CISO strategies and tactics for incident response
Discover more about CISO strategies and tactics used in incident response and how the mindset of incident response has evovled
Add bookmarkCISO strategies and tactics
While the world continues to adapt and change, cyber security executives remain constant. Tried and true methodologies still apply and decades of work still measures up to most threats. CISO strategies and tactics for incident response features some familiar thinking, but many CISOs have unique thoughts, strategies, tactics and methodologies in the advent of the digital acceleration.
How incident response mindsets have changed over the past three to six months
Eliminating unnecessary legacy systems
As continued distributed work now is now inevitable, there is a fresh opportunity to discover end-of-life scenarios for legacy systems. One way to make your security technology stack more progressive is to cut your technology debt. With the ability to now see roughly twelve months into the future, it is easier to see what technology is expendable.
Realizing distributed continuity
Moving to a distributed workforce has provided unexpected gains for the enterprise. With the elimination of commute times as well as the removal of in office, ad-hoc offline conversations, productivity has ioncreased.
“By having the workforce remote and locked in, we have this unique amount of continuity that is really beneficial to the team. We are not distracted by the things of the office and that allows us to get through the processes and get to the reporting and mitigation stage as fast as possible.”
Bob Turner
Chief information security officer, University of Wisconsin-Madison
Setting board expectations and preparation
For a CISO to set board expectations to include a global pandemic in Q4, 2019 would have been a stretch to say the least. Now, global boardrooms are prepared for a global-scale disruption. With that level of disruption being conceived, taking the opportunity to ensure that the boardroom is prepared for your next major breach is more straightforward. From there, during actual incident response, manual processes will be different and socialization of recovery times will be different.
“At this point, if we do suffer a major cyber breach, the board is prepped. We are diligent with our backups, and how we manage backups to the point where we still have an offsite mechanism. Our incident response dictates having manual processes, while we do the recovery and then socializing recovery times with the business so that we set the expectation.”
Jeff Campbell
Chief information security officer, Horizon Power
Legal ramifications
“The recent incident involving Capital One and the ensuing litigation has changed the thinking of a lot of CISOs on how to approach incident response. If you have your incident response team produce a report and it is disseminated widely, that the attorney-client privilege is no longer a meaningful designation under discovery."
Kayne McGladrey
Senior Member, Institute of Electrical and Electronics Engineers (IEEE)
The biggest key for incident response strategy moving forward
Flexible operationalizing of new timelines
Long-term forecasting had been truncating for years leading into the pandemic. A long-term forecast at this moment is one-year. As that recalibration of time has been to an exponentially shorter-term, systemized thinking should perhaps be applied. Incident response work must be operationalized despite a distributed workforce.
“We are planning to keep working like this for the foreseeable future. That means having that resiliency at home, having that resiliency of your teams at home, or wherever they work from. So, we have had to be more flexible in our plans."
Tom Kartanowicz
Regional chief information officer - Americas, Commerzbank AG
Involving the value chain
Incident response now encompasses third parties which means responsibility for everyone in the value chain. Not having visibility into each section of the value chain brings inherent vulnerabilities and risks, especially in the case of a cyber attack or third-party data breach.
“Let’s say our data gets fully encrypted and we cannot get it back. We refuse to pay the ransomware. Can we lean on our suppliers to actually get us new hardware?”
Jeff Campbell
Chief information security officer, Horizon Power
Gaining greater visibility
For incident response to be effective, companies must have visibility over their networks. Networks are now an infinitely distributed patchwork of unapproved routers that provide access to home internet of things (IoT) devices and more. Considering such fertile threat ground, some new tools simply must be put in play.
“We have some very strong automated response tools that block and tackle threats for us. This means we have greater visibility into our network. So, even if something does not have an agent on it, when we detect changes in patterns of traffic, we are alerted to that before it becomes something bigger.”
Lisa Tuttle
Chief information security officer, SPX Corporation
New tactics in incident response
Attaining remote hygiene
Business continuity plans ensure that, in theory, enterprises was prepared for a natural disaster in theory. If an incident occurs during an actual natural distaster, however, the network must have remote hygiene for the business continuity plan to work and to ensure the network remains secure.
“Whether it is an alternate cloud provider, an alternate VOIP provider or sending supplies by post office or FedEx so people have the incident response plan in their remote work location, remote hygiene is critical.”
Tom Kartanowicz
Regional chief information officer - Americas, Commerzbank AG
Five key incident response questions moving forward
- How well instrumented are we to deal with a breach when there is no perimeter anymore?
- Are you capable of getting the data from end points, whether you control them or not?
- Are employees educated in incident response from the start of their employment?
- How does your company deal with the forensics and clean up following a cyber security incident?
- Have you done a remote incident response test; do you know how to get in touch with the relevant teams even when not in office?
Sam McLane
Chief technology services officer, Artic Wolf Networks
Also read: CISO Considerations for managed XDR investments
Adapt to the changing risk landscape
AS technology progresses, so too will threats against that technology. Companies should consider how risks and the threat landscape are changing and amend their incident response playbook accordingly.
Making it personal
There is an opportunity to increase time spent on mitigating incidents to limit the necessity of spending time on incident response. Staying in front of communications is key to mitigating phishing attacks. Putting time and energy into fortifying that security is essential, rather than wondering about the potential risks of home networks.
“People do not necessarily understand how to configure their routers or how to change a default password. So, we are trying to sell the win of how changing the router security helps them and their family, as well as the company.”
Lisa Tuttle
Chief information security officer, SPX Corporation
Engaging in pre-attack response through threat hunting
Incident response now involves the entire enterprise value chain. Involving the entire enterprise value chain on the ‘cyber range,’ where large swaths of enterprise partners and stakeholders can jointly experience an attack, can help test preparedness in a simulated environment.
“It is involving not just the technical people, but HR, legal, your executives and doing these full day or multiple day exercises. It involves that value chain. Having staff understand what they are looking for in the cleanup, and even pre-attack is really important.”Jeff Campbell
Chief information security officer, Horizon Power
Eliminating repetition and focusing on intuition
Global corporate enterprise cyber security executives are privy to hype. First generation SIEM tools came with a substantial amount of promise, but the payoff did not equate. While SIEM solutions have progressed and SOAR solutions gain steam, the entire cyber artifical intelligence (AI) solutions set is not missing out on talking the talk. There are cyber security automation solutions on the market, however, that do provide equitable bang for the buck.
“The reason AI solutions are exciting is not because the technology is exciting but because it saves analysts time. This means instead of doing the mundane things, they can focus on intuition and on making intelligence out of data.”
Kayne McGladrey
Senior member, Institute of Electrical and Electronics Engineers (IEEE)
CISO focuses outside of incident response technology
All things are now technology
The cloud has expanded the perimeter exponentially. Additionally, the IoT is bringing operational technology (OT) online, further complicating the perimeter. If everything from a human to a vending machine is technology that can be attacked, the posture of the enterprise has to adapt.
“Where our manufacturing plants were previously completely separate, now things are all connected. We are considering how we manage authentication of people, of our distributors and even devices as we are doing more connected products. That is a big, long path.”
Lisa Tuttle
Chief information security officer, SPX Corporation
Security awareness
If there is one phrase that is shared more often than any other in the cyber security space, it is security awareness. The weakest links in any enterprise cyber security are humans.
“The first thing to tackle is awareness, e.g. making sure that your user understands your acceptable use policies and the risks of mingling systems.”
Kayne McGladrey
Senior member, Institute of Electrical and Electronics Engineers (IEEE)
“It is a mixture of trying to instill the culture, trying to instill the awareness, enabling folks, empowering folks, through cyber security.”
Dennis Leber
Chief information security officer, The University of Tennessee HSC
Security culture and communication
Awareness is simply the first step. Infusing the organization with a cyber security culture and consciousness is the ultimate goal.
“It is about making incident response part of an automatic reaction and ensuring there is a cyber security culture. For example, if a staff member accidentally clicks on a malicious email, making sure they automatically know what to do next. That is bringing incident response forward.”
Jeff Campbell
Chief information security officer, Horizon Power
Remote table tops
"It comes back to the procedures and policies. It is the muscle memory, it is testing. Last year we were doing tabletops. This year, we are doing a few fully remote tabletops. We might have to test out a scenario based on remote failure, based on our key people not being available. In addition, we are altering our tabletop exercises, doing them more frequently. We have to practice, practice, practice and adjust to this new reality."
Tom Kartanowicz
Regional chief information officer - Americas, Commerzbank AG
"When you have so many different ways to communicate, confusion is caused by different tools that do not exactly align as far as capabilities go. When you are shifting back and forth on a regular basis, you have to worry about configuration every time you enter the room."
Bob Turner
Chief information security officer, University of Wisconsin-Madison
How will incident response evolve over the next year?
Good hard questions will help us change for the better
“Asking difficult questions has always been one of the hardest things. Perhaps it is difficult to influence technology teams. It is more difficult to influence peers and business leaders in a way that makes them want to be a partner. Security cannot be a silo. It has to be what is best for our business. If we are not talking to each other, we are not going to get there.”
Lisa Tuttle
Chief information security officer, SPX Corporation
Distributed capabilities will be changed for the better
“We need to really evaluate, are we being as efficient as possible when we are communicating? Are we being as efficient as possible when we are doing incident response? As we do this, we are finding out an awful lot about our people, our tools and our processes that are going to be more improved by the time we get to this point next year.”
Bob Turner
Chief information security officer, University of Wisconsin-Madison
Automation orchestration can change for the better
“In the future, there will be a lot of orchestration automation, but we will still require individuals with the skill set to understand the technical aspects. Over the next 12 months, we are going to see a rapid maturity in that space, to the point where we will start to know what normal looks like, automatically.”
Jeff Campbell
Chief information security officer, Horizon Power
Human nature will remain the same
“Even before the internet, even before technology, there has always been another human trying to scam another human. It is never going to change. Cybercrime has now surpassed the report of physical crimes because it is more lucrative, it is easier to do, and you can do it from anywhere in the world. So that will stay the same. They are going to keep hacking; they are going to keep attacking. We will keep doing our best to get in their way.”
Dennis Leber
Chief information security officer, The University of Tennessee HSC
Also read: Automating enterprise cyber security report