Ryan Bradbury

Our host outlines importance of incident management for effective cyber incident response and minimising the impact on an organisation.

He covers:

• Understanding Incident Management
• What Does Incident Management Mean
• How to do Incident Management

The NCSC’s definition is…

This definition covers number of potential scenarios – e.g. intentional or accidental data breaches, disruption of services due to DDoS, web application exploitation – it’s no longer just about how you fix a malware outbreak in the environment.

Incident management has historically been an aspect of Cyber Security that wasn’t considered until it’s too late primarily since it meant a malware outbreak. Today, with the instances of cyber incidents becoming increasingly frequent many organisations are developing Incident Management processes either because they have suffered an attack and understand the value in being more organised, or they realise the likelihood of one occurring and want to be prepared.

Cyber incidents can range in severity from a minor inconvenience to complete loss of the ability to conduct normal business, they are invariably stressful, frequently involving big decisions being made without necessarily having the full picture and may require a co-ordinated response from multiple areas of a business – it’s not just the IT department problem anymore.

The crux of why Incident Management is an essential component in a modern business is in a word control:

• Control of understanding what has happened when an incident occurs, i.e. the scope and severity of the incident.
• Control of the response to manage the situation and ensure the response doesn’t ultimately cause more harm than the incident.
• Control of the recovery to restore normal operation as efficiently and quickly as possible.

Before we get into this, there are two terms we need to be aware of – Cyber Incident Management, and Cyber Incident Response.

The Incident Management element is the overarching banner that manages the 6 different stages of the Incident response:

1. Triage
2. Analyse
3. Contain/Mitigate
4. Remediate/Eradicate
5. Recover
6. Review

We’ll talk more about these in the next section. But for now, lets just say that incident management is more of an oversight aspect that might be managed by a dedicated cyber response management team made up of stakeholders from across the business.

A cyber incident response therefore is a pre-existing methodology of steps to be taken during and after a cyber incident occurs with the cyber incident management being the management ‘plane’ co-ordinating and sometimes controlling the stages of the response.

As a whole the term incident management is a collection of pre-defined processes that direct who, how and when a business responds to the occurrence of cyber incidents.

It’s worth noting that the model in the graphic is a guide, individual cyber incident response plans may differ from business to business depending on requirements.

First – you are going to need to develop a process to follow.

I’ve already mentioned that Incident management is more of an overarching term or function that acts as command and control to the actual incident response; this would typically be a team of stakeholders from across the business that provide oversight and guide the response to ensure it is proportionate.

Again, there are no hard and fast rules as such since no two businesses are identical, but broadly speaking there should be a tiered approach to incident management – e.g. having a minor, intermediate and major response plan could be a starting point since it would be impossible to develop a response plan specific to every potential scenario. Each tier would then dictate a different level of response and perhaps even a different approach to the incident.

Triage

When there are indications that an incident has or is occurring, the incident management team need to convene and begin understanding the scope of the incident they are looking at, its nature and decide which level of response is most appropriate – this could be determined by one or several factors such as the number of customers affected, the number of users affected, have mission critical services been affected – the criteria will likely depend on what is most important to your business’ operation.

Often the Triage phase will dictate which of the incident management plans will be invoked, part of the process would then be to set the response team off conducting the analysis phase, whilst the incident management team brief the business on the initial situation, provide notification of outages or disseminate preventative action they wish users to take.

Analyse

The purpose of the analyse phase is to understand exactly what is going on as quickly as possible, this phase is to help plan for the next phase but it’s also an opportunity to verify any assumptions were correct with regard to the scope of the incident – e.g. what looked like a minor incident may prove to be more serious once investigation is underway and the incident management team need to be briefed and take action accordingly.

Contain/Mitigate

Once analysis has been concluded there should be a good understanding of what is happening in the environment and steps can be initiated to stop the problem getting worse. The specific response is going to depend entirely on the nature of the incident but the intent of this phase to prevent the incident escalating further and to limit the damage to services and infrastructure. This phase may also extend to damage control to the business from a reputation perspective through the use of press releases to demonstrate honesty.

Remediate/Eradicate

Once the incident is controlled and is not worsening, the task of rectifying the issue or removing the threat that caused the incident begins, again the structure and processes of this phase depend on the nature of the incident as different cyber incidents will have different responses.

Recover

With the Cyber Incident now dealt with the focus needs to be on restoring business-as-usual operation and this is the recovery phase, i.e. getting the environment/business from the post incident state back to the point where normal operations can be resumed. This phase is made immeasurably easier if you had robust backup processes in place as restoring system services and data becomes a question of how long instead of how do we do it!

Read blog post: Recover from a cyber attack | CyberLab®

Review

The review phase is exactly what it sounds like, an after action debrief of what has happened, what did we do well, what could have been done better, did any part of the process not work, why didn’t it work and how to we make sure it works next time.

Review is almost as vital as any other area of the response plans as it means you will be better equipped next time to deal with the problem.

Training

One last section that isn’t part of the NCSC plan, but is recommended, is security training. Running desktop exercises should be conducted quarterly to ensure there is familiarity with the processes but it can also contribute to the Review section to help improve processes and increase the efficiency and speed of the response.

Want to test your incident response plan? The NCSC provide a great tool: Exercise in a Box – NCSC.GOV.UK

Incident management processes deliver several benefits to your business:

• Effective incident management lessens the impact of a cyber incident.
• A practised plan will help you make good decisions under the pressure of a real incident.
• A well-managed response, with clear communication throughout, builds trust with shareholders and customers.
• Learning from incidents identifies gaps and issues with your response capability.

If you haven’t done so already, our Posture Assessment tool is a quick-and-easy way to identify your strengths and weaknesses, and get a better picture of your overall security posture.

We have put together a page of recommendations for improving your Incident Management, and which tools can help, which you can read here.

If you’d like to learn more about how to secure your organisation and keep your data secure, book a consultation with one of our experts.

Our host discusses the importance of Asset Management for organisations to bolster their cyber security.

He covers:

• What is Asset Management?
• Why do organisations need Asset Management?
• What do with asset information

In today’s world, where cybercrime is on the rise and data breaches are a common occurrence, protecting your data can be a complex task.

It’s critical for organisations to understand how data is being accessed, whether the access is through secure mechanisms, and how to control that access. You can’t control or protect what you can’t see. Which is where asset management comes in.

Asset management is one of the most crucial elements of protecting data, as it helps identify all devices connected to an environment, manage their level of access, and establish business processes to record new devices.

The main goal of asset management is to ensure that an organisation’s assets are being used effectively and efficiently while minimizing security risks and ensuring regulatory compliance.

Our business data is now the primary target of most cyber criminals, they know our businesses need that data to operate, transact business and ultimately to do what we do. Protecting data should be a priority for any organisation and one of the most important elements to protecting our data is understanding how it is being accessed. Every mechanism that can be used to access that data is a potential risk.

Device Discovery 

In larger environments or environments where the non-Enterprise Mobility Management capable device change or move around a lot, it may be necessary to utilise a product such as Forescout suite to identify all devices connected to your environment, the results of this can then be taken even further to manage the level of access they have using Network Access Control and Network Segmentation to restrict access of devices you have not authorised pending identification and authorisation.

Integrate Asset Management Into Your Organisation 

Implementing an Enterprise Mobility Management (EMM) solution for your organisation can provide several benefits. Firstly, it enables you to adopt efficient deployment practices whereby new devices are automatically enrolled into your EMM solution. This ensures that policies, restrictions, and software are automatically deployed onto the devices, resulting in a streamlined process. Furthermore, the devices will automatically report their status, allowing you to apply any new policies as needed.

To ensure that new devices are introduced to the environment in a controlled manner, it’s crucial to establish proper business processes. This includes recording new devices in your asset register, which ensures that the register accurately represents the devices in use. Whether you decide to include devices managed by your EMM in your asset register is a business decision. However, it’s worth noting that EMM solutions may facilitate integration, allowing details of the devices in the EMM or device discovery/control software to be replicated into your asset register.

So, we need to make sure that we have a clear understanding of what is or can access the data, is it a secure mechanism, and how we can control it?

It’s important to note that asset management is not just about device management as we’ll come onto later, but device management is a key part of it and can do most of the leg work needed for effective asset management so let’s start there.

Identify who is responsible for what

In many cases environments can sprawl over time and who is responsible which system can become clouded. This can mean making changes or troubleshooting is much more time consuming than it needs to be. With a detailed view of the assets in the environment to use, it is clear where responsibility lies and this can help improve efficiency.

Identify business critical areas

Once you have a realistic picture of all the devices that make up your estate, identify those which are delivering or associated with critical business services, consider any dependencies they have, and then use that as to build a picture of the areas in your infrastructure that are most important to your business.

Bear in mind that data is also an asset; one that may not all reside on-premise or may be stored on removable media. Having a robust backup strategy in place that adheres to industry best practices and is tested regularly will ensure that your data will reliably be there when you need it.

Identify areas of vulnerability 

The asset information that you have will also help you to categorise areas that may represent more significant concerns from a security perspective – unsupported operating systems have become a problem for many organisations in recent years, servers hosting business critical applications or services that cannot be migrated to newer versions is one of the most common problems.

An area of common vulnerability in most environments is the ability for unmanaged endpoints, laptops in particular, to be physically connected to a network port in the office and granted access to production systems. Hackers can easily breach account credentials or find ways around them, preventing them from being able to access anything needs to be a priority in any business.

Users can be one of your strongest lines of defence against cyber threats, or they can be your greatest weakness. Cyber criminals research their targets and they use the intelligence gathered to fabricate extremely convincing social engineering campaigns. Don’t make it easy for them to do that. A robust cyber security training and engagement strategy is essential for any organisation.

Remove what you don’t need 

Sounds obvious, but sometimes as environments sprawl out of control and increase in complexity there can be uncertainty about exactly what a particular server does, and rather than risk an outage these devices can linger well beyond the end of their life unnecessarily.

Using the asset register and the allocation of responsibility for each device should enable extant devices to be identified and decommissioned.

Maintain and improve your asset management 

After putting lots of time and effort into building your asset management system, it is easy to let it atrophy and become out of date, always look at automated ways to ensure the information held is being actively updated so you have a high degree of confidence that what you are looking at is representative of what you have today.

Protecting data should be a priority for any organisation, and asset management is one of the most critical elements of safeguarding against cybercrime and data breaches.

With a clear understanding of what devices can access the data, businesses can identify areas of vulnerability and business-critical areas, allocate responsibility for each device, and remove what is no longer needed.

Maintaining and improving asset management is an ongoing process, and businesses must continually monitor their environment to ensure their assets are being used effectively and efficiently, with minimized security risks.