Eliminating weekend War Rooms—the shift from reactive to proactive security operations
Cybersecurity emergencies seem to happen when an organization feels least prepared, and the call to a weekend war room is an experience that no CISO and their team want, writes MK Palmore, Cybersecurity Strategic Advisor & Risk Consultant at Palo Alto Networks. While it might appear to be a bolt out of the blue, in my experience it is more like a slow rolling thunder that builds into a loud clap you can never properly anticipate. So how can cybersecurity leaders be better prepared and avoid being caught out?
My perspective on this is informed by what I saw as an executive leader of a large FBI cybercrime and forensics team. All too often, we were called in weeks or longer after the incident took place. At that point, the breached organization is just trying to stop the bleeding and work out how to put itself back together. Being shaken so severely by a security incident is a position no IT executive or business leader wants to be in, not on a weekend or, frankly, on any other day of the week.
The first way to take control is to ensure that the business has visibility. Gaining visibility of threats and vulnerabilities is not easy, but it is fundamental. Can you see everything in the environment? If you cannot see it, you cannot react to it; if you cannot see it, you cannot mitigate it; if you cannot see it, you cannot plan for it. When you gain the right levels of visibility, your organization moves from a reactive footing to a posture of proactive prevention.
Do not mistake visibility for logging. All organizations accumulate logs of one sort or another from any number of systems. Logs are useful, but what is essential is context: the ability to correlate log activity across the different domains and enclaves within an environment, so that an event on an endpoint can be tied to the account, the network connection and the asset it belongs to. Even then, the challenge is for a human to sit in the middle, correlate the information, put context around it, and then be in a position to respond.
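As an added example (not code from the article, the author or Palo Alto Networks), the script below correlates constructed sample events from three enclaves, a VPN concentrator, an EDR agent feed and a firewall, and enriches them with an asset inventory. The log format, the field names, the expected login geography, the 15-minute window and the "normal" web ports are all assumptions made for the example; the point it shows is that no single source looks alarming on its own, while the joined, asset-aware record does.

```python
"""Correlate VPN, endpoint (EDR) and firewall events into per-user context."""
import re
from datetime import datetime, timedelta

# Constructed sample events for this example (not real logs): one VPN
# concentrator, one EDR agent feed and one firewall, each in its own enclave.
VPN_LOG = """\
2024-03-02T01:12:04Z vpn user=jdoe src=203.0.113.7 action=login result=success geo=RO
2024-03-02T09:05:41Z vpn user=asmith src=198.51.100.22 action=login result=success geo=US
"""
EDR_LOG = """\
2024-03-02T01:15:30Z edr host=WS-0412 user=jdoe event=process_create image=powershell.exe cmdline="-enc SQBFAFgA"
2024-03-02T09:10:02Z edr host=WS-0199 user=asmith event=process_create image=excel.exe cmdline="report.xlsx"
"""
FW_LOG = """\
2024-03-02T01:16:11Z fw src_host=WS-0412 dst=192.0.2.55 dport=4444 action=allow
2024-03-02T09:11:55Z fw src_host=WS-0199 dst=192.0.2.10 dport=443 action=allow
"""
# Constructed asset inventory: the context that the raw logs lack.
ASSETS = {
    "WS-0412": {"owner": "jdoe", "enclave": "finance"},
    "WS-0199": {"owner": "asmith", "enclave": "sales"},
}
EXPECTED_GEOS = {"US"}          # assumed: where this workforce normally logs in from
WINDOW = timedelta(minutes=15)  # assumed: how long after a login endpoint activity is linked
WEB_PORTS = {80, 443}           # assumed: outbound ports that need no second look

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse '<ts> <source> k=v k="v v"' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, rest = line.split(" ", 2)
        ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ev["source"] = source
        events.append(ev)
    return events


def within_window(start, ev):
    """True when ev happened at or after start and no later than WINDOW afterwards."""
    return timedelta(0) <= ev["ts"] - start <= WINDOW


def correlate(vpn, edr, fw, assets):
    """Build one finding per VPN login, enriched with what that user's hosts did next."""
    findings = []
    for login in vpn:
        user = login["user"]
        indicators = []
        if login.get("geo") not in EXPECTED_GEOS:
            indicators.append(f"VPN login from unexpected geo {login.get('geo')}")
        hosts = set()
        for ev in edr:  # endpoint activity by the same user shortly after the login
            if ev.get("user") != user or not within_window(login["ts"], ev):
                continue
            hosts.add(ev["host"])
            if ev.get("image") == "powershell.exe" and "-enc" in ev.get("cmdline", ""):
                indicators.append(f"encoded PowerShell on {ev['host']}")
        for ev in fw:   # outbound connections from those hosts in the same window
            if (ev.get("src_host") in hosts and within_window(login["ts"], ev)
                    and ev.get("action") == "allow" and int(ev["dport"]) not in WEB_PORTS):
                indicators.append(f"{ev['src_host']} allowed outbound to {ev['dst']}:{ev['dport']}")
        if indicators:
            enclaves = sorted({assets.get(h, {}).get("enclave", "unknown") for h in hosts})
            findings.append({"user": user, "hosts": sorted(hosts), "enclaves": enclaves,
                             "indicators": indicators, "score": len(indicators)})
    return sorted(findings, key=lambda f: (-f["score"], f["user"]))


def run():
    """Correlate the constructed sample logs; returns the ranked findings."""
    return correlate(parse_log(VPN_LOG), parse_log(EDR_LOG), parse_log(FW_LOG), ASSETS)


if __name__ == "__main__":
    for f in run():
        print(f"{f['user']} (score {f['score']}, enclaves {f['enclaves']}):")
        for i in f["indicators"]:
            print("  -", i)
```

Run as written, the script reports a single finding for jdoe with three indicators and the finance enclave attached, and nothing for asmith, whose login, spreadsheet and HTTPS connection are each individually unremarkable and stay that way once joined. The enclave label comes from the inventory, not from any of the three logs, which is the kind of context the paragraph above is asking for.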
Integrating logs and visibility tools only takes you so far toward a proactive approach. The next step is to do what the best security operations centers do when they confront incidents: adopt a standardized framework that defines which security controls and responses are needed.
One framework to consider is the Center for Internet Security (CIS) Critical Security Controls. Not only are these controls (20 in the version the author refers to; version 8 of the CIS Controls consolidates them into 18) presented to InfoSec practitioners in easy-to-understand language; they are prioritized to provide a roadmap of where to start and where an organization needs to be in terms of cybersecurity engagement. These controls have proven helpful repeatedly for organizations of all sizes. In fact, almost every significant cybersecurity incident, certainly those an organization like the FBI investigates, shows some kind of violation of these critical controls.
The weekend war room is a product of reactive management. That does not mean there should not be a weekday war room. Proactive organizations hold periodic assessments with IT security staff and management; engaging key stakeholders simply and regularly can make all the difference.
When you run a war room you need some specific tools. One of the issues I had in the FBI, while running the Enterprise Security Operations Center, was that I did not have an effective dashboard I could share with executives to show them where we were in improving and strengthening our posture. That is why today I recommend security leaders have a dashboard that clearly visualizes security posture and makes it simple for people without a cybersecurity background to comprehend what is happening and what they need to do. For a successful war room, the dashboard and any associated reports should show the relative level of risk associated with vulnerabilities in the organization and a timeline of when they will be fixed.
Other facets of the dashboard reduce the pain of tackling a security incident. The organization needs to know, and be able to show, what is connected to its network; trying to work that out after an incident has occurred is never a pleasant task. The dashboard and associated reports should also provide context around security alerts in a way that is easily understandable, to help determine impact.
Organizations should actively track incidents so that executives can easily see whether there have been attempts to detonate malicious software within the enterprise, and whether those attempts were blocked.
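An added example, not the article's or any vendor's code, of the computation that sits behind such a dashboard: constructed scanner findings, an asset inventory and endpoint alerts are turned into a risk-ranked list with remediation due dates and overdue flags, a list of assets the scanner saw but the inventory does not know about, and a count of malware attempts that were and were not blocked. The scoring weights, tier thresholds, SLA days and the "today" date are assumptions for the example, to be replaced by the organization's own policy.

```python
"""Turn vulnerability findings, an asset inventory and malware alerts into a posture summary."""
from datetime import date, timedelta

# Constructed inventory of what is connected to the network (not real data).
ASSETS = {
    "web-01":  {"internet_facing": True,  "criticality": "high"},
    "db-02":   {"internet_facing": False, "criticality": "high"},
    "ws-0412": {"internet_facing": False, "criticality": "low"},
}
# Constructed scanner findings; "printer-7" is deliberately absent from the inventory.
FINDINGS = [
    {"id": "F-1", "asset": "web-01",    "cvss": 9.8, "exploited_in_wild": True,  "found": date(2024, 3, 1)},
    {"id": "F-2", "asset": "db-02",     "cvss": 7.5, "exploited_in_wild": False, "found": date(2024, 2, 10)},
    {"id": "F-3", "asset": "ws-0412",   "cvss": 5.3, "exploited_in_wild": False, "found": date(2024, 3, 3)},
    {"id": "F-4", "asset": "printer-7", "cvss": 6.0, "exploited_in_wild": False, "found": date(2024, 3, 5)},
]
# Constructed endpoint alerts: was the malware stopped, or did it run?
MALWARE_EVENTS = [
    {"host": "ws-0412", "family": "EICAR-Test-File", "verdict": "blocked"},
    {"host": "ws-0199", "family": "EICAR-Test-File", "verdict": "blocked"},
    {"host": "db-02",   "family": "unknown-dropper", "verdict": "allowed"},
]
# Assumed remediation SLAs per risk tier, in days from discovery.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(finding, assets):
    """CVSS base plus exposure context; an asset missing from inventory gets worst-case exposure."""
    asset = assets.get(finding["asset"])
    score = finding["cvss"]
    if asset is None or asset["internet_facing"]:
        score += 1.5
    if asset is None or asset["criticality"] == "high":
        score += 1.0
    if finding["exploited_in_wild"]:
        score += 1.5
    return min(score, 10.0)


def risk_tier(score):
    """Assumed thresholds mapping the contextual score to a remediation tier."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def posture(findings, assets, malware_events, today):
    """Rank findings, compute due dates, flag inventory gaps and count malware outcomes."""
    ranked = []
    for f in findings:
        score = risk_score(f, assets)
        tier = risk_tier(score)
        due = f["found"] + timedelta(days=SLA_DAYS[tier])
        ranked.append({"id": f["id"], "asset": f["asset"], "score": score, "tier": tier,
                       "due": due.isoformat(), "overdue": today > due,
                       "unmanaged_asset": f["asset"] not in assets})
    ranked.sort(key=lambda r: (-r["score"], r["id"]))
    blocked = sum(1 for e in malware_events if e["verdict"] == "blocked")
    executed_on = [e["host"] for e in malware_events if e["verdict"] != "blocked"]
    return {
        "vulnerabilities": ranked,
        "overdue": [r["id"] for r in ranked if r["overdue"]],
        "inventory_gaps": sorted({r["asset"] for r in ranked if r["unmanaged_asset"]}),
        "malware_blocked": blocked,
        "malware_executed_on": executed_on,
    }


def run(today=date(2024, 3, 10)):
    """Summarize the constructed data as of an assumed reporting date."""
    return posture(FINDINGS, ASSETS, MALWARE_EVENTS, today)


if __name__ == "__main__":
    summary = run()
    for r in summary["vulnerabilities"]:
        flag = " OVERDUE" if r["overdue"] else ""
        print(f"{r['id']} {r['asset']:<10} {r['tier']:<8} score {r['score']:>4} due {r['due']}{flag}")
    print("unmanaged assets seen by scanner:", summary["inventory_gaps"])
    print("malware blocked:", summary["malware_blocked"],
          "executed on:", summary["malware_executed_on"])
```

Two design points matter for the executive view. First, the score is not the raw CVSS number: an internet-facing, business-critical host with an exploited flaw is ranked above an equally scored flaw on an isolated workstation, and an asset the inventory has never heard of is scored as if it were fully exposed, because the dashboard cannot claim otherwise. Second, every row carries a due date derived from when it was found, so "when will it be fixed" and "what is already late" are answered by the same table rather than by a separate status meeting.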
Having visibility and a clear picture of the health and maturity of security operations underpins a proactive security organization. Taking a proactive approach to security does not just help save the weekend; it can help ease the difficulties of IT security staffing too. By integrating visibility and automation that enable a proactive approach, an organization can speed up routine tasks, freeing up scarce security analyst resources for higher-level, human-intensive work.
No one wants to get that call to join a weekend war room, ruining precious time with family and friends. The key to preventing that outcome is to embrace a proactive strategy that provides visibility and context that help identify risks before they become weekend war room incidents.