Views on news
The XDR: Redefining the future of cybersecurity study found that the average SecOps team has to manage 51 incidents per day, with 36% of respondents claiming they deal with 50 to 200 daily incidents. Part of the problem is the siloed nature of security and detection and response systems, the study claimed.
Separate studies have highlighted the physical and mental toll security breaches resulting in revenue loss can take on SecOps analysts, with 70% of first responders feeling so stressed outside of work that they are unable to switch off or relax and are irritable with friends and family.
Meanwhile, there is an emerging trend, agile incident response, in which following a defined cycle avoids the pitfall of a siloed response.
A high percentage of the 50-200 incidents are, however, minor ones and can be remediated automatically. Alerts that are contained can be decategorized and sent to the service desk.
Today the integration of digital products is easier than before, especially in cloud environments, thanks to SIEMs that can plug in and collect telemetry and login data from all the different systems (Office 365, HR, medical etc.) to monitor behaviour patterns and send alerts when there are anomalies.
What also helps integration is that vendors of different systems have recently embraced information-sharing protocols, as well as the increasing popularity of SOAR, which integrates all the tools, systems and applications within an organisation’s security toolset and then enables the SecOps team to automate incident response workflows.
Running simulations and feeding lessons learnt back into the IR playbook
De Montfort University has developed SCIPS (Simulated Critical Infrastructure Protection Scenarios), a table-top exercise in which participants take on a predefined senior executive role, and teams are required to balance a limited investment budget against competing market, corporate and personal priorities.
Another approach is to consult with clients in order to put together a scenario that is directly applicable to them, condensing this into exercises based on the incidents most likely to happen to them in the near future. Simulations are usually no longer than a working day, with about 3 shorter scenarios that participants need to solve without any assistance.
As simulations involve a lot of people (not just your IR but also legal, HR, finance teams etc.), it may be unviable to just spring the tabletop exercise on them.
However, they mustn’t know anything about the exercise itself beforehand. Ideally, these exercises should be organised quarterly, but in reality they are typically annual. You should also plan how your teams will communicate when the corporate communication system (Slack or Zoom) is down, for example by designing a phone tree.
The panel’s advice
An hour of training on internal organisational techniques such as how to distinguish facts from assumptions, suspicions and trash (referred to as FAST in the STORM Guidance lingo) will most probably improve the effectiveness of the simulation.
Unless your organisation has a comprehensive playbook, it will be very stressful to respond to a real incident when it hits.
Check out Theema, a crisis-proof business messenger that allows a company to maintain communication and continue regular business operation during a cyber attack while having full administrative control over it.
Watch it on-demand here.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543