Why incident management may be the problem
If you’re reading this blog, odds are high that you don’t have to be convinced of the need to reduce the burnout resulting from working on a cybersecurity incident response (IR) team for even a short time. The only question is what to do about it.
I’m going to explain three key areas against which you can examine your organization’s unique situation and identify improvements to your cybersecurity incident management capability. Doing so will help both the team’s morale and its effectiveness. These areas apply equally well whether you do cybersecurity incident management in-house or through a managed services provider.
1. You need to reduce the needle stack.
If the job in IR is to find “the” needle in a needle stack, then we need to reduce the size of the stack itself. Look at the following levers.
Control misconfiguration and configuration drift are among the weaknesses attackers look for most consistently. This is one of the reasons that CrowdStrike, in its 2019 Cyber Front Lines report, lists Active Directory and OS configuration hardening as two of its top three mitigation recommendations. At CyberMSI, we use Microsoft’s Configuration Score to identify and reduce misconfigurations, and it certainly helps to pick the low-hanging fruit.
Risk-based threat and vulnerability management (TVM) is another crucial lever that all cybersecurity teams emphasize yet many IT and business teams ignore, often without good justification. This is as much a risk management and specifically a governance issue as it is a technological one, and you should address it as such. Refer to an earlier blog of mine where I wrote about how an effective cybersecurity strategy can address these types of challenges. Remember that a large share of cybersecurity incidents happen because known, actively exploited vulnerabilities remain unpatched for weeks, months and sometimes even years.
The final lever is to actively consume threat intelligence that’s built into your TVM and other tools such as EDR and/or SIEM. Good threat intelligence enables you to focus your limited resources on incidents that matter, and the difference can be as big as navigating with the help of a GPS device instead of a magnetic compass.
2. Triage and escalate incidents correctly.
Organizations need to define their risk tolerance and severity classifications very carefully as part of the overall IR process. It’s important to recognize that different types of cybersecurity incidents require different classifications, severity and response procedures. Without this type of prioritization, you’re setting yourself up for frustration and failure.
Do you know what assets you’re protecting? Knowing what comprises your critical data and infrastructure is a must because it’s the major decision factor in classifying incidents. You also need to know what types of threats you’re protecting against, meaning your IR team needs to know its threat vectors. NIST’s Computer Security Incident Handling Guide (SP 800-61) provides a list of common attack vectors (external/removable media, attrition, web, email, impersonation, improper usage, loss or theft of equipment) that you can use as a comparison.
Taking stock of asset criticality, threat vector and the stage of the cyberattack, which you can determine using a model like Lockheed Martin’s Cyber Kill Chain, enables you to systematically triage incidents. The benefit in the end is that your IR team members don’t triage a port-scanning incident the same way as a malware infection affecting a customer database.
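The triage approach described above, as an added example that is not code from the original post or from CyberMSI: a small scoring model that combines asset criticality, the NIST SP 800-61 attack vector and the Cyber Kill Chain phase into a severity band. The vector weights, the multiplication formula and the band thresholds are assumptions chosen for illustration; only the vector names and kill-chain phase names come from the cited models. The sample incidents are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class AssetCriticality(IntEnum):
    """How important the affected asset is to the business (from your asset inventory)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# NIST SP 800-61 rev. 2 attack vector categories. The weights are an assumption
# for this example: they express how often each vector leads to hands-on-keyboard
# intrusion in our hypothetical environment, not anything NIST publishes.
VECTOR_WEIGHT = {
    "external/removable media": 2,
    "attrition": 1,
    "web": 2,
    "email": 2,
    "impersonation": 3,
    "improper usage": 2,
    "loss or theft of equipment": 2,
    "other": 1,
}

# Lockheed Martin Cyber Kill Chain phases, in order. Later phases mean the attacker
# has already made progress, so they score higher.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command and control", "actions on objectives",
]

# Score thresholds for severity bands (assumed; tune to your own risk tolerance).
SEVERITY_BANDS = [(40, "SEV1"), (20, "SEV2"), (8, "SEV3"), (0, "SEV4")]


@dataclass
class Incident:
    name: str
    asset_criticality: AssetCriticality
    vector: str
    stage: str


def triage_score(inc: Incident) -> int:
    """criticality x vector weight x kill-chain position (1..7). Unknown values fail loudly
    rather than silently scoring low, so a bad classification cannot hide an incident."""
    stage = inc.stage.lower()
    if stage not in KILL_CHAIN:
        raise ValueError(f"unknown kill chain stage: {inc.stage!r}")
    vector = inc.vector.lower()
    if vector not in VECTOR_WEIGHT:
        raise ValueError(f"unknown attack vector: {inc.vector!r}")
    stage_position = KILL_CHAIN.index(stage) + 1
    return int(inc.asset_criticality) * VECTOR_WEIGHT[vector] * stage_position


def severity(inc: Incident) -> str:
    score = triage_score(inc)
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "SEV4"


def triage_queue(incidents: list[Incident]) -> list[tuple[str, str, int]]:
    """Return (name, severity, score) ordered so the analyst works the worst item first."""
    rows = [(i.name, severity(i), triage_score(i)) for i in incidents]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample incidents, mirroring the post's port-scan vs. customer-database contrast.
SAMPLE_INCIDENTS = [
    Incident("port scan against DMZ host", AssetCriticality.LOW, "other", "reconnaissance"),
    Incident("phishing email delivered to finance", AssetCriticality.MEDIUM, "email", "delivery"),
    Incident("malware installed on customer DB server", AssetCriticality.CRITICAL, "email", "installation"),
]

if __name__ == "__main__":
    for name, sev, score in triage_queue(SAMPLE_INCIDENTS):
        print(f"{sev} (score {score:>3}): {name}")
```

The point of failing on unknown vectors or stages is that a mis-typed classification should surface in the queue tooling, not quietly land an incident in the lowest band.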
3. Automation’s our friend.
Security orchestration, automation and response (SOAR) products are soaring in popularity for good reason. SOAR products connect disparate security technologies through standardized, automatable workflows that let cybersecurity teams carry out IR activities consistently and quickly.
If you’ve documented IR activities in a playbook, chances are pretty good that you can use SOAR to automate the whole thing. At CyberMSI, we use Microsoft Sentinel SOAR to automate several of our IR playbooks, including those for email phishing, IOC collections, and threat hunting.
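What a documented phishing playbook looks like once it is turned into code, as an added example that is not code from the original post, from CyberMSI or from Microsoft Sentinel: parse the reported message, extract the indicators an analyst would look at by hand (sender domain, URLs, attachment hashes), match them against a threat-intelligence feed, and emit the response actions the playbook prescribes. The IOC feed, the allowlist, the action names and both sample emails are constructed for the example; in a real deployment the feed lookup and the actions would be calls into your EDR, mail gateway and ticketing system.

```python
import email
import email.utils
import hashlib
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed threat-intel feed and allowlist (hypothetical values, not real indicators).
IOC_FEED = {
    "domains": {"example-invoices.test"},
    "urls": {"http://example-invoices.test/reset"},
    "sha256": set(),
}
ALLOWLIST = {"corp.example"}

# Constructed sample messages. The first imitates a credential-phishing lure,
# the second is an ordinary internal email.
PHISH_EMAIL = b"""From: "IT Support" <helpdesk@example-invoices.test>
To: alice@corp.example
Subject: Password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://example-invoices.test/reset
or http://login.corp.example/reset
"""

BENIGN_EMAIL = b"""From: Bob <bob@corp.example>
To: alice@corp.example
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Notes are on the wiki: http://wiki.corp.example/notes
"""


def _in_domains(host: str, domains: set) -> bool:
    """True if host equals or is a subdomain of any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_indicators(raw: bytes) -> dict:
    """Pull sender domain, URLs and attachment SHA-256 hashes out of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    urls, hashes = set(), set()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            hashes.add(hashlib.sha256(payload).hexdigest())
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"sender_domain": sender_domain, "urls": urls, "sha256": hashes}


def run_phishing_playbook(raw: bytes, ioc_feed: dict, allowlist: set) -> dict:
    """Return a verdict, the matched indicators and the ordered list of actions to take."""
    ind = extract_indicators(raw)
    hits = []
    if ind["sender_domain"] in ioc_feed["domains"]:
        hits.append(("domain", ind["sender_domain"]))
    for u in sorted(ind["urls"]):
        host = (urlparse(u).hostname or "").lower()
        if u in ioc_feed["urls"] or _in_domains(host, ioc_feed["domains"]):
            hits.append(("url", u))
    for h in sorted(ind["sha256"]):
        if h in ioc_feed["sha256"]:
            hits.append(("sha256", h))

    external_urls = {u for u in ind["urls"]
                     if not _in_domains((urlparse(u).hostname or "").lower(), allowlist)}
    if hits:
        verdict = "malicious"
        actions = (["quarantine_message"]
                   + [f"block_{kind}:{value}" for kind, value in hits]
                   + ["open_ticket:P1"])
    elif not _in_domains(ind["sender_domain"], allowlist) and external_urls:
        # No known-bad indicator, but an outside sender pointing at outside URLs:
        # park it for a human rather than auto-closing it.
        verdict = "suspicious"
        actions = ["hold_for_analyst", "open_ticket:P3"]
    else:
        verdict = "benign"
        actions = ["close_as_false_positive"]
    return {"verdict": verdict, "hits": hits, "actions": actions}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, run_phishing_playbook(raw, IOC_FEED, ALLOWLIST))
```

The "suspicious" branch is the part teams most often forget when automating: the playbook should only auto-close what it can positively clear, and route everything in between to a person.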
Automation’s a game changer for cybersecurity, especially as it becomes more robust thanks to AI. Everyone’s talking about how AI is going to replace humans in cybersecurity. That may happen in the future. For the foreseeable future, however, automation is the greatest weapon we have in our arsenal as defenders, so let’s use it to make our lives more secure and easier.
In closing, I leave you with 3 questions to consider as you reflect on improving your team’s IR procedures:
- Does your incident management team receive regular information from IT on major changes to applications, infrastructure and network to avoid spending time gathering contextual information instead of responding to cyberattacks?
- Is the division of responsibilities clear between the IR and IT teams (e.g. shutting down a customer-facing website if it’s been compromised) to avoid unnecessary hand-offs?
- Does your IR team take the time to discuss, reflect and incorporate lessons learned afterwards or is it off to fighting the next wildfire?