacts are to be tracked (separately, since one incident has both), and providing a workflow that guides analysts to accurate and consistent incident categorization.
  2. The process must be enforced to guarantee uniform results in support of coherent KPIs. Training, quality assurance, and reinforcement are all necessary to ensure total stakeholder buy-in.
  3. Security teams must have the technologies to support effective incident response and proper categorization of incidents.
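The following is an added illustration of practice 1, written for this page rather than taken from IncMan or any DFLabs code. It records the two axes that the opening examples conflate, the initial vector (how the activity started) and the outcome (what it did), as independent fields, so that a phishing-delivered malware infection is never "either social engineering or malware", and an outage caused by a bad administrative change is never confused with a denial of service. The `classify` routine is a fixed-precedence decision workflow over an analyst's yes/no findings (the field names such as `user_lured` and `change_ticket_present` are hypothetical), and `kpis` rolls the result up per axis. The sample incidents are constructed for the example.

```python
"""Consistent incident categorization and KPI roll-up (added example, not IncMan code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from statistics import mean


class Vector(Enum):
    """How the activity started: the root-cause axis."""
    SOCIAL_ENGINEERING = "social_engineering"
    EXPLOIT = "exploit"
    NETWORK_FLOOD = "network_flood"
    OPERATOR_ERROR = "operator_error"   # non-adversarial: misconfiguration, bad change
    UNKNOWN = "unknown"


class Outcome(Enum):
    """What the activity achieved: the impact axis."""
    MALWARE_EXECUTION = "malware_execution"
    DATA_EXPOSURE = "data_exposure"
    SERVICE_DISRUPTION = "service_disruption"
    NONE = "none"                        # attempt blocked; still an incident


ADVERSARIAL = {Vector.SOCIAL_ENGINEERING, Vector.EXPLOIT, Vector.NETWORK_FLOOD}


@dataclass(frozen=True)
class Incident:
    ident: str
    vector: Vector
    outcomes: frozenset
    detected_at: datetime
    contained_at: datetime

    @property
    def time_to_contain(self) -> timedelta:
        return self.contained_at - self.detected_at


def classify(facts: dict) -> tuple:
    """Deterministic categorization over yes/no findings (hypothetical field names).

    Vector precedence is fixed, so two analysts with the same facts land on the
    same category. Outcomes are accumulated rather than chosen, so a phishing
    lure that drops malware which then exfiltrates data is recorded as
    SOCIAL_ENGINEERING -> {MALWARE_EXECUTION, DATA_EXPOSURE}.
    """
    if facts.get("user_lured"):
        vector = Vector.SOCIAL_ENGINEERING
    elif facts.get("vulnerability_exploited"):
        vector = Vector.EXPLOIT
    elif facts.get("traffic_flood"):
        vector = Vector.NETWORK_FLOOD
    elif facts.get("change_ticket_present") or facts.get("admin_action_caused"):
        vector = Vector.OPERATOR_ERROR
    else:
        vector = Vector.UNKNOWN

    outcomes = set()
    if facts.get("payload_executed"):
        outcomes.add(Outcome.MALWARE_EXECUTION)
    if facts.get("data_left_boundary"):
        outcomes.add(Outcome.DATA_EXPOSURE)
    if facts.get("service_unavailable"):
        outcomes.add(Outcome.SERVICE_DISRUPTION)
    if not outcomes:
        outcomes.add(Outcome.NONE)
    return vector, frozenset(outcomes)


def kpis(incidents) -> dict:
    """Roll incidents up per axis; outages are split into attack vs. process failure."""
    by_vector = Counter(i.vector for i in incidents)
    by_outcome = Counter(o for i in incidents for o in i.outcomes)
    hours = defaultdict(list)
    for i in incidents:
        hours[i.vector].append(i.time_to_contain.total_seconds() / 3600)
    outages = [i for i in incidents if Outcome.SERVICE_DISRUPTION in i.outcomes]
    adversarial = sum(1 for i in outages if i.vector in ADVERSARIAL)
    return {
        "by_vector": {v.value: n for v, n in by_vector.items()},
        "by_outcome": {o.value: n for o, n in by_outcome.items()},
        "mean_hours_to_contain": {v.value: round(mean(h), 2) for v, h in hours.items()},
        "outages_total": len(outages),
        "outages_adversarial": adversarial,
        "outages_process_failure": len(outages) - adversarial,
    }


def sample_incidents():
    """Constructed sample cases (not real data) mirroring the scenarios in the text."""
    t0 = datetime(2017, 3, 1, 9, 0)
    cases = [
        ("INC-1", {"user_lured": True, "payload_executed": True}, 4),
        ("INC-2", {"user_lured": True, "payload_executed": True, "data_left_boundary": True}, 12),
        ("INC-3", {"traffic_flood": True, "service_unavailable": True}, 2),
        ("INC-4", {"change_ticket_present": True, "service_unavailable": True}, 1),
        ("INC-5", {"user_lured": True}, 0.5),   # lure reported, nothing executed
    ]
    out = []
    for ident, facts, h in cases:
        vector, outcomes = classify(facts)
        out.append(Incident(ident, vector, outcomes, t0, t0 + timedelta(hours=h)))
    return out


if __name__ == "__main__":
    for key, value in kpis(sample_incidents()).items():
        print(f"{key}: {value}")
```

Run as a script it prints the roll-up for the five constructed cases: three social engineering incidents, of which only two resulted in malware execution, and two outages, one adversarial and one a process failure. The point is that "how many outages did we have" and "how many outages were attacks" are both answerable from the same records, which is exactly what a single free-form category field cannot give you.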

There are several ways that the IncMan platform supports the three best practices:

First, IncMan provides a platform to act as the foundation for an incident management program. It provides customizable incident forms allowing for complete tailoring to an organization and the details it must collect in support of its unique reporting requirements. Custom fields specific to distinct incident types allow for detailed data collection and categorization. These custom fields can be coupled with common attributes to track specific data, giving security teams flexibility in what they collect while keeping reporting consistent across the team’s individual members.

Next, playbooks can be associated with specific incident types, providing step-by-step instructions for specialized incident response activities. Playbooks enforce consistency and can further reinforce reporting requirements. However, playbooks are not completely static, and while they certainly provide structure, IncMan’s playbooks also offer the ability to improvise, add, remove or substitute actions on the fly.

The platform’s Knowledge Base offers a repository for reference material to further supplement playbook instructions. Information collection requirements defined within playbook steps can be linked to Knowledge Base references, arming analysts with added information, for example with standard operating procedures pertaining to individual enterprise security tools, or checklists for applicable industry reporting requirements.

IncMan also includes Automated Responder Knowledge (ARK), a machine learning driven approach that learns from past incidents and the response to them, to suggest suitable playbooks for new or related incident types. This is not only useful for helping to identify specific campaigns and otherwise connected incident activity but can also highlight historical cases that can serve as examples for new or novice analysts.

Finally, the platform’s API and KPI export capabilities enable the extraction of raw incident data, allowing for data mining of valuable reporting information using external analytics tools. This information can then be used to paint a much clearer picture of an enterprise’s security posture and allow for fully-informed strategic decision-making.

Collectively, the IncMan features detailed above empower an organization with the means to support consistency in incident categorization, response, and reporting. For more information, please visit us at https://www.dflabs.com

A Weekend in Incident Response #20: New Regulations on Reporting Cyber Security Breaches for New York’s Financial Institutions

Faced with the growing threat of cyber attacks and the challenges involved in recovering from various cyber security events, New York state’s authorities have rolled out new cyber security regulations that apply to financial institutions operating within the state. New York’s Department of Financial Services (DFS) has issued the final Cybersecurity Requirements for Financial Services Companies. The rules affect “Covered Entities”, defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”. They establish a set of standards for reporting cyber security breaches to regulators, in addition to requiring the implementation of specific cyber security policies.

Cyber Security Programs and Incident Response Plans

The new regulation aims to protect New York’s banks and insurance providers against cyber attacks, along with protecting sensitive consumer data. To that end, the rules, which went into effect on March 1, 2017, prescribe a wide-ranging set of requirements for financial services companies: specific steps they are supposed to take to be better prepared for cyber security incidents, and how and when they must notify authorities of cyber attacks on their computer systems and networks.

According to the regulations, financial services companies are required to create a cyber security program that is expected to protect their information systems against cyber attacks. A covered entity’s cyber security program should be focused on identifying internal and external cyber security risks, detecting cyber security events, responding to detected cyber security events, recovering from cyber security events, and complying with reporting obligations.

As far as cyber security policies are concerned, covered entities are required to implement them in order to be able to address systems and network security, information security, data governance, customer data privacy, risk assessment, and incident response, among other aspects of cyber security.

Reporting Incidents

When it comes to incident response plans, the new rules make reporting cyber security incidents to regulators a central part of those plans. Regulated entities are required to confirm that they have gathered documentation regarding cyber security events and reported them to the relevant government and supervisory bodies, as part of their previously devised incident response plans.

Compiling documentation on cyber security events, creating appropriate reports, and notifying authorities can be a tedious task for any organization’s CSIRT, and companies can face tough consequences if they do not complete the documentation in a timely and proper manner. A cyber incident response platform that generates reports on cyber security incidents automatically and in various formats, and that also tracks and collects evidence, helps a security team compile the required documentation faster and with less effort.

These types of platforms can also help companies’ CSIRTs detect cyber security breaches and respond as quickly as possible, which is one of the main capabilities the new cyber security regulations require from covered entities.

A Weekend in Incident Response #19: Reporting Cyber Security Incidents Fast and Easy with Automated Playbooks

Many organizations often complain about having to abide by strict regulations regarding government notification of cyber security events, claiming that such mandates only put them under an extra strain, in terms of increased expenses and unnecessary burden on their employees.

But, given that the risk of cyber attacks for many government agencies and private organizations across the world continues to grow, all activities that have to do with cyber security need to be intensified, and notifying authorities is one of the key parts of those efforts. Detailed and timely government notifications of cyber security events often play a crucial role in preventing future incidents and in improving current incident response plans and programs.

Why Notifications Are Important

While it is true that government notification of a breach can be a time-consuming and complicated process, it is safe to say that – on top of overall cyber security efforts – it is also beneficial to companies in terms of protecting themselves from potential legal liabilities and substantial financial losses, along with unimaginable damage to their reputation.

Laws that mandate reporting cyber security incidents to governmental agencies and law enforcement vary from one country to another, but most of them share the requirement to notify the individuals whose sensitive information has been stolen, misused, or accessed in an unauthorized manner, in addition to notifying the authorities.

Save Time and Comply with Regulations Through Playbooks

One of the best ways to make sure your company complies with data breach notification laws is to update your cyber incident response program to include an automation and orchestration platform with dynamic reporting capabilities.

You can save a lot of valuable time by utilizing such a platform, considering that reporting cyber security events involves a complicated procedure and encompasses several different processes that can take up a lot of your time if you don’t use the proper tools to do it.

A platform with reporting capabilities can drive the reporting workflow and ensure that you do not waste time determining what information needs to be disclosed and how to notify law enforcement in a confidential manner, without the risk of accidentally sharing sensitive information with the public or with a party or individual that is not supposed to have access to it.

These types of platforms are able to notify authorities and affected individuals of a data breach quickly and reliably, as soon as it has been confirmed, through a variety of secure channels. They can create automated reports of any incident, describing the incident in detail, including what type of data has been accessed by an unauthorized person and the amount of data that has been stolen, deleted, or otherwise compromised.

By relying on a cyber incident response platform that features automated playbooks for breach notifications, your organization will always be prepared for the unwanted event of falling victim to a data breach and will avoid the risk of failing to comply with regulations that have to do with reporting cyber security events to law enforcement and affected organizations or individuals.

A Weekend in Incident Response #3: U.S. Department of Defense Introduces Final Rule on Cyber Incident Reporting

On November 3, 2016, a new cyber incident reporting rule for Defense Industrial Base (DIB) companies that do business with the U.S. Department of Defense (DoD) went into effect.

The final rule, recently published by the Office of the Chief Information Officer of the DoD, will implement requirements that all DoD contractors and subcontractors will have to comply with when reporting cyber incidents. It defines the mandatory cyber incident reporting requirements, which the Department of Defense says will apply to “all forms of agreement between DoD and DIB companies”. The agreements in question include contracts, grants, cooperative agreements, and any other type of legal instrument or agreement.

Adopting a Standard Reporting Mechanism

One of the goals of this rule is to establish a uniform reporting standard for cyber incidents on unclassified DoD contractor networks or information systems. Under this rule, DoD contractors and subcontractors will be required to report cyber incidents that result in “actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support“.

While it is interesting to see that every cyber incident is potentially subject to reporting, it’s also important to note that this rule changes the definition of Covered Defense Information (CDI). The rule states that it will now refer to any data in the Controlled Unclassified Information Registry that requires “safeguarding or dissemination controls pursuant to and consistent with law, regulations and Government-wide policies“ and is either marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.

Also, there is a new definition for covered contractor information system, which is now defined as “unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information.”

Using Incident Response Platform for Efficient and Quick Reporting

There is a lot of data and many different types of information that go into a cyber incident report. While, on the technical side, there is an ongoing discussion on which taxonomy should be used for effective reporting, strategists agree that creating a proper cyber incident report that complies with the above-mentioned requirements is not an easy task, and it might take a lot of time and resources to do it.

However, there are various solutions designed for this exact purpose, that can help contractors save a lot of time and money by automatically gathering all the necessary information following an incident and creating reports that can help during investigations.

For instance, all entities to which the DoD’s Final Rule on Cyber Incident Reporting applies can get a lot of use out of software with KPI report summary capabilities, creating information summaries for all incidents under previously specified user criteria.

Also, such software should be able to create custom reports that can be invoked by the user, employing previously created custom templates and complying with most cyber incident reporting standards and requirements worldwide, not only in the United States.

Is the Existing Vendor Supply Chain Ready for This?

In general, I personally think there is still a considerable number of companies that are part of the IT supply chain and are not ready for such regulations. On the other hand, vendor risk management is quickly becoming part not only of the Government system but also of business practice, so breach notification policies shall be globally followed as part of it. The main risk is that this will be interpreted as a compliance task, not a security one. Thus, the real challenge will be creating value out of such a compliance task. My personal experience suggests to me that value can be created only in two ways: by providing the correct information (in a timely and standard manner) and by sharing it. Time will tell.