Operational information security is arguably the most complicated, confusing and at times stressful area of the IT profession to work in, says Adam Wood, a security analyst in the utility industry.

Security incident management is unpredictable. The people working in the area typically come from a wide range of IT and non-IT backgrounds, backed by expertise and experience that can only be acquired by resolving real world, potentially high impact events, and which has parallels to nearly every other area of IT.

In this area it is critical to identify events quickly and respond effectively in order to keep business critical processes functional and secure.

Understand what you’re protecting

In a time of perceived crisis it’s near impossible to protect any business critical operation and the business processes which enable them, if the security incident manager (SIM) responsible for protecting the service does not appreciate the value it delivers to the organisation.

Although service level agreements (SLAs) give a basic quantitative indication of the minimum level of system availability the business needs to remain operational, SIMs who want to protect a business successfully must fully understand not only the impact of system downtime, but also the potential value of the information the system processes to a third party.

It is estimated that the average cost of a security breach in a large organisation (250 plus employees) is between £450,000 and £850,000 [1]. However, the full cost is often never really understood as many organisations do not fully appreciate the value of the data that they hold.

Developing this understanding, together with an appreciation of the corporate culture and the level of risk that is acceptable to the organisation, can take a significant investment in time, especially in larger, more complicated businesses. Without this knowledge an incident manager’s ability to react successfully and proportionately to security incidents is severely reduced.

Appreciate the service model

All organisations are different, but many leverage complex, highly outsourced commercial IT service models. When a model like this is adopted, it is common for the enthusiasm for achieving contracted tangible metrics, and the stringent use of ITIL (Information Technology Infrastructure Library) language, to result in security incidents being addressed less efficiently and effectively than the production environment issues for which the ITIL framework is designed.

The formality presented by the ITIL approach can hinder the resolution of some more complex security incidents, which by their very nature typically require a more dynamic and unconventional strategy to resolve.

It is, however, likely that most security incidents will begin life being managed in the production service management environment, and that responsibility will pass to any dedicated information security response team via escalation.

Although management responsibility may change to a dedicated internal computer emergency response team (CERT), to which SIMs may belong, it is almost certain that the expertise of everyday support staff, who are more used to working in line with the established ITIL structure, will be employed in the successful resolution of the incident.

For these reasons it is important that all SIMs have at least an appreciation of the ITIL framework and how it is applied. A decent understanding of the framework will allow incident managers to better use existing IT resources and once the security breach is contained and investigated, aid in the smooth transition to day-to-day production service management.

Invest in communication

Establishing and using good communication channels between the security incident response team, other members of the IT department, business system owners and general users, is essential to becoming aware of, and effectively managing security incidents.

As with system availability, ITIL already recommends that at the very least a high level security response for each IT system be discussed, agreed, documented and communicated in the SLA. The digital security team should also have an agreement with the business and the wider user community (which may be through policy) that any suspected or actual security incidents are reported to a single point of contact (SPOC) using a well publicised process.

These communication channels should be bidirectional, and also allow SIMs to quickly raise support from other business teams. A widely communicated contact list of essential incident response team members should be made available to essential personnel.

Plan and test procedures

In the excitement and adrenalin rush of a security incident, the opportunity for misunderstanding and in some cases tension will increase, especially at middle management levels. Tension will normally be around what actions should be taken and who should have decision making authority.

But sometimes these may result from a lack of clarity around what a security incident actually is and how it differs from a production incident or a security risk. ITIL defines an information security incident as ‘One or more information security events that threaten information security and business operations’. This definition requires some knowledge of the ITIL framework and so is not meaningful to everyone, particularly non-technical business users.

A more user friendly explanation is that a security incident is ‘any suspected or actual imminent event or breach of internal policy procedures or national law which could cause harm’. To effectively manage an incident it is important to have established procedures and well tested plans, particularly security incident playbooks (a set of pre-formulated responses to common security incidents).

Commit to security awareness training

Clearly defining who has incident manager accountability at a given point in time is extremely important, especially in large multi-time zone environments where it is likely, although not recommended, that accountability will change between individuals, or, in a heavily outsourced environment, even between organisations.

It is highly probable that a production environment incident may morph from routine into a security incident requiring specialist attention and then, once contained, move back into production again. It is just as important to train employees in the use of prepared plans. All employers have a responsibility to provide appropriate training so that employees are able to perform their duties safely and are not put under undue stress while doing so.

In the case of security incident managers, at a very minimum, it is advisable to have an understanding of ITIL.

But all organisations, large or small, should also run security awareness campaigns that inform users not just of policy commitments, but also of how to effectively identify and report security incidents. After all, it is estimated that 59 per cent of incidents are caused accidentally by users inside the company, where, although technical controls may be in place, they can be bypassed.

Despite this high figure, 42 per cent of large organisations don’t run security awareness programmes. Programmes work best where there is a top down aspiration to develop a ‘security culture’, whereby individuals actively consider the potential impact of a security breach, while carrying on their everyday duties, to the point that active information security management becomes embedded in the day job.

Although formal classroom training, table top simulations and awareness campaigns are good learning tools, there is no substitute for real world experience. The greatest learning will come from real events and incidents. Use these as learning points and ask the questions: what was the cause, what was the impact, what went wrong, what went well, but above all what do we need to do to improve our response next time?

This, along with regular engagement and communication with the user population, will help to ensure that any such policies are relevant and adhered to, and that potentially compromising incidents are not forgotten but reported and used to improve.

Cyber security incident management is not an exact science. No matter how much time and effort is put into planning or preparation, every incident and its potential consequences will be different. By understanding what is key to the organisation (and therefore what needs to be protected), considering the organisation’s overall service management design, and having the right communication channels and emergency plans in place, an organisation will become significantly more resilient to emerging threats.


[1] The UK cyber security strategy: Landscape Review 2013