Blogs > CSO Bloggers

THE LAYER 8 DEBATE

Nathan Wenzler

  • Principal Security Architect, AsTech Consulting,
Nathan Wenzler is the Principal Security Architect at AsTech Consulting, a leading information security consulting firm. Nathan has nearly two decades of experience designing, implementing and managing both technical and non-technical solutions for IT and Information Security organizations. Nathan has helped government agencies and Fortune 1000 companies build new information security programs from scratch, as well as improve and broaden existing programs with a focus on process, workflow, risk management, and the personnel side of a successful security effort.

Organizations worldwide tend to mirror the culture of the country where they’re founded. Here in the United States, we have long maintained what I like to call a “Culture of Winning.”

Long before Charlie Sheen and his tiger blood became a pop culture phenomenon, we have been driven to be the best in everything we do. Our sports teams only matter when they win it all. We expect our Olympic teams to bring home the most gold medals. We strive to maintain our perceived status as the greatest nation on the planet. And of course, our companies must always be successful and be “the best.”

This culture of winning has certainly held true for decades, and many American companies have been both led the way technologically and maintained their financial success year over year.

However, this drive to always be the best commonly creates a huge negative for many organizations: an unwillingness to acknowledge even the possibility of failure. In the Information Security field, incident response is one of the most critical parts of any security program, but is often overlooked because, as one CISO once put it to me, “If we plan to fail, we’re acknowledging failure will happen, and our company doesn’t fail.”

I could almost hear Murphy gleefully laughing at his Law gearing up for a whammy of an example there.

The reality is, of course, that when it comes to any kind of security incident, it’s never a matter of if, but when. Whether that comes in the form of a natural disaster that impacts business operations, an external breach of critical data or intellectual property, or an insider threat which exfiltrates data or causes other damage to your organization’s functions, it is imperative that a proper security incident response plan is well-defined, documented and communicated to all the relevant parties within your company.

While there are many pieces to a great incident response effort, the most important is a buy-in from all parts of the organization, up to and including the very top executives. Nevertheless, getting this kind of buy-in to build a plan that specifically addresses what to do when things go wrong can be nearly impossible if your organization’s culture is one of always winning and never failing.

If you are part of a security program, find yourself fighting a culture of winning, and it doesn’t support your efforts to plan to address failure of any sort, consider highlighting some of these other benefits to your management team. These are all items which must be part of a successful incident response plan and will also bring operational benefits above and beyond the incident response plan itself.

  • A complete asset inventory. For an incident response plan, it’s important to know all of the assets which may be affected by an outage, attack or other type of security incident. More so, understanding what assets are related to other areas of your network or infrastructure (ex. the database servers that support a web application) is a critical piece of understanding how to identify the threat and contain it. Of course, an asset inventory will also help support help desk systems, audit and/or regulatory responses, patch management efforts, and many other IT operations needs, which can improve the overall effectiveness and ROI for those services.
  • Backups, failovers and redundancies. Recovery is a key phase for handling a security incident, but that requires that there’s something to use to recover from the damage done. If a disaster recovery plan and abusiness continuity plan isn’t already in place within your organization, it’s high time for your organization to build them both. Many regulations require these to be in place, and they not only serve to fulfill legal requirements, but ensure that you get your operations back up and running should an incident occur to minimize impact to your customers and, ultimately, your revenue.
  • Asset ownership hierarchy. One of the key pieces of an incident response plan is to have a documented communication matrix to bring in the proper stakeholders whenever an incident takes place. Time and time again, however, I have seen incident response teams struggle to identify who is responsible for a server or application and even if they can find the right person, there may not be a clear means of contacting the individual. Defining asset owners for all areas of your infrastructure is a critical part of an incident response plan, but also is the basis for building access certification programs that can limit insider abuse as well as the ability for an external attacker to move laterally through your network should they get in. It becomes another active layer of defense for the infrastructure and applications.

If you are one of the lucky few who have full support within the organization for an incident response program, you still should ensure that your management team reaps all the benefits a formal plan can bring to your company.

If not, there are still plenty of ways to encourage your company to maintain its culture of winning without resorting to tiger blood infusions simply by highlighting the benefits by planning to handle failure with a proper incident response plan.

Tags: strategy, disaster recovery, backup and recovery, Leadership and Management, Investigations and Forensics

Show Comments