Category Archives: Incident Response (IR)

Employees Are Working From Home — Do You Know Where Your Remote Work Policy Is?

The remote work trend is here to stay — and it’s a growing phenomenon.

Nearly two-thirds (63 percent) of companies have employees who work remotely, yet more than half of those companies (57 percent) do not have a remote work policy, according to a 2018 report from the freelancing website Upwork. What’s more, many of the companies that do have a remote work policy said it hasn’t been updated in the past five years or has become more lenient over that time.

Remote work security is a lot like mobile security, and the work-at-home trend is a lot like the bring-your-own-device (BYOD) trend. You likely have a policy that covers mobile security. You need one that covers remote work.

What Could Go Wrong?

The elevated exposure associated with remote work is undeniable. In fact, it’s not even a controversial point. According to Shred-it, 86 percent of C-level executives believe that the risk of a data breach is higher when employees work remotely. Additionally, CybSafe reported that one-third of U.K. businesses have suffered a data breach because of remote work in the past 12 months.

All of those numbers make sense. Simply working outside the office comes with inherent risks. Remote workers are more likely to connect via insecure WiFi, either at home or while working in public spaces such as coffee shops. A study by OneLogin even found that more than half of remote workers spend up to one day per week connected to unsecured networks.

Sensitive conversations — or talk that could help threat actors do their work — involving remote workers are more likely to take place in writing (via chat or email) than in person, which creates a record that could be accessed by cybercriminals. Work-from-home employees are also more likely to mix professional and personal equipment, software, data and online activity. That means threat actors could more easily breach personal consumer hardware and software as an entry point into company networks. In other words, hacking a remote worker may offer a higher payoff than hacking an in-office employee.

Furthermore, remote, freelance and contract workers are more likely to use their own equipment and perform their own IT tasks than in-office staff. And most remote workers are neither experts in choosing secure hardware nor skilled in the complexities of IT security. They’re also more vulnerable to hardware theft, shoulder surfing and other risks.

Don’t Forget About Compliance

Beyond the obvious security risks, remote work policies dramatically enhance regulatory compliance. The General Data Protection Regulation (GDPR) led the way, California followed, and soon, many U.S. states will have strong regulations around security and privacy. Yet many of the remote work policies currently in place were created before the GDPR even started making headlines.

A good remote work policy covers a broad range of categories, from employment rules to expense reporting to legal obligations. But the data security provisions are probably the most important. And because the security and regulatory landscapes — as well as attitudes and demands around remote work — keep changing, your company’s remote work policy should keep changing too.

Components of a Good Remote Work Policy

Clearly, it’s important to create a good remote work policy if you don’t have one — or update the one you’ve got to reflect current realities and best practices. But what exactly makes a good policy?

First, create a detailed plan for communication and training related to remote workers, and specify this plan in the policy. Clarify that the remote work policy applies to all workers, even if they do work at home one hour a month. Keep in mind the differences (legal and otherwise) between permanent, full-time employees on the one hand and contract, freelance, temporary or contingent workers on the other. Your policy is one tool for the company to help employees boost security in their homes, which is always a good idea.

Next, align the policy with remote work infrastructure and software. Be clear about rules for company-owned equipment. List all user tools (e.g., cloud document platforms, workgroup communication, video conferencing, project management, etc.) so that remote and in-office employees are all on the same page — literally — and using the same approved and security-monitored tools.

You’ll then want to draft a notification process in the event of a security event and include the steps that each employee must take in the event of a breach. Include clear actions to keep operating systems, applications, certificates, and security and networking software up to date. Include all applicable in-office rules, such as the password policy and other security-related rules. It’s also important to make remote work policies compatible with employee contracts — i.e., make sure overlapping or contradicting areas are addressed.

Lastly, make sure you plan to monitor policy adoption and adherence. Learn from security successes and failures and keep the policy flexible. Importantly, update the remote work policy frequently by setting a schedule for reviewing it on a regular basis.

Address Your Remote Security Gap

The bottom line is that the reality of remote work extends the enterprise attack surface to include employees’ homes. It’s vital to address this gaping hole with a clear, up-to-date remote work policy that is consistently monitored and enforced.

The post Employees Are Working From Home — Do You Know Where Your Remote Work Policy Is? appeared first on Security Intelligence.

6 Steps Every New CISO Should Take to Set Their Organization Up for Success

Congrats! You’ve landed a new job as a chief information security officer (CISO). Now where do you start?

With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.

What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?

Here are six steps to help you get started in a new security executive role.

1. Take Stock of Technology

One of the most important steps you will take in the first few days is reviewing the IT infrastructure of your new company. How are firewalls and servers configured? How many different endpoints connect to the network? What other technology is in place?

According to CSO, you should start by taking stock of which incident prevention security controls are preventing and reporting on malicious activity. You should also determine which security control management consoles, security information and event management (SIEM) tools, and log management solutions are collecting logs and alerts.

Understanding your systems and defenses is priority No. 1 because knowing what your new organization has in place — and where you may need to make additions and changes — will inform the next steps in your first few months in the CISO role.

2. Assess Your Processes

After gaining a comprehensive view into the technology that is in place, it is time to review and evaluate the processes in place for security. Is there an incident response (IR) plan in place? For 77 percent of organizations, the answer is no. Is the IR plan written and tested? What about awareness training? Is it done monthly? Annually? This information will give you a clearer picture of how the company has prioritized security in the past — and an idea of where it needs to go in the future.

This is also the time to poke holes in policies and standards that do not have formal processes attached, and develop and define them to be more effective. Clear, well-defined processes minimize confusion and chaos, and ensure your organization can comply with the policies you want to enforce.

3. Build Out Your Team

Whether you are utilizing existing employees or hiring new team members, building your security team is an immediate priority for a new security leader, according to Dan Lohrmann, former CISO for the state of Michigan and current chief security officer and chief strategist at Security Mentor.

“Focus on talent and relationships,” Lohrmann wrote in an article for Government Technology. “Surround yourself with security pros that work well together and cover skill set weaknesses.”

Direct reports that you will be managing are the first employees you need to get to know. Have one-on-one meetings with each team member if time allows to understand their strengths, weaknesses and insights on where security strategy stands in the organization. These employees have the institutional knowledge you don’t yet have and have dealt with issues and problems already. This time can also be an opportunity to build a relationship of trust so that your direct reports know they can come to you with concerns and feedback going forward.

If you have the luxury of hiring, after getting to know the existing security team, now is the time to assess whether you are lacking certain skills and talent on your team and look to the external talent pool to add to your ranks. This may be easier said than done, since the cybersecurity skills gap has made hiring challenging in recent years.

4. Talk to Key Internal Stakeholders

You want to gain a deeper understanding of the business, its mission, its immediate priorities and its long-term goals as soon as you get in the door. The CISO role is about security and business enablement. You will be expected to protect the organization and contribute to strategic goals.

Start by meeting with executive management when possible, as well as heads of business units. Understand their goals, visions, pain points and objectives. Ask how security management can assist with all of these. Getting to know these stakeholders will be the start of what should be an ongoing relationship and conversation that will give security a strong voice in the organization.

5. Get to Know Customers

Equally important to understanding the executive vision of the company is having a solid comprehension of the people the company serves. Getting to know key customers and clients on the front lines will give you the advantage of grasping how the enterprise is viewed from the outside. The customer lens of the organization will be invaluable in positioning security as a business driver instead of a hindrance.

6. Start Thinking About Your Budget

Gartner predicted that companies would spend around $96 billion on security products and services in 2018. But how can CISOs prove their investments had a measurable impact on corporate risk? It is no longer enough to simply deliver security to an organization; CISOs are also expected to demonstrate return on investment (ROI) and find ways to deliver direct business benefits.

Collecting data, evidence and metrics to demonstrate the need for security investments, why they are necessary in the near future and the proof of corporate payoff is another essential step for new security management. Additionally, this needs to be positioned in a way that business leaders understand, which takes us back to the importance of the prior steps. Without investing time in getting to know executive management and understanding customers, you will be less equipped to make the case for budgetary dollars for security priorities down the road.

Start Your CISO Tenure Off on the Right Foot

Starting a new job in the CISO role can feel overwhelming. But the time for security to be seen as a key player — and to have a major business impact — has never been better. While there may be multiple challenges to address right out of the gate in a new organization, heed these suggestions to start making a positive impact on day one.

The post 6 Steps Every New CISO Should Take to Set Their Organization Up for Success appeared first on Security Intelligence.

It’s Time to Modernize Traditional Threat Intelligence Models for Cyber Warfare

When a client asked me to help build a cyberthreat intelligence program recently, I jumped at the opportunity to try something new and challenging. To begin, I set about looking for some rudimentary templates with a good outline for building a threat intelligence process, a few solid platforms that are user-friendly, the basic models for cyber intelligence collection and a good website for describing various threats an enterprise might face. This is what I found:

  1. There are a handful of rudimentary templates for building a good cyberthreat intelligence program available for free online. All of these templates leave out key pieces of information that any novice to the cyberthreat intelligence field would be required to know. Most likely, this is done to entice organizations into spending copious amounts of money on a specialist.
  2. The number of companies that specialize in the collection of cyberthreat intelligence is growing at a ludicrous rate, and they all offer something that is different, unique to certain industries, proprietary, automated via artificial intelligence (AI) and machine learning, based on pattern recognition, or equipped with behavioral analytics.
  3. The basis for all threat intelligence is heavily rooted in one of three basic models: Lockheed Martin’s Cyber Kill Chain, MITRE’s ATT&CK knowledge base and The Diamond Model of Intrusion Analysis.
  4. A small number of vendors working on cyberthreat intelligence programs or processes published a complete list of cyberthreats, primary indicators, primary actors, primary targets, typical attack vectors and potential mitigation techniques. Of that small number, very few were honest when there was no useful mitigation or defensive strategy against a particular tactic.
  5. All of the cyberthreat intelligence models in use today have gaps that organizations will need to overcome.
  6. A search within an article content engine for helpful articles with the keyword “threat intelligence” produced more than 3,000 results, and a Google search produces almost a quarter of a million. This is completely ridiculous. Considering how many organizations struggle to find experienced cyberthreat intelligence specialists to join their teams — and that cyberthreats grow by the day while mitigation strategies do not — it is not possible that there are tens of thousands of professionals or experts in this field.

It’s no wonder why organizations of all sizes in a variety of industries are struggling to build a useful cyberthreat intelligence process. For companies that are just beginning their cyberthreat intelligence journey, it can be especially difficult to sort through all these moving parts. So where do they begin, and what can the cybersecurity industry do to adapt traditional threat intelligence models to the cyber battlefield?

How to Think About Thinking

A robust threat intelligence process serves as the basis for any cyberthreat intelligence program. Here is some practical advice to help organizations plan, build and execute their program:

  1. Stop and think about the type(s) of cyberthreat intelligence data the organization needs to collect. For example, if a company manufactures athletic apparel for men and women, it is unnecessary to collect signals, geospatial data or human intelligence.
  2. How much budget is available to collect the necessary cyberthreat intelligence? For example, does the organization have the budget to hire threat hunters and build a cyberthreat intelligence program uniquely its own? What about purchasing threat intelligence as a service? Perhaps the organization should hire threat hunters and purchase a threat intelligence platform for them to use? Each of these options has a very different cost model for short- and long-term costs.
  3. Determine where cyberthreat intelligence data should be stored once it is obtained. Does the organization plan to build a database or data lake? Does it intend to store collected threat intelligence data in the cloud? If that is indeed the intention, pause here and reread step one. Cloud providers have very different ideas about who owns data, and who is ultimately responsible for securing that data. In addition, cloud providers have a wide range of security controls — from the very robust to a complete lack thereof.
  4. How does the organization plan to use collected cyberthreat intelligence data? It can be used for strategic purposes, tactical purposes or both within an organization.
  5. Does the organization intend to share any threat intelligence data with others? If yes, then you can take the old cybersecurity industry adage “trust but verify” and throw it out. The new industry adage should be “verify and then trust.” Never assume that an ally will always be an ally.
  6. Does the organization have enough staff to spread the workload evenly, and does the organization plan to include other teams in the threat intelligence process? Organizations may find it very helpful to include other teams, either as strategic partners, such as vulnerability management, application security, infrastructure and networking, and risk management teams, or as tactical partners, such as red, blue and purple teams.

How Can We Adapt Threat Intelligence Models to the Cyber Battlefield?

As mentioned above, the threat intelligence models in use today were not designed for cyber warfare. They are typically linear models, loosely based on Carl Von Clausewitz’s military strategy and tailored for warfare on a physical battlefield. It’s time for the cyberthreat intelligence community to define a new model, perhaps one that is three-dimensional, nonlinear, rooted in elementary number theory and that applies vector calculus.

Much like game theory, The Diamond Model of Intrusion Analysis is sufficient if there are two players (the victim and the adversary), but it tends to fall apart if the adversary is motivated by anything other than sociopolitical or socioeconomic payoff, if there are three or more players (e.g., where collusion, cooperation and defection of classic game theory come into play), or if the adversary is artificially intelligent. In addition, The Diamond Model of Intrusion Analysis attempts to show a stochastic model diagram but none of the complex equations behind the model — probably because that was someone’s 300-page Ph.D. thesis in applied mathematics. This is not much help to the average reader or a newcomer to the threat intelligence field.

Nearly all models published thus far are focused on either external actors or insider threats, as though a threat actor must be one or the other. None of the widely accepted models account for, or include, physical security.

While there are many good articles about reducing alert fatigue in the security operations center (SOC), orchestrating security defenses, optimizing the SOC with behavioral analysis and so on, these articles assume that the reader knows what any of these things mean and what to do about any of it. A veteran in the cyberthreat intelligence field would have doubts that behavioral analysis and pattern recognition are magic bullets for automated threat hunting, for example, since there will always be threat actors that don’t fit the pattern and whose behavior is unpredictable. Those are two of the many reasons why the fields of forensic psychology and criminal profiling were created.

Furthermore, when it comes to the collection of threat intelligence, very few articles provide insight on what exactly constitutes “useful data,” how long to store it and which types of data analysis would provide the best insight.

It would be a good idea to get the major players in the cyberthreat intelligence sector together to develop at least one new model — but preferably more than one. It’s time for industry leaders to develop new ways of classifying threats and threat actors, share what has and has not worked for them, and build more boundary connections than the typical socioeconomic or sociopolitical ones. The sector could also benefit from looking ahead at what might happen if threat actors choose to augment their crimes with algorithms and AI.

The post It’s Time to Modernize Traditional Threat Intelligence Models for Cyber Warfare appeared first on Security Intelligence.

Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns

Global risks are intensifying but the collective will to tackle them appears to be lacking. — The World Economic Forum’s “Global Risks Report 2019”

With the start of a new calendar year, chief information security officers (CISOs) are looking for ways to set the tone for the year and have more engaged conversations with top leadership regarding cybersecurity risks. The good news is January provided such an opportunity, but it’s not what you might expect.

Every year, the world’s elite descends on Davos, Switzerland, as part of the global gathering known as the World Economic Forum (WEF). A few weeks before they hold this event, the WEF releases its “Global Risks Report,” and this year, once again, cyber risks figured prominently. The report was based on survey responses from nearly 1,000 decision-makers from the business and government sectors, academia, nongovernmental organizations (NGOs), and other international organizations.

Cybersecurity Risks Once Again in the Top 5

The report opens with its distinctive global risks landscape diagram, and cyber-related risks fall in the top-right quadrant of global risks, both in terms of likelihood and impact. When it comes to likelihood, data fraud or theft came in fourth place after three environmental risks, with cyberattacks rounding out the top five.

When ranked by impact, cyberattacks still made it into the top 10, in seventh place, followed immediately by critical information infrastructure breakdown. The fact that data fraud or theft wasn’t in the top 10 risks by impact might indicate that markets and business leaders are more confident about the global economy’s ability to detect and respond to such an event.

This is by no means the first time that technology-related risks made it to the top of the list: Cyberattacks have appeared four times in the top five risks by likelihood since 2010 (in 2012, 2014, 2018 and 2019). However, in terms of impact, the only technology-related risk to make the top five was critical information infrastructure breakdown in 2014.

Is it symptomatic of a larger disconnect that, in the last decade, global leaders only once perceived a technology-related risk as a top-five risk in terms of impact? Do top leadership and board directors at your organization share this attitude?

A Conversation Starter for CISOs and Top Leadership

Of course, the WEF report is aimed at a global audience of business and government executives, so it might not be immediately apparent how CISOs could benefit from grabbing a copy and leafing through it. However, because technology-based risks — and more specifically, cyber-related risks — feature so prominently in the report, there is a unique opportunity to engage or re-engage top leadership and boards to discuss these issues and re-evaluate the organization’s current risk appetite. Among the topics covered in the report are many areas that CISOs should be ready to engage on, including:

  • Machine learning and artificial intelligence (AI) — How, if at all, is your organization leveraging these technologies? Is the security function engaged at the earliest part of the process to implement them?
  • Regulatory changes, such as the General Data Protection Regulation (GDPR) — Is your organization now fully compliant with the GDPR? Are there other GDPR-like regulations on the horizon that need to be on your radar?
  • Interconnectedness of cybersecurity risks — Is your organization on its way to becoming cyber resilient? How often is your organization’s resilience put to the test?
  • Quantum computing and cryptography — Who, if anyone, is keeping track of developments in quantum computing? How often is this disruptive technology being discussed, both in terms of the opportunities it presents, but also the risks to traditional cryptographic methods of protecting company secrets?

Interconnectedness Versus Resilience

If there’s one section of the report that CISOs should share with top leadership, it is the portion titled “Managing in the Age of Meltdowns” (just three pages long). As the interconnectedness of technology increases the potential for cascading failures, this section reminds us of the stakes: “When something goes wrong in a complex system, problems start popping up everywhere, and it is hard to figure out what’s happening. And tight coupling means that the emerging problems quickly spiral out of control and even small errors can cascade into massive meltdowns.”

The section covers different strategies to help deal with complex, dynamic systems and provides guidance for CISOs to review and improve the effectiveness of existing processes. Strategies include encouraging healthy skepticism and recognizing the value of clear and honest lines of reporting. CISOs should also try to “imagine failure” or, better yet, simulate a breach to practice their response. The report also reminds security leaders to perform thorough root-cause analysis, as “too often, we base decisions on predictions that are overly simplistic, missing important possible outcomes.”

Find a Rallying Point

Most CISOs know they’re more likely to be heard when aligning their messages and efforts with the concerns of top leadership. In a world of increasing global risks, security leaders must engage with all levels of the organization to truly understand what cybersecurity risks are top of mind, from the board and C-suite all the way down to entry-level analysts. Organizing around mutual concerns will help maximize security at the enterprise.

The post Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns appeared first on Security Intelligence.

Data Breach Fatigue Makes Every Day Feel Like Groundhog Day

The constant string of data breaches isn’t what I’d call funny, but it does make me think about one of my favorite cinematic comedies. The film “Groundhog Day” stars Bill Murray as a grumpy weatherman who travels to the little town of Punxsutawney, Pennsylvania, where a famous rodent supposedly predicts when spring will arrive.

According to some unexplained movie logic, Murray’s character ends up caught in a time warp so that he wakes up the day after Groundhog Day and it’s — you guessed it — Groundhog Day once again. No matter what he does, he wakes up day after day and the same events happen again and again. As you can imagine, the poor weatherman starts to lose his mind and, for a time, gives up trying to change his fate.

In the world of cybersecurity, things don’t appear to be much different. If it feels like there’s a new data breach reported every day, that’s because it’s more or less true. According to the Privacy Rights Clearinghouse, there have been 9,033 data breaches made public since 2005 — and those are just breaches that were reported in the U.S. or affected U.S. consumers. Spread out over the last 14 years, that averages out to about 1.77 breaches a day.

All told, there were at least 11.6 billion records lost in those breaches. The consequences for the economy and individual businesses and consumers are mounting, and the cost of these breaches is staggering if you consider the average cost per lost record, which was $148 in the U.S. last year.

These data points raise other questions about the human impact of data breach Groundhog Day, if you will. How does the daily barrage of data breaches affect our behavior? Are we responding with urgency to this growing problem as consumers, businesses and security professionals? Or have we given a collective shrug, accepting that this is the new normal?

What Does Data Breach Fatigue Look Like?

One apparent consequence of constant breaches is data breach fatigue — the idea that consumers have become inured to the effects of data breaches and are less motivated to do anything to protect themselves. The data breach fatigue effect is a little hard to calculate, but there is some evidence it exists, and the fallout is harmful to both consumers and the breached organizations.

In one study, researchers measured consumer sentiment on social media in the aftermath of a breach at the U.S. Office of Personnel Management that affected 21.5 million people. According to the study, overall sentiment about the breach was tinged with anxiety and anger, but victims of the breach showed higher levels of sadness. Moreover, social media chatter about the breach dropped off significantly over time. Two months after the breach, engagement was almost nonexistent, which the researchers said showed acceptance, apathy and the onset of breach fatigue.

While there isn’t a lot of data on how people respond to having their personal information breached, there is some evidence in consumer surveys that data breach fatigue is setting in. For example, a significant proportion of users don’t take proactive steps to improve their security after a breach, such as changing their passwords or checking their credit score. Although almost 50 percent of respondents to a 2016 Experian survey said they were taking more precautions to protect their personal information, just 33 percent check their credit scores regularly and only 36 percent review the privacy policies of the companies they do business with.

In another study conducted by RAND Corporation, only half (51 percent) of survey respondents said they changed their password or PIN after a breach, and a scant 4 percent said they started using a password manager. While 24 percent said they became “more diligent” in response to a breach, 22 percent took no action whatsoever.

Finally, a survey conducted by Ponemon Institute in 2014 on behalf of Experian found that many consumers were taking a passive approach to data breach notifications. Of the 32 percent of consumers who had received at least one data breach notification in the prior two years, their concern about breaches didn’t necessarily produce an urgent response. Although 45 percent of breach victims said they were “very concerned” or “extremely concerned” about the potential for identity theft, 32 percent said they ignored the breach notification or took no action, and 55 percent said they did nothing to protect themselves from identity theft.

If data breach fatigue contributes to consumers failing to take the necessary precautions to protect themselves, it could leave those consumers at greater risk of identity theft, damaged credit, financial loss and privacy violations. But before we start blaming the victims for being irresponsible, it’s clear from the Ponemon/Experian study that many breach victims feel powerless or even trapped because the products and services they depend on from breached companies can’t easily be replaced, and nothing they can do as individuals will change the likelihood that their data will be breached.

The Dangers of Data Breach Fatigue

There’s another risk from data breach fatigue that is maybe underappreciated: that organizations will assume their security and privacy practices won’t matter to consumers. We know from surveys that consumers are very concerned about cybersecurity, but constant breaches have caused a steady erosion of trust between businesses and customers.

In another consumer survey from 2018, conducted by The Harris Poll on behalf of IBM Security, only 20 percent of respondents said they “completely trust” organizations they interact with to maintain the privacy of their data, and 73 percent said it is extremely important that companies take swift action to stop a data breach.

People do care about the security and privacy of their information, and some will take their business elsewhere. In the 2014 Ponemon survey for Experian, 29 percent of respondents said they stopped doing business with a company after a breach.

There are some things organizations can do to start rebuilding trust. Consumers expect a certain baseline of activity in a company’s response that includes identity theft protection and credit monitoring, access to customer service to handle questions and, perhaps most importantly, a sincere apology.

According to Michael Bruemmer, a vice president of consumer protection at the Experian Data Breach Resolution Group, the following steps are crucial to effective communications after a breach:

  • Provide timely notification explaining what happened and why.
  • Explain the risks or impact to the customer as a result of the breach.
  • Explain all the facts and don’t sugarcoat the message.
  • Make the communications more personal with less technical and legal jargon.
  • Describe easy-to-follow steps for customers to protect themselves from identity theft and fraud.
  • Consider using other communication channels to reach customers, including social media and a secure website to answer frequently asked questions and a way for customers to enroll in identity theft protection services.

Practice Your Incident Response Plan

Communicating with customers after a breach is just one element of an effective incident response (IR) plan. But most organizations don’t have any plan for responding to a breach.

Caleb Barlow, vice president of threat intelligence at IBM Security, said having an incident response playbook is “just the beginning.” Organizations need to practice for a full-business response and hone the crisis leadership and communication skills of executives, board members and heads of key departments, such as PR and HR.

“In the heat of the moment, there’s no time to fumble through the playbook and figure out what to do next,” Barlow wrote in a blog post. “That’s when your training and muscle memory kicks in and you execute your plan. If you don’t practice it, you are exposed to an avoidable disadvantage.”

To stop the cycle of data breaches and data breach fatigue, organizations and consumers alike need to shake off our fatalism and reluctance to change. Cyberattacks and breaches may be inevitable, but we have control over the way we respond, and we can’t afford to accept the status quo.

We can’t keep doing the same things and expect different results. If data breach fatigue keeps organizations stuck in a pattern of passive and uncoordinated breach responses — and if consumers remain reluctant to take security into their own hands — then every day is going to feel like just another Groundhog Day.

Learn how to build your breach response plan

The post Data Breach Fatigue Makes Every Day Feel Like Groundhog Day appeared first on Security Intelligence.

Social Engineering Training: Why Getting Hacked Is a Security Advantage

It was one of the highest phishing rates I had ever seen: Almost 60 percent of employees clicked the malicious link. Yet the client, a chief information security officer (CISO) of a Fortune 100 company, asked a question that caught me completely off-guard.

“So what?” he said, clearly unimpressed.

As a “people hacker” for X-Force Red, IBM Security’s team of veteran hackers, I’ve performed social engineering exercises for companies around the world. There seem to be a lot of misconceptions about my job and the usefulness of social engineering assessments in security audits.

Confronted with that CISO’s indifference, I tried to explain exactly how serious our findings were and what the consequences might mean for the business.

During this assessment, my team started off by getting several payloads through the company’s email filters undetected. We identified that only two of the 300 employees reported the phishing email. The incident response (IR) team didn’t start its investigation until two days later; during those two days, we managed to infiltrate some of the legal team’s email accounts, where we discovered that the company was the target of a lawsuit that wasn’t yet public. If that lawsuit were to leak, it could significantly hurt the company’s reputation.

Additionally, by reusing some of the passwords we had compromised, we were able to log in to multiple employee payroll accounts, where we had access to direct deposit information — again, undetected. A criminal attacker could have changed direct deposit account numbers to siphon funds from employee paychecks.

My answer seemed to surprise the CISO and his team. In the end, they acknowledged that I provided a lot more information about their security posture than they expected to receive from the assessment.

Learn more at the Jan. 29 webinar

Components of a Quality Social Engineering Assessment

If you ask someone to define a social engineering assessment, they would most likely say it tests the human aspect of security. However, if done correctly, it evaluates much more than that. Yes, assessments track how many times employees click a link, open an attachment or divulge sensitive information to a suspicious recipient on the phone. However, they can also assess if and how employees are reporting suspicious activity, and the effectiveness of IR and security awareness training programs.

With a well-designed assessment, the client should have a better understanding of how their IR team handles social engineering attacks. Many components of IR programs can be analyzed by answering questions such as:

  • How much time did it take for the IR team to respond to the social engineering activity?
  • Did the IR team follow any playbooks?
  • Did the team determine which employees knowingly or unknowingly divulged credentials, and did they issue password resets for those users?
  • If employees provided their credentials, did the IR team investigate whether those credentials were being used elsewhere as part of a suspicious activity?

In this type of engagement we test more than just people and processes; we can assess the effectiveness of security technologies too. Many of the actions performed — such as emailing a malicious payload, having an employee open a malicious USB device on their workstation, etc. — attempt to bypass different types of technologies in places such as email filters, intrusion detection systems (IDSs), antivirus software and more. Social engineering attack vectors test deployed technology to determine whether the social engineer can bypass them.

Effectiveness and Ethics of Social Engineering

Some critics have argued that social engineering assessments are pointless, as they know employees will always fail against such an attack. But these assessments provide valuable metrics, which are important to track over time to identify how employees are performing and identify any major deviations. Often, individual employees fall victim repeatedly. It’s important to identify these users so they can receive additional training, and the company should ensure those accounts have limited access.

Others have pointed to social engineering tests that went too far, such as targeting employees’ personal accounts. Each social engineering consultancy tests differently. That’s why it’s important for security leaders to define what’s acceptable for the company, so that testers don’t cross any ethical lines. This conversation between security leaders and testers typically happens during the scoping process.

Here’s another common refrain: “We already have a security awareness training program in place, and it covers social engineering.” But how do you know the program is effective? Without properly testing it, there is no way to determine whether it could efficiently and successfully contain an attack. Plus, employees should have continuous opportunities to identify social engineering activities. It is not a one-and-done exercise. Social engineering exercises are the most realistic training employees can get outside of an actual attack.

How a Box of Doughnuts Can Breach Your Defenses

Some of the social engineering assessments performed by X-Force Red include physical tests, such as walking into a building carrying a box of doughnuts to get past security, and remote tests, such as impersonating an auditor to trick employees into divulging sensitive corporate data over the phone. For each test, only a limited amount of company insiders know we are coming, and we scope the project ahead of time to ensure it is effective and ethical.

I can’t give away all our tricks of the trade, but you’ll have an opportunity to hear from five X-Force Red hackers, including me, when we share our greatest hits and best practices during a one-hour webinar on Jan. 29 at 11:00 a.m. EST. You may be surprised by some of the many ruses that get us through the door.

Register for the Jan. 29 webinar

The post Social Engineering Training: Why Getting Hacked Is a Security Advantage appeared first on Security Intelligence.

Maximize Your Defenses by Fine-Tuning the Oscillation of Cybersecurity Incidents

Information security is an interesting field — or, perhaps more accurately, a constant practice. After all, we’re always practicing finding vulnerabilities, keeping threats at bay, responding to cybersecurity incidents and minimizing long-term business risks.

The thing is, it’s not an exact science. Some people believe that’s the case, but they are only fooling themselves. Some security professionals strive for perfection in terms of their documentation. Others want their users to make good decisions all the time. I’ve even had people ask if I could do my best to provide a clean vulnerability and penetration testing report when doing work for them. Scary stuff.

I believe we’ve reached this point of striving for perfection largely due to compliance. Rather than truly addressing security gaps, we’re stuck in the mindset of checking boxes so that someone, somewhere can get the impression that work is being done and all is well in IT. Striving for perfection only serves to skew expectations and set everyone involved up for failure. The reality is you’re never going to have a perfect state of security, but you can have reasonable security if you take the proper steps.

Ready, Set, Practice

To improve enterprise security, organizations must do what I refer to as fine-tuning the oscillation of their security program. What do I mean by that? Let me give you a car racing analogy.

I compete in the Spec Miata class with the Sports Car Club of America (SCCA). It’s a super-competitive class with very little room for mistakes. Everything that we do as Spec Miata racers has to be fined-tuned — that is, if we’re going to win. Everything matters, from how hard we get on the brakes to how quickly we turn the steering wheel to how we get on and off the throttle. Even the turn-in points and apexes of corners are extremely important. Each little thing we do either works in our favor or works against us.

In car racing, fine-tuning the oscillation means getting better and better at the little things over time. In other words, we minimize atypical events — the mistakes that would show up as spikes on a graph — and get more consistent the more we race. You can certainly make improvements throughout a single race, but most fine-tuning comes with experience and years of seat time.

Make Small Adjustments Over Time

Information security is no different. In the context of your overall security program, threats, vulnerabilities and subsequent cybersecurity incidents represent the oscillation. If you’re looking for a visual, fine-tuning the oscillation means minimizing the amplitude and maximizing the frequency of a sine wave to the point where you have a tiny squiggly line that represents your security events. It’s almost a straight line, but as I said before, there’s no such thing as perfection in security.

Instead of having low-hanging fruit such as missing patches and weak passwords, you’re staying on top of patch management and password policy enforcement. Instead of a lack of network visibility, you have systems and technologies in place that allow you to see things happening in real time. Instead of experiencing a security incident, you’re able to prevent or mitigate the threat. Instead of a breach, you have business as usual.

Rather than playing by the terms of malicious actors seeking to bring down your business, you are the one in control. This is all done through acknowledging your weaknesses and blind spots and making small adjustments over time.

Minimize the Impact of Cybersecurity Incidents

Start viewing your security program from this perspective by asking a few simple questions. What areas need the most attention? Do you have some quick wins that you could start with to get your momentum going? Most organizations have a handful of areas with known security gaps that are creating big exposures — things like third-party patching, unstructured (and unprotected) information scattered about networks, and user security awareness and training. Aim to quickly close the gaps that create the greatest risk so you can spend more focused time on the smaller, but more difficult, problems.

Stretching out that sine wave and fine-tuning the oscillation of impactful cybersecurity incidents should be your ultimate goal. Be it racing cars or running a security department, time, money and effort are the essential elements. If you’re going to do either one well, it’s going to require good information, solid decision-making, and intentional and disciplined practice over and over again. That’s the only way you’ll get better.

The post Maximize Your Defenses by Fine-Tuning the Oscillation of Cybersecurity Incidents appeared first on Security Intelligence.

Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure

Just how well are organizations informing stakeholders about cyber risks? As 2018 drew to a close, that was the question that EY sought to answer in its “Cybersecurity Disclosure Benchmarking” report. EY looked at how Fortune 100 organizations are sharing information related to cybersecurity in their proxy statements and 10-K filings, specifically analyzing these documents for the following:

  • Information related to how the organization manages cybersecurity and security awareness and training — and whether those are part of a wider enterprise risk management (ERM) program.
  • Whether or not public filings contained statements about the importance of cybersecurity risks as strategic risks, or their potential impact on business objectives.
  • How the board is discharging its responsibility to oversee risks, focusing specifically on cybersecurity risks, including board member qualifications regarding cybersecurity as well as the structure and frequency of cyber reports from management.

Before we look at what EY’s analysis revealed, let’s take a step back and look at the environment that got us here.

Business Are Under Pressure to Disclose Cyber Risks

It’s no secret that cybersecurity has become a regular topic of discussion for boards and top leadership. But just because something is discussed every once in a while doesn’t mean that organizations are taking effective steps to deal with it. As the events of past two years have shown, cybersecurity risks are real, and publicly traded organizations that experience a cyber incident — be it a breach, ransomware attack, denial-of-service (DoS) or other digital disruption — will quickly find themselves in the spotlight with ample, but unwanted, news coverage.

The problem for many of these companies isn’t the spotlight from the press or the immediate drop in stock value — it’s the secondary but very significant impacts coming from class-action lawsuits, fines and other regulatory enforcements, and long-lasting scrutiny from regulators such as the U.S. Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC).

The SEC’s 2011 guidance reminded board directors that cybersecurity — at the time a relatively new issue rising to the board’s level — was a material issue to be addressed. The 2011 guidance specifically mentioned the need “to disclose conclusions on the effectiveness of disclosure controls and procedures,” especially since a cyber incident could impact many of the other areas in which organizations are normally required to disclose information (e.g., financial and operational risks).

However, in 2018, the SEC released updated guidance for cyber-related disclosures to not only remind organizations of their duty to have controls in place to deal with insider trading, but to, in the words of SEC Chairman Jay Clayton, “promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” Clayton went on to say he had requested that the SEC division of corporation finance continue to carefully monitor cybersecurity disclosures.

For those wishing to learn from the mistakes of others, the SEC maintains a list of cyber enforcement actions that includes cybersecurity-related matters.

Top Findings From EY’s Cybersecurity Disclosure Study

EY’s analysis of 10-K filings and proxy statements from Fortune 100 firms found that all organizations — yes, 100 percent — included cybersecurity as a risk factor consideration. Furthermore, 84 percent mentioned cybersecurity in the risk oversight section, and nearly 7 in 8 organizations had charged at least one committee with oversight of cyber risks (though, in 70 percent of those organizations, that committee was the audit committee, whose agenda is already bursting with challenging issues).

In terms of board qualifications, 41 percent of companies reported highlighting cybersecurity expertise as an area of focus for new board directors. But when it came to interactions with management, only 34 percent of organizations mentioned the frequency of board reports, with just 11 percent reporting briefing the board annually or quarterly.

Finally, in terms of risk management, 70 percent of organizations mentioned their cybersecurity efforts and activities, such as training, personnel, refining of processes and monitoring. However, only 30 percent made any reference to incident response planning, disaster recovery or business continuity, and a tiny fraction, just 3 percent, indicated that their preparations included items such as tabletop exercises or simulations.

An Opportunity for CISOs to Play a Larger Role

As companies increasingly acknowledge cybersecurity risks as strategic risks, chief information security officers (CISOs) have an opportunity to play a larger role in the organization’s plans, investments and overall digital strategy. Instead of representing the camp of “security-as-an-IT-issue” — and with this, the simplistic view of security as an impediment to business — the CISO can help drive better conversations around cyber risks and educate top leadership and the board on emerging cybersecurity and privacy issues, including those that aren’t directly connected to cybersecurity such as artificial intelligence (AI), robotics and blockchain.

CISOs can drive progress by engaging with top leadership and the board to provide broader awareness, education and participation in matters that organizations should be more transparent about. Those cyber-related matters include incident response and emerging threats as well as gauging the organization’s readiness (e.g., tabletop exercises, simulations) and the effectiveness of its cyber risk management program.

Recommendations for Board Directors

The EY report provides several recommendations in the form of questions for boards to improve their engagement regarding cybersecurity risks. It’s worth asking the following questions of your organization:

  • Has responsibility for cybersecurity been formally assigned at management level (e.g., CISO) and on the board itself (e.g., audit committee)?
  • Is the board getting regular briefings on the organization’s strategy regarding cybersecurity risks and cyber resilience? How engaged is the board in reviewing the organization’s cyber risk management program, and security-related investments?
  • How has the organization (i.e., management) fared in recent tabletop exercises or simulations? Are directors taking part in such activities?

The report also mentioned the benefits of contracting with external advisers to provide board directors the opportunity to have a “dialogue with third-party experts whose views are independent of management.”

In 2019, it is imperative that enterprises take action to inform investors about cybersecurity risks and incidents in a timely manner — even enterprises that are subject to risks but have not yet been the target of a cyberattack. In this light, board directors, top leadership and CISOs should take another look at how well their 10-K and proxy statements satisfy the requirement to disclose material information regarding cybersecurity risks.

The post Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure appeared first on Security Intelligence.

10 Cybersecurity Conference Trips You Should Make Time for This Year

Cybersecurity remains a top priority for chief information security officers (CISOs) worldwide, but it’s easy to get out of touch as the industry evolves at breakneck speed and attackers discover new and innovative ways to compromise corporate networks. That’s why it’s worth investing in cybersecurity conference trips to help IT professionals stay up-to-date by networking with vendors, thought leaders and colleagues.

Top Cybersecurity Conference Trips You Should Book in 2019

Not sure where to distribute your IT budgets for ideal returns? Here’s a roundup of some of the top cybersecurity conferences happening this year.

Cybertech Israel

Cybertech Israel will once again descend on Tel Aviv from Jan. 28-30. One of the premier B2B networking conferences for security professionals, Cybertech offers both a major exhibition and full conference schedule over the course of three days. This year, speakers will include Prime Minister of Israel Benjamin Netanyahu, Professor Dieter Kempf, president of the Federation of German Industries, and Dr. Sridhar Muppidi, IBM fellow and chief technology officer at IBM Security.

HIMSS 2019

Up next for the new year is HIMSS19, which will take place from Feb. 11–15 in Orlando, Florida. This year’s theme, “Champions of Health Unite,” will bring together insights from trailblazers, game-changers and strategizers to help health IT professionals set the stage for a secure and successful 2019. Topics will range from privacy and telehealth to care culture and clinician engagement. Given the critical role of technology in delivering and empowering health services, HIMSS19 promises to be a great starting point for this year’s conference lineup in the U.S.

Think 2019

IBM Think 2019, happening Feb. 12–15, is making the move this year to San Francisco. With more than 160 security-focused sessions across the conference’s dedicated Security and Resiliency Campus, there’s something for everyone. Key offerings include sessions on making security relevant to the C-suite, understanding the value of collaborative defense and transforming the role of incident response (IR) with new technologies such as IBM’s Watson.

View the Think 2019 security and resiliency curriculum roadmap

RSA Conference

One of the industry’s biggest annual conferences, RSAC is also held in San Francisco and will run from March 4–8. This year’s theme is “Better” — building better solutions, creating better connections and developing better responses. From securing robot-designed code to measuring data breach impacts and examining the value of human risk management, this massive conference (40,000+ attendees) always delivers value.

Cyphercon 4.0

Demonstrating that bigger isn’t always better, Cyphercon 4.0 will be held in Milwaukee from April 11–12. This cryptography and information security-focused offering strives to create an informal, welcoming environment that offers benefits for experts and beginners alike. All session abstracts are reviewed without speaker names attached, ensuring that only high-quality (not merely high-profile) presentations make the cut.

40th IEEE Symposium on Security and Privacy

With the General Data Protection Regulation (GDPR) now in full effect and privacy legislation a top priority for many countries, enterprises would be well served by any cybersecurity conference that tackles this increasingly complex field. The Institute of Electrical and Electronics Engineers (IEEE)’s 40th symposium will take place in San Francisco from May 20–22 and wil lbring together some of the industry’s leading researchers and practitioners to help organizations evaluate their current privacy policies and prepare for the next generation of personal data defense.

Gartner Security and Risk Management Summit

Happening in National Harbor, Maryland, from June 17–20, Gartner’s yearly conference includes sessions about emerging information security priorities such as machine learning, analytics and blockchain. More generally, the conference tackles the critical need to make security and risk top organizational priorities by offering a combination of meaningful networks, expert guidance and real-world scenarios.

Black Hat

One of two premier hacker conferences taking place in Las Vegas each summer — DEF CON is the other — Black Hat is more formal and also one of the most popular conferences every year. This year, the conference will be held from Aug. 3–8. Topics are wide-ranging; last year’s event examined the potential of voting machine compromise, and in 2015, researchers hacked a moving Jeep.

BSides

BSides, scheduled for Aug. 6–7 in Las Vegas, is a free conference that will celebrate its 10th year in 2019 and offers the benefit of small-group participation for all attendees. Walk-in passes are snapped up quickly, so if you’re in town for Black Hat or DEF CON, make sure to stop by the Tuscany Suites; this year, BSides has the entire hotel booked.

GrrCon

Rounding out the year is the more informal GrrCon, scheduled for Oct. 24–25 in Grand Rapids, Michigan. This conference is small — just 1,500 attendees — and focuses on creating a fun atmosphere where executives, security professionals, students and hackers can exchange ideas and uncover new insights.

Start the Year Off Strong

Less than 24 hours after the ball dropped in Times Square, this year saw its first data breach: As reported by CBR Online, more than 30,000 Australian civil servants had their data stolen. It’s a bellwether for 2019 — a not-so-subtle sign that threat actors will continue to compromise corporate data to leverage or generate profit. More importantly, it’s a reminder to start the year off strong — to revisit existing security polices, design more holistic defenses and make time for the best cybersecurity conference offerings of 2019.

The post 10 Cybersecurity Conference Trips You Should Make Time for This Year appeared first on Security Intelligence.

Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions

Security operations centers (SOCs) are struggling to create automated detection and response capabilities. While custom security information and event management (SIEM) use cases can allow businesses to improve automation, creating use cases requires clear business logic. Many security organizations lack efficient, accurate methods to distinguish between authorized and unauthorized activity patterns across components of the enterprise network.

Even the most intelligent SIEM can fail to deliver value when it’s not optimized for use cases, or if rules are created according to incorrect parameters. Creating a framework that can accurately detect suspicious activity requires baselines, naming conventions and effective policies.

Defining Parameters for SIEM Use Cases Is a Barrier to SOC Success

Over the past few years, I’ve consulted with many enterprise SOCs to improve threat detection and incident response capabilities. Regardless of SOC maturity, most organizations struggle to accurately define the difference between authorized and suspicious patterns of activity, including users, admins, access patterns and scripts. Countless SOC leaders are stumped when they’re asked to define authorized patterns of activity for mission-critical systems.

SIEM rules can be used to automate detection and response capabilities for common threats such as distributed denial-of-service (DDoS), authentication failures and malware. However, these rules must be built on clear business logic for accurate detection and response capabilities. Baseline business logic is necessary to accurately define risky behavior in SIEM use cases.

Building a Baseline for Cyber Hygiene

Cyber hygiene is defined as the consistent execution of activities necessary to protect the integrity and security of enterprise networks, including users, data assets and endpoints. A hygiene framework should offer clear parameters for threat response and acceptable use based on policies for user governance, network access and admin activities. Without an understanding of what defines typical, secure operations, it’s impossible to create an effective strategy for security maintenance.

A comprehensive framework for cybersecurity hygiene can simplify security operations and create guidelines for SIEM use cases. However, capturing an effective baseline for systems can strengthen security frameworks and create order in chaos. To empower better hygiene and threat detection capabilities based on business logic, established standards such as a naming convention can create clear parameters.

VLAN Network Categories

For the purpose of simplified illustration, imagine that your virtual local area networks (VLANs) are categorized among five criticality groups — named A, B, C, D and E — with the mission-critical VLAN falling into the A category (<vlan_name>_A).

A policy may be created to dictate that A-category VLAN systems can communicate directly with any other category without compromising data security. However, communication with the A-category VLAN from B, C, D or E networks is not allowed. Authentication to a jump host can accommodate authorized exceptions to this standard, such as when E-category users need access to an A-category server.

Creating a naming convention and policy for VLAN network categories can help you develop simple SIEM use cases to prevent unauthorized access to A resources and automatically detect suspicious access attempts.

Directory Services and Shared Resources

You can also use naming convention frameworks to create a policy for managing groups of user accounts according to access level in directory services, such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). A standardized naming convention for directory services provides a clear framework for acceptable user access to shared folders and resources. AD users categorized within the D category may not have access to A-category folders or <shared_folder_name>_A.

Creating effective SIEM rules based on these use cases is a bit more complex than VLAN business logic since it involves two distinct technologies and potentially complex policies for resource access. However, creating standards that connect user access to resources establishes clear parameters for strict, contextual monitoring. Directory users with A-category access may require stricter change monitoring due to the potential for abuse of admin capabilities. You can create SIEM use cases to detect other configuration mistakes, such as a C-category user who is suddenly escalated to A-category.

Username Creation

Many businesses are already applying some logic to standardize username creation for employees. A policy may dictate that users create a seven-character alias that involves three last-name characters, two first-name characters and two digits. Someone named Janet Doe could have the username DoeJa01, for example. Even relatively simple username conventions can support SIEM use cases for detecting suspicious behavior. When eight or more characters are entered into a username field, an event could be triggered to lock the account until a new password is created.

The potential SIEM use cases increase with more complex approaches to username creation, such as 12-character usernames that combine last- and first-name characters with the employee’s unique HR-issued identification. A user named Jonathan Doerty, for instance, could receive an automatically generated username of doertjo_4682. Complex usernames can create friction for legitimate end users, but some minor friction can be justified if it provides greater safeguards for privileged users and critical systems.

An external threat actor may be able to extrapolate simple usernames from social engineering activities, but they’re unlikely to guess an employee’s internal identification number. SIEM rules can quickly detect suspicious access attempts based on username field entries that lack the required username components. Requiring unique identification numbers from HR systems can also significantly lower the risk of admins creating fake user credentials to conceal malicious activity.

Unauthorized Code and Script Locations

Advanced persistent threats can evade detection by creating backdoor access to deploy a carefully disguised malicious code. Standard naming conventions provide a cost-effective way to create logic to detects malware risks. A simple model for script names could leverage several data components, such as department name, script name and script author, resulting in authorized names like HR_WellnessLogins_DoexxJo. Creating SIEM parameters for acceptable script names can automate the detection of malware.

Creating baseline standards for script locations such as /var/opt/scripts and C:\Program Files\<org_name>\ can improve investigation capabilities when code is detected that doesn’t comply with the naming convention or storage parameters. Even the most sophisticated threat actors are unlikely to perform reconnaissance on enterprise naming convention baselines before creating a backdoor and hiding a script. SIEM rules can trigger a response from the moment a suspiciously named script begins to run or a code file is moved into an unauthorized storage location.

Scaling Security Response With Standards

Meaningful threats to enterprise data security often fly under the radar of even the most sophisticated threat detection solutions when there’s no baseline to define acceptable activity. SOC analysts have more technological capabilities than ever, but many are struggling to optimize detection and response with effective SIEM use cases.

Clear, scalable systems to define policies for acceptable activity create order in chaos. The smartest approach to creating effective SIEM use cases relies on standards, a strong naming convention and sound policy. It’s impossible to accurately understand risks without a clear framework for authorized activities. Standards, baselines and naming conventions can remove barriers to effective threat detection and response.

The post Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions appeared first on Security Intelligence.

Need a Sounding Board for Your Incident Response Plan? Join a Security Community

Incident response teams face myriad uphill battles, such as the cybersecurity skills shortage, floods of security alerts and increasing IT complexity, to name just a few. These challenges often overwhelm security teams and leave security operations center (SOC) directors searching for strategies to maximize the productivity of their current team and technologies to build a capable incident response plan.

One emerging solution is a familiar one: an ecosystem of developer and expert communities. Collaborative online forums have always been a critical part of the cybersecurity industry, and communities dedicated to incident response are growing more robust than ever.

How to Get Involved in a Developer Community

Incident response communities can be a crucial resource to give security analysts access to hands-on, battle-tested experience. They can deliver highly valuable, lightweight, easy-to-use integrations that can be deployed quickly. Community-driven security can also provide playbooks, standard operating procedures (SOPs), best practices and troubleshooting tips. Most importantly, they can help foster innovation by serving as a sounding board for your team’s ideas and introduce you to new strategies and techniques.

That all sounds great, but how do you know what community can best address your incident response needs? Where do you begin? Below are a few steps to help you get started.

1. Find the Communities That Are Most Relevant to You

To combat new threats that are being coordinated in real time, more and more vendors and services are fostering their own communities. Identify which ones are most relevant to your industry and business goals.

To start, narrow down your search based on the security products you use every day. In all likelihood, you’ll find users in these product-based communities who have faced similar challenges or have run into the same issues as your team.

Once you’ve selected the most relevant communities, make sure you sign up for constant updates. Join discussion forums, opt in to regular updates, and check back frequently for new blogs and other content. By keeping close tabs on these conversations, you can continuously review whether the communities you’ve joined are still relevant and valuable to your business.

2. Identify Existing Gaps in Your Security Processes

Communities are disparate and wide-ranging. Establishing your needs first will save you time and make communities more valuable to you. By identifying what type of intelligence you need to enhance your security strategy and incident response plan ahead of time, you can be confident that you’re joining the right channels and interacting with like-minded users.

Discussion forums are full of valuable information from other users who have probably had to patch up many of the same security gaps that affect your business. These forums also provide a window into the wider purpose of the community; aligning your identified gaps with this mission will help you maximize the value of your interactions.

3. Contribute to the Conversation

By taking part in these conversations, you can uncover unexpected benefits and give your team a sounding board among other users. As a security practitioner, it should be a priority to contribute direct and honest information to the community and perpetuate an industrywide culture of information sharing. Real-time, responsive feedback is a great tool to help you build a better security strategy and align a response plan to the current threat landscape.

Contributing to a community can take various forms. Community-based forums and Slack channels give developers a voice across the organization. By leveraging this mode of communication, you can bring important intelligence to the surface that might otherwise go under the radar. Forum discussions can also expose you to new perspectives from a diverse range of sources.

A Successful Incident Response Plan Starts With Collaboration

For its part, IBM Security gathers insights from experienced users across all its products in the IBM Security Community portal. Through this initiative, IBM has expanded its global network to connect like-minded people in cybersecurity. This collaborative network allows us to adapt to new developments as rapidly as threats evolve.

Collaboration has always been cybercriminals’ greatest weapon. It creates massive challenges for the cybersecurity industry and requires us to fight back with a united front of our own. With the support of an entire security community behind you, incident response tasks won’t seem so overwhelming and your resource-strapped SOC will have all the threat data it needs to protect your business.

Discover Community Day at Think 2019

The post Need a Sounding Board for Your Incident Response Plan? Join a Security Community appeared first on Security Intelligence.