API: Incident Response Action Plan

Wednesday, November 12, 2014 @ 07:11 AM gHale


By Gregory Hale
The inevitable happens: The network is under attack, just what do we do now? If there is an incident response program in place, you just follow the plan.

“You do not rely solely on technology, you also need the people and process,” said David Brown, senior director of services enablement at Accuvant, during his Tuesday session entitled “Incident Response Management” at the 9th Annual API Cybersecurity Conference and Expo in Houston. “If you don’t use them, the technology tools are useless.”


He was referring to the three pillars of security, people, process and technology, which together form the foundation of an incident response program.

“You have to make sure you have the right people involved,” he said of presenting the plan to business leaders. “You have to have someone who can translate geek to business language.”

Nothing will turn off executives faster than a plan, and its documentation, that is purely technical and unintelligible to them. “You have to make sure documents are readable and understandable,” he said.

Using a simple incident scenario, Brown walked through a basic form of incident management: know whom to report an incident to, tag the evidence, follow the path of the incident, understand the reaction and create remedies, find other entry paths, inform the authorities, investigate, and have the company react to and manage the incident.

One of the most important points, he said, is that after you create the plan you do not put it on a shelf and let it collect dust. A company needs to test the plan and simulate incidents. “You need to plan a walk through, simulate incidents, do some tabletop exercises, and test the technology,” Brown said.

Creating the response plan remains a key element today because “attacks are getting more sophisticated, more frequent and malicious and the risks are evolving faster than clients can react,” said Daniel Soo, principal of cyber risk services at Deloitte & Touche, during his portion of the incident response session.

Soo also noted that while insider attacks are growing, the vast majority of assaults on systems (90 percent) still come from outside attackers.

A few other figures Soo cited for external attacks:
• 55 percent were from organized crime
• 21 percent were state affiliated
• 2 percent were activists
• 1 percent were former employees

He added that phishing is the technique that works best, with 95 percent of state actors using it to open an attack. “Phishing works,” he said.

When it comes to incident management, Soo said there are two types of users out there. “You have either been breached and you know about it or you have been breached and don’t know about it. That is why there needs to be an incident process in place,” he said. “How do I become resilient so once I am attacked I know what to do.”

When it comes to the oil and gas industry, what do threat actors look for? Soo asked. “They look for a competitive advantage to undercut, stealing bid information or strategic information insight.”

Peter Trahon, executive director in Ernst and Young’s fraud investigation and dispute services practice, agreed.

“The threats are out there and it is real,” he said during his portion of the session. “There are about a dozen countries out there that are strong nation states for cyber crime. Not just China. I would be shocked if (one of those countries) didn’t have plans taken from us.”

“Threats are increasing and so are the vulnerabilities,” he said. “The adversaries can exploit them much quicker than we can fix them.”

Trahon stressed some of the key elements of a security program that an incident response effort depends on:
• Identify the real risks
• Protect what matters most
• Sustain your security program
• Embed security in the business

“The primary goal is to rapidly cut off the attacker’s access to the environment,” Trahon said. “But, if they don’t get what they want, they will be back.”
