To continue with my series on the Next Generation of Security Operations, I want to look at how well security operations are positioned for the be-all, end-all of security – the actual Security Breach. Security incidents have a life of their own. How it all turns out is very dependent on how soon the problem is detected. Initial detection and preventing an attack early in the ‘kill chain’ can minimize or even stop any issue from escalating. However, that is not always possible and security operations must be prepared to escalate throughout the entire process until closure. There are some traditional stages when it comes to Security Incident response.
Stage 1: Security Event: The first stage is the security event. Many times this can be triggered from an individual event or a series of system events identified through some monitoring function. A few failed logins, some system errors thrown from an application, a log file growing quicker than usual… The types of events are numerous and the cause can range from innocuous hardware failures to a full blown attack. At this point, little is known except that something is indicating a possible security problem.
Stage 2: Security Incident: Once an event, or series of events, is identified and the cause is pointing to an active security issue, the event is escalated and becomes part of an incident response.
These first two stages are traditional Security Incident Management. Security Incident Management is the process by which IT security related events are reported, cataloged, triaged and resolved. This process will include gathering data on the system events, analyzing the information relevant to the event, assigning prioritization and documenting the response.
Stage 3: Security Investigation: Investigations are the next step and include the processes by which larger investigations are conducted around IT security incidents. These investigations can include larger data breaches, system compromises, internal investigations such as unacceptable use of company resources or other security incidents that require a larger amount of time or investigative procedures. An investigation can result from a singular IT security incident or multiple incidents that are connected.
Organizations with mature security response plans have typically laid out these first three stages. However, what happens when the Security Incident is bigger than usual? From the stories we see in the news, security incidents can spiral into significant crises very quickly. The next stages of security incidents are the areas where companies need to evaluate their capabilities.
Stage 3a: Breach Management: Did the security incident involve sensitive personal information or some other data related to mandated reporting of disclosure? If so, that security investigation now needs Breach Management – the notification of appropriate regulatory bodies or individuals involved. This stage needs to be handled not only in compliance with legislative obligations but also to manage reputational risks.
Stage 3b: Crisis Management: If the security incident mushrooms into a serious event such as significant data disclosure or major business disruption, the company may need to go into Crisis Management mode. Public relations, legal counsel, corporate governance boards or other entities may need to be engaged to sort out the problem and manage reputational, legal and business risks.
Security Operations should begin looking into these broader processes and can take a lesson from other GRC related processes such as the Business Continuity program. To start this process, you can begin by asking a few key questions:
- Does security operations understand the data profiles that would trigger broader Breach Management activities?
- How would the operations personnel know that a system with a security issue stores or processes regulatory related data?
- Does the business context around IT devices exist and if so, does it give the security operations function the capability to quickly determine that a possible data breach might lead to regulatory or compliance notifications?
- Are the other key stakeholders like Public Relations, Human Resources and Business Operations prepared to assist if a security issue mushrooms into a full blown crisis? Who are the resources that will be involved and what is the process to manage the crisis?
While the transition from Security Event to Crisis may happen very infrequently or - if you are lucky – not at all, companies should be putting these connections in place.