In this session we will review the new demands on Information Security Teams and how they manifest in their Cyber Incident Response Plans (CIRPs). We will touch upon “actionable” plans that align with the business while addressing Board of Director concerns, discuss the new player, Cyber Insurance, and the wide range of external obligations facing organizations today.
1. The New Era of Incident Response Planning
Are you protecting the business or simply securing the enterprise?
2. Agenda:
• Introduction
• BOD Concerns
• Business Risk and the Consequences
• Actionable Planning
• External Reporting Obligations
• Cyber Insurance
• Q&A
3.
Dell - Internal Use - Confidential
Classification: //SecureWorks/Confidential - Limited External Distribution:
Introduction
• 20+ year IT career as a systems programmer, IT consultant, technical manager & IT sales
• 30+ years as a Marine Corps reservist, obtaining the rank of Lieutenant Colonel
– Post 9/11, ~4 years active duty as an Information Warfare Officer working at the US Strategic Command, the Pentagon, and the National Security Agency (NSA)
– Five years with US Cyber Command
• Managed the Information Security Operations / Threat & Vulnerability Management for a Fortune 100 Corporation:
– International staff
– Security patch remediation, vulnerability scans & remediation, penetration testing, system configuration monitoring & remediation, maintaining the various Computer Incident Response Plans (CIRP), and an active threat portfolio for key business functions, users, applications/platforms and persistent vulnerabilities
• Board of Directors of the San Francisco Bay Area / Silicon Valley chapter of the FBI’s Infragard program
• BS in Computer Science, an MBA, and a CISSP
5.
Risk = a Vulnerability that is exploited by a Threat, which manifests into a Consequence
It’s All About Business Risk
• Up until you are breached, the standards of due care are still fairly nebulous
• Once you have a breach, the expectations of your organization are clearly defined and backed by numerous regulators eager to show their constituencies that they mean business; this is a major concern for your board of directors
While most organizations have threat and vulnerability management programs, very few, if any, have consequence management programs. However, consequences are the focus of the board.
6.
Taken from a real Annual Report (SEC 10-K)
Board of Director Level Concerns
• If we suffer a cyber-security event we may lose customers, lose future sales, experience business interruption and injury to our competitive position, and incur significant liabilities, any of which would harm our business and operating results
• Disruptions in our services could damage our customers’ businesses, subject us to substantial liability and harm our reputation and financial results
• If we lose key employees or are unable to attract and retain the employees we need, our business and operating results will be adversely affected
• Privacy laws and concerns, evolving regulation of cloud computing, and the changes in laws, regulations and standards related to the Internet may cause our business to suffer
• Our intellectual property protections may not provide us with a competitive advantage, and defending our intellectual property may result in substantial expenses that harm our operating results
7.
Part one of the actual narrative
Understanding the Consequences
Our operations involve the storage, transmission and processing of our customers’ confidential, proprietary and sensitive information, including in some cases personally identifiable information, protected health information, proprietary information and credit card and other sensitive financial information. While we have security measures in place designed to protect customer information and prevent data loss, they may be breached as a result of third-party action, including intentional misconduct by computer hackers, employee error, malfeasance or otherwise, and result in someone obtaining unauthorized access to our customers’ data or our data, including our intellectual property and other confidential business information. A security breach or unauthorized access could result in the loss or exposure of this data, litigation, indemnity and other contractual obligations, government fines and penalties, mitigation expenses and other liabilities. Additionally, the cost and operational consequences of responding to breaches and implementing remediation measures could be significant.
8.
Part two of the actual narrative
Understanding the Consequences Cont’d
Computer malware, viruses and hacking and phishing attacks by third parties have become more prevalent in our industry, have occurred on our systems in the past and may occur on our systems in the future. Because techniques used to obtain unauthorized access to or sabotage systems change frequently and generally are not recognized until successfully launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As cyber-security threats develop and grow, it may be necessary to make significant further investments to protect data and infrastructure. If an actual or perceived breach of our security occurs, we could suffer severe reputational damage adversely affecting customer or investor confidence, the market perception of the effectiveness of our security measures could be harmed, we could lose potential sales and existing customers, our ability to deliver our services or operate our business may be impaired, we may be subject to litigation or regulatory investigations or orders, and we may incur significant liabilities. We do not have insurance sufficient to compensate us for the potentially significant losses that may result from security breaches.
9.
New Age of Incident Response
Incident Command (The OODA loop):
• Senior Mgmt. Reporting
• Decision Making
• Battle Rhythm
• Scribe
• Task Management
• Assumption Tracking
• Third Party Coordination
Technical Actions and Supporting Actions:
• Threat ID
• Threat Intelligence
• Threat Monitoring
• Threat Mitigation
• Threat Containment
• Threat Eradication
• Forensics
• Law Enforcement Liaison
• Evidence Collection/Mgmt.
• Vulnerability Mgmt.
• Key Asset Protection
• Brand Reputation Protection
• External Obligations
• Litigation Preparation
• Business Impact Mitigation
Diagram annotations: Fog of War; Friction; Center of Gravity; The Ad Hoc Organization during Crisis; Anticipation, Collaboration & Research; Requirements Driven Execution; Maintaining the Initiative
10.
If your CIRP was for your daughter’s wedding – would she ever talk to you again?
Actionable Planning
• Addressing the strategic risks of the organization
• Make “your” plan an “our” plan
• Socialized / vetted by the organization
• IT focus versus ‘business’ focus
• WHO (resources) will do WHAT (requirements), HOW (playbooks/procedures) & (research); WHY (aligned with Business Objectives – consequence based)
• Defined decision-making process to make “Business Impacting” decisions
• Vendors ready to go
• Updated quarterly
• Tested at least annually
• Mature “Lessons Learned” process
11.
Statutory, Contractual and just being a good business partner
External Reporting Obligations
• PCI is a contractual reporting obligation
• HIPAA is a statutory reporting obligation
• Almost every State has a statutory reporting obligation
• If you connect to someone else or share data, you have a reporting obligation (TPSA)
• Public Company: Obligation to notify shareholders of a “material” event
• “Release of Public Facing Information” obligation to your company
• Customers / Data Center / Cloud(?) in Europe? Asia?
• Cyber Insurance
12.
Would you like to be reimbursed for your efforts?
Cyber Insurance
13.
Plugged in to your Cyber Incident Response Program (CIRP)?
Cyber Insurance
• Pre-approval of vendors
• Notification requirements
• Add the Cyber Insurance manager to the CIRT
• Do you want to call them every time?
14.
If you remember only three things from this presentation:
Summary
• Review your company’s Annual Report and align your Preventative, Detective, and Corrective measures with those business risks.
• If you have Cyber Insurance, make sure it is integrated into your CIRP. Add your cyber insurance manager to the CIRT.
• Conduct a Table Top Exercise (TTX) of one of your BOD’s most significant risks (see above). If your CIRP doesn’t tell you who to invite – it’s not actionable and isn’t fully preparing you to protect the business.