Cybersecurity emergencies seem to happen when an organisation feels it is least prepared. And that call to a weekend war room is an experience that no CISO and their team want. While it might appear to be a bolt from the blue, in my experience it is more like slow rolling thunder that builds into a loud clap you can never properly anticipate.
The first way to take control is to ensure that the business has visibility. There is no doubting that gaining visibility of threats and vulnerabilities is not easy, but it is fundamental. Can you see everything in the environment?
Do not mistake visibility for simply logging. All organisations accumulate logs of one sort or another from any number of different systems. This can be useful, but what is essential is context. Context gives you the powerful capability to correlate log activity from the different domains and enclaves within an environment. From there, the challenge is for a human to sit in the middle, correlate the information, put context around it, and then be in a position to respond.
Integrating different logs and visibility tools only takes you so far towards a more proactive approach. The next step is to do what the best security operations centers do when they confront security incidents: make use of a standardised framework that defines which security responses are needed.
The weekend war room is a product of reactive management. Yet that does not mean that there should not be a weekday war room. Proactive organisations should have periodic assessments with IT security staff and management. Engaging key stakeholders simply and regularly can make all the difference.
For a successful war room, the dashboard and any associated reports should show the relative level of risk associated with vulnerabilities in the organisation and a timeline of when they will be fixed.
Some other facets of the dashboard help reduce the pain of tackling a security incident. It is important for the organisation to know and show what is connected to the network. Trying to figure that out after an incident has occurred is never a pleasant task. The dashboard and associated reports should also provide context around security alerts in a way that’s easily understandable to help determine
Organisations should actively track incidents so that executives can easily see if there have been any attempts to detonate malicious software within the enterprise—and whether or not those attempts were blocked.
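The correlation-with-context idea from the visibility discussion above, together with the dashboard facets just described (relative risk per asset, what is on the network, and whether detonation attempts were blocked), can be made concrete in a small script. The following is an added example written for this article, not tooling from the author; the host names, the asset inventory, the endpoint-protection events and the proxy events are all constructed sample data, and the five-minute join window and the risk ranking are my own assumptions.

```python
"""Correlate endpoint detections with proxy logs and asset context.

Added example for this article, not the author's tooling. All hosts, events
and the inventory below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: host -> owner and business criticality.
ASSETS = {
    "ws-finance-07": {"owner": "finance", "criticality": "high"},
    "ws-dev-12": {"owner": "engineering", "criticality": "low"},
}

# Constructed endpoint-protection detections, already parsed into dicts.
ENDPOINT_EVENTS = [
    {"ts": "2024-05-11T09:02:10", "host": "ws-finance-07",
     "action": "blocked", "file": "invoice.exe"},
    {"ts": "2024-05-11T09:30:44", "host": "ws-dev-12",
     "action": "allowed", "file": "build_helper.exe"},
]

# Constructed web-proxy events from a separate enclave.
PROXY_EVENTS = [
    {"ts": "2024-05-11T09:01:55", "host": "ws-finance-07", "dest": "files.example.invalid"},
    {"ts": "2024-05-11T09:30:20", "host": "ws-dev-12", "dest": "cdn.example.invalid"},
    {"ts": "2024-05-11T11:00:00", "host": "ws-unknown-99", "dest": "cdn.example.invalid"},
]

WINDOW = timedelta(minutes=5)  # assumed join window between download and detection


def _parse(ts):
    return datetime.fromisoformat(ts)


def rank(criticality, action):
    """Relative risk for the dashboard: unblocked detections on critical assets first."""
    if action != "blocked":
        return "critical" if criticality == "high" else "high"
    return "medium" if criticality == "high" else "low"


def correlate(endpoint_events, proxy_events, assets, window=WINDOW):
    """Join each detection to proxy downloads from the same host shortly
    before it, and attach owner/criticality from the inventory."""
    incidents = []
    for det in endpoint_events:
        t = _parse(det["ts"])
        related = [
            p["dest"] for p in proxy_events
            if p["host"] == det["host"] and timedelta(0) <= t - _parse(p["ts"]) <= window
        ]
        asset = assets.get(det["host"], {"owner": "unknown", "criticality": "unknown"})
        incidents.append({
            "host": det["host"],
            "owner": asset["owner"],
            "criticality": asset["criticality"],
            "file": det["file"],
            "action": det["action"],
            "sources": related,
            "risk": rank(asset["criticality"], det["action"]),
        })
    # Highest risk first so the war room sees what matters without scrolling.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    incidents.sort(key=lambda i: order[i["risk"]])
    return incidents


def unknown_hosts(proxy_events, assets):
    """Hosts seen talking on the network that the inventory does not know about."""
    return sorted({p["host"] for p in proxy_events if p["host"] not in assets})


def dashboard_summary(incidents, proxy_events, assets):
    """Executive view: detonation attempts, how many were stopped, inventory gaps."""
    blocked = sum(1 for i in incidents if i["action"] == "blocked")
    return {
        "attempts": len(incidents),
        "blocked": blocked,
        "not_blocked": len(incidents) - blocked,
        "unknown_hosts": unknown_hosts(proxy_events, assets),
    }


if __name__ == "__main__":
    inc = correlate(ENDPOINT_EVENTS, PROXY_EVENTS, ASSETS)
    for i in inc:
        print(f"[{i['risk']:8}] {i['host']} ({i['owner']}) {i['file']} "
              f"{i['action']} via {i['sources']}")
    print(dashboard_summary(inc, PROXY_EVENTS, ASSETS))
```

The point of the join is that neither source alone tells the story: the endpoint agent knows a file was caught or missed, the proxy knows where it came from, and only the inventory says who owns the machine and how much it matters. The unblocked detection on the low-criticality host still ranks above the blocked one on the finance machine, and the host the inventory has never heard of surfaces as its own line item rather than being silently dropped.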
Having visibility and a clear picture of the health and maturity of security operations underpins a proactive security organisation. Taking a proactive approach to security does not just help save the weekend—it can help solve the difficulties of IT security staffing too. By integrating visibility and automation that enable a proactive approach, an organisation can speed up routine tasks, freeing up sometimes scarce security analyst resource to do more high-level, human-intensive work.
No one wants to get that call to join a weekend war room, ruining precious time with family and friends. The key to preventing that outcome is to embrace a proactive strategy that provides visibility and context that help identify risks before they become weekend war room incidents.