© Eric C. Thompson 2018
Eric C. Thompson, Cybersecurity Incident Response, https://doi.org/10.1007/978-1-4842-3870-7_2

2. Necessary Prerequisites

Eric C. Thompson, Lisle, Illinois, USA
Prior to building the incident response program, specific capabilities must exist. At a minimum, these should include adoption of a chosen framework; an understanding of the assets the entity must focus on protecting; documentation of the risks to the confidentiality, integrity, and availability of the assets; and assurance that all fundamental protective capabilities exist. Examples of these capabilities include:
  • Access-control processes and restriction of elevated privileges

  • Protection from misuse of data in motion, in use, and at rest

  • Hardening of hardware, based on established standards

  • Understanding and management of vulnerabilities

  • Existence of communication and control network protections (firewalls, etc.)

Establishing the Identify and Protect Functions

Cybersecurity is a cost function, one not viewed as a driver of revenue for an organization. Rarely does the information security program get noticed when things are going well. Cybersecurity leaders must continually justify a program’s expense and its need for full-time employees (FTEs). A business may never see value in cybersecurity until a crisis is averted or mitigated successfully. More likely, security gets blamed when a breach occurs. Despite these challenges, cybersecurity must still protect the entity’s assets. The first step is to define the cybersecurity program through the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), as outlined in Figure 2-1, by creating a strategy aligned with the NIST CSF.

Figure 2-1. Components of the cybersecurity program required to build a highly effective response program

Defined Cybersecurity Program

To achieve the goal of incident response, which is to mitigate the impact of events, incidents, and breaches, the entire cybersecurity program must operate effectively, not just the response and recovery programs. The program should be driven by purpose and mission, communicated to all members of the cybersecurity team, which, in turn, should be aligned and working toward the same objectives.

Cybersecurity shall relentlessly protect our patients’ health information by establishing effective, fundamental Identify and Protect capabilities and building world-class Detect, Respond, and Recover capabilities.

This healthcare provider example of a mission statement also describes the strategy for protecting patient information. The mission and purpose are to relentlessly protect patient information, and the strategy is focused on building fundamental identification and protection capabilities first, then world-class detection, response, and recovery capabilities. All of the preceding components (see Figure 2-1) are derived from subcategories within the NIST CSF.

After establishing the purpose and mission, the program is assessed and measured to determine the maturity and effectiveness of the current state. Measuring the current state drives the road map for meeting the mission. Using a three-year time horizon, annual objectives push the program forward. Creating accountability for the who, what, where, when, and how of achieving program objectives; forming subprograms; and achieving alignment with the mission come next.

A Programmatic Approach

Building cybersecurity programs leads to measurement and improvement actions that continue year over year. Domain thinking, by contrast, might lead to focusing on competencies and one-and-done approaches for certain capabilities. Consider, for example, the Protective Technology subcategory of the NIST CSF Protect category. Implementing firewalls managed by a security engineer could lead some to feel that the network perimeter is sufficiently protected and that no additional effort is required for this subcategory. Programs, however, are continuous. Iterations, cycles, or sprints (the terms do not matter) occur with defined milestones. Once those milestones are met, new ones are created. In terms of a cybersecurity program, the hope is that milestones become more incremental as the program matures.

Identifying Programs

The Protective Technology subcategory logically fits into a network protection program. The program leader and team should focus on ensuring that fundamental technology is implemented. People and process components keep devices configured according to secure leading practices. Highly mature programs track specific metrics and analyze each according to criteria established by the entity, such as the following: Was traffic blocked incorrectly? Was malicious traffic missed? Were configuration changes made without approval, or were insecure configurations found? This data is used during annual planning and budget exercises to identify improvements in people, processes, and technology that make the program more effective. In a program-centric environment, this ritual occurs annually, to ensure that the program remains on track to meet the organization’s needs. Figure 2-2 illustrates examples of programs entities may create within the NIST CSF.

Figure 2-2. Examples of individual cybersecurity programs within the ABC Cybersecurity Program

An incident response program is an essential component of a cybersecurity program. Each CSF component serves to make the others better and able to meet the cybersecurity organization’s objectives. As outlined earlier in the chapter, an incident response program will not meet its objectives if programs such as access management, data protection, information protection, and all others are not following effective program management.

How Does Each Program Support Incident Response?

Incident response, as a program, is vital to an entity so that damage from attacks is limited. Incident response is not a stand-alone program. Without effective programs supporting it, limited capabilities exist to quickly detect, contain, eradicate, and recover from breaches. Figure 2-3 shows examples of how each program contributes to incident response.

Figure 2-3. Examples of how each cybersecurity program within an entity supports incident response. Deficiencies in each program reduce the effectiveness of the incident response program.

Summary

Prior to acting on the desire to build a best-in-class incident response program, it is necessary to establish the capabilities outlined in the Identify and Protect Functions of the NIST CSF. These NIST CSF functions, as part of cybersecurity programs supporting the incident response program, must be fundamentally effective. Without governance, risk management, asset management, network protection, threat management, access management, change control, training and awareness, and business continuity/disaster recovery, it is nearly impossible for the incident response program to be effective. Each of the programs outlined executes key activities required for incident response to be effective. Without these, the potential for incident response to meet the entity’s needs is limited.