Preface: This is the first installment of a 3-part blog series called “Stories from the Front Lines”. Each installment will feature a different user story, inspired by D3’s real projects and interactions with customers. Each will illustrate a common problem and explore an effective solution with the appropriate software tools.
Meet Ashley, a senior incident responder in the cyber SOC of a major North American bank. Specializing in the detection and remediation of malicious code, Ashley spends a good portion of her day wading through an avalanche of SIEM events. Like most organizations, the bank has had trouble hiring and retaining qualified cyber analysts. The daily volume of notable events keeps mounting, and Ashley is getting overwhelmed – the SIEM is alerting her to far more events than she and her team can possibly handle.
Ashley has seen the numbers, and knows the bank is being constantly bombarded by phishing attacks. She suspects that a significant proportion of the malicious code she deals with is gaining entry to the bank’s network in this manner, through what amounts to basic human error. She knows that, in general, staff members simply aren’t well-versed in basic cyber security, and they’re often fooled into clicking on links they shouldn’t, hundreds of times every day across the enterprise. Searching for a solution to this problem, she thinks an education campaign could have a significant impact, and brings the idea to her manager. Being well aware of the problem, he agrees with her, but replies that large-scale training comes at a significant cost, and he doesn’t have the data to make a business case to sell the concept to upper management.
Ashley is worried not only that she cannot do her job effectively, but that this leaves the bank exposed to a major risk of data breach, liability, and damage to brand reputation. If a potential solution is within reach, how does she get this message across to the decision-makers who have to foot the bill?
In 2016, we often see millions of dollars poured into detection and remediation technologies, and for good cause (the massive risk posed to major organizations by cyber incidents has been well documented). However, as illustrated in the commonplace example above, organizations sometimes lack an effective process for the oft-neglected but critical step of closing the (incident management) loop. In cyber security, “closing the loop” means that the cyber incident management team incorporates a feedback mechanism to improve its own processes going forward. Practically speaking, this means organizations need to learn from their own real-world incidents, analyzing not only actual impacts but potential ones, in order to quantify and qualify their impact on the business, and then use this information to adapt prevention and response strategies.
While it is easy to say, this approach poses some major challenges in the real world. Taking into account the sheer volume of cyber events crossing an analyst’s desk each day, it takes a committed and disciplined security program, and a systematic approach, to effectively execute post-incident investigations and attribute each incident to a breakdown in the defenses: a root cause. Failing to implement changes and corrective actions based on lessons learned squanders one of the most important tools a cyber security team has in its tool belt: continuous adaptation and improvement. This failure may contribute to any number of undesirable outcomes, including one as basic as Ashley’s above, where the incident responders on the front lines know intuitively what the root cause of the problem is, but don’t have the hard data to present the situation or make an effective business case to the C-suite on how to implement a solution.
So long as incidents and response processes are logged on spreadsheets and shared drives, management will not have the necessary transparency into incident volumes, frequencies, severities, and, most importantly, root causes, which are crucial to making informed decisions for the enterprise. It sounds strange to say, but cyber security teams are behind their peers in accounting, HR, and operations when it comes to the adoption of enterprise-grade management information systems (MIS). Until this changes, the actionable information that is so critical to the executive class will fail to reach them in any consistent or meaningful way.
To learn how D3 can provide value to your organization, click on the button below to schedule a personalized demo.