SAN FRANCISCO -- When things go wrong in life, it's always good to have a few friends you can call. The same holds...
true for information security incident response teams, according to practitioners at the 2014 RSA Conference, who advised attendees to be sure internal and external partners are ready to respond well before an incident occurs.
During a panel discussion last week about preparing for and managing high-profile information security incidents, Bill Downes, vice president and chief information security officer for Connecticut-based The Hartford Financial Services Group Inc., explained that in the past 13 years, he has seen his firm's incident response team change dramatically.
Downes said the passage of numerous state data breach notification laws resulted in the group transforming from an IT-centric team focused on mundane threats like the ILOVEYOU virus, to a business-centric group that included representatives from data privacy, compliance, legal and investor relations.
"Today we're still good at identifying and putting out the fires," Downes said, "but those additional people enable us to make sure we're notifying clients and regulators if necessary, and complying with all the different state requirements."
More recently, he said the incident response team's activities have been tied to The Hartford-based company's larger crisis management program, resulting in a greater emphasis on preparedness exercises such as rapid-response communication drills and tabletop exercises to simulate potential incidents.
Speaking on the need for greater internal involvement, Rocco Grillo, managing director of incident response and forensic investigations for Menlo Park, Calif.-based incident response specialist Protiviti Inc., emphasized the importance of having corporate counsel participate on the enterprise incident response team to protect the organization's legal interests in the event of a major breach, particularly if it's clear law enforcement needs to be involved.
"Law enforcement doesn't want to hurt your reputation, but they'll do what they need to do to find the bad guys," Grillo said. "Before you turn control over to them, from a reputation standpoint, you need to know what messages are going out to the public, and the best way to control that is by having attorneys involved."
Though internal participation is vital, Roland Cloutier, vice president and chief security officer with New York-based ADP Inc., said having outside help at the ready is equally critical, especially for organizations such as his that have limited forensics resources internally. Cloutier noted he put pre-negotiated agreements in place with a variety of outside forensics providers around the world who can quickly provide support in the event of a major cybersecurity incident.
Cloutier also said technology plays a key role in incident response planning. He advised organizations to have response plans in place to address various types of incidents, from the smallest to the largest, and to use security and workflow management technology to automatically trigger notifications for certain participants and stakeholders, based on the type and severity of the incident.
"That way, when an incident does happen, the teams are simply going through their checklists," Cloutier said.
Cloutier even suggested having representatives from the sales and customer support teams participate. Such measures can enable key members of those teams to be prepared with pre-positioned statements, he noted, so they can more ably brief clients on exactly what happened and how the company is responding.
"The way the message comes across matters," Cloutier said. "If a client calls in with a question, and you haven't given [sales and customer support] specific statements to guide them, they'll be like, 'I didn't even know.'"
When is an incident actually an incident?
In today's complex business management landscape, even the process of defining and identifying an information security incident has become more difficult, and political.
Cloutier strongly recommended crafting guidelines for deciding which types of events should be considered major security incidents. He said the decision is easy in many circumstances, like obvious malicious activity, but many others, specifically various types of data leaks, are much more nebulous.
Pre-classifying security incident scenarios matters from a corporate governance standpoint, Cloutier said, because of the numerous legal, compliance and externally facing implications. Getting the CIO and general counsel to pre-approve the process for defining and dealing with certain types of incidents can accelerate the response process, he added.
Grillo warned that incident response teams should expect the unexpected, such as a vague call from a law enforcement agency.
"We've had clients get calls from law enforcement saying they have a problem, but they wouldn't tell them anything else," Grillo said. "In others, we've had clients who were notified by the media. The client didn't even know about it. That's an incredibly bad day."
More from RSA Conference 2014
See all of SearchSecurity's coverage of the industry's biggest annual event: http://searchsecurity.com/rsa2014
To avoid those scenarios, Downes said an organization should "normalize" its network, essentially creating a documented baseline of what constitutes normal activity on a day-to-day basis that IT and information security incident responders can use to help identify abnormal behavior. He added that it also helps to normalize key business processes related to information security.
"We had an incident where a rogue individual had enough information to go reset PIN numbers of our clients. But we had a process in place where if PIN resets occurred, we would send snail mail to our clients just confirming the change," Downes said. "Once we had a few people calling us up saying they didn't change their PINs, it was a cue to start digging into it from a forensics perspective."
Attendee Kathryn Saylor, director of the information technology evaluations division in the Office of the Inspector General of the United States, said the session helped her learn how to illustrate the importance of coordinating stakeholders in the incident response process. However, she said that in many organizations, bringing those people together is often easier said than done.
"You get outside of the IT security, and certainly the IT operations groups, and many people there don't have the understanding of the potential impact of an incident and how bad it can be," Saylor said. "It starts at the top. Executive leadership needs to have that understanding, but a lot of the time, even in the federal government, it's not easy to do."