Cyber security teams should learn from fire stations
Security leaders who care about solid incident response need to look beyond technology and develop institutional strength. This was the takeaway from a webinar on incident response hosted by Cloudflare earlier this month.
Joe Sullivan, chief security officer of Cloudflare, said: “The danger in our job is that we get so busy quantifying risk, and buying products and implementing solutions to reduce risk, that we forget to prepare for a crisis. We forget to build institutional strength about incident response. If you want to quantify risk, there are lots of tools out there. If you want to reduce risk, there are lots of security products out there. But there aren’t a lot of products and solutions that you can buy to help you respond well to an incident. If you want to build an institution that is strong at responding to incidents, it’s just going to take hard work on your team and on your part.”
Instead of remaining in reactive mode, Sullivan said security teams should learn from fire stations – even if one fire engine is out responding to a fire, there will be other engines in the station and other firefighters getting equipment ready for the next fire.
“The fire station is built for resilience,” Sullivan said. “It’s built to handle different types of fires, different levels of volumes of fires, any time of day and any type of situation. That’s what we need to have as our mentality as we build out a crisis response and incident response team inside a security organisation. We need to make sure we have the people, tools and processes ready for the different types of incidents that might come at us.”
It’s easy to make a list of the things that could go wrong, but it’s harder to capture all of them and articulate which one is most likely to happen, Sullivan said. “There could be a vulnerability in your code, an employee’s account getting compromised through a phishing attack or even a multi-factor authentication compromise, or somebody getting through your firewalls or launching a DDoS attack – you can think of a lot of different ways you can get attacked.
“What you can’t always anticipate is what will happen as part of the attack. It might not just knock you offline, but it might also take away your ability to communicate internally inside the company. It might not just lead to an employee getting their account compromised – the attacker might move laterally into a different part of the company and you might not detect it for weeks or months, and then you have a lot of different things to respond to all at once. So, it’s good to focus on trying to predict the bad things that could happen, but it’s also important to prepare for eventualities that you might not have expected.”
He pointed to the components of solid incident response and noted that effective communications and expert third-party partners are important to quick response.
Arun Singh, director of product marketing at Cloudflare, said: “A disaster recovery and continuity plan must be tailored to security incident scenarios to protect an organisation from potential cyberattacks and to instruct how to react in case of a data breach. Furthermore, it can reduce the amount of time it takes to identify breaches and restore critical services for the business.”
Chad Toerien, customer development manager SSA at Cloudflare, said: “In Sub-Saharan Africa, we saw that some businesses struggled with their business continuity strategies during the COVID-19 lockdown. Critical infrastructure organisations are maturing in terms of having incident response and cyber security business continuity plans in place, but many other organisations do not.”
Local companies have been adopting an ‘instant digital transformation’ plan during the pandemic crisis, and there is a clear difference between the companies that are responding and those who are reacting, he said. “Those who are responding have their cross-functional ‘fire stations’ operational. Those who are reacting are rushing around trying to build the fire station.”
Toerien said it was important for organisations to get to grips with the risks and the industry partners who could help the business mitigate the risk and recover from attack. “It’s about getting yourself educated and aware, because usually the first gap is the information gap. Next, consult vendors in this space and build your portfolio of knowledge to find the best allies to support the organisation in the event of an attack, and then formalise the plan with these organisations.”
In work-from-home scenarios, Toerien said educating the workforce is crucial. “Organisations need to be starting with educating teams on cyber security best practice, through to educating them on how to use new tools. To maintain levels of awareness, an internal wiki on best practice could be made available. There are tools to carry out audits to understand where the vulnerabilities are, and whether people are following the right procedures,” he said.
He noted that it was also important for employees to be made comfortable about reporting any incidents or security concerns immediately.