Cyber Security Strategy; A Pound of Cure

Scott Millis

by Scott Millis – Chief Security Strategy Officer at ISC8

As I said in a previous posting, “when one is sick, one wants a cure and lots of it”. For security professionals there is usually a very high urgency attached to any infection event, so perhaps the emergency room metaphor is appropriate. It’s straightforward to describe: immediate action in a prescribed order of precedence until the patient is stabilized and can be transferred to a less urgent treatment setting. Complete and precise documentation of every action taken, drugs administered, reactions and vital signs is required in order to eliminate mistakes and educate those farther down the treatment chain.

(I’m sure all health care professionals will take umbrage with my simplification of their important life-saving work, and who could blame them? It’s obviously not that simple, but bear with me just a bit longer.)

Does this scenario accurately describe the part of the corporate security organization charged with incident response? Is your security operations center (SOC) set up for rapid action, using prescribed procedures? Are you documenting progress and observations with medical precision? Are you educating the rest of the organization on the actions taken, why they were taken, and the results?

I’m sure for many of us the answer would be a triumphal “YES!” Some of the rest of us are still working to get there, or to improve what we’ve got. A few of us may know generally what we need to do, but need some help to step up our game. I’ll have some thoughts on this important topic soon, and clearly we need to continue to be uber-responsive to our “walk-in trauma victims” when they present themselves. I hope you will join in the dialogue.

But think about this too: it’s easy to jump into action when the patient is delivered to you in an ambulance. How do we find the ones lying in the street somewhere in our neighborhood (network)? That’s right: right now there are infected systems in your network. Hopefully they are few and dormant. Once you detect them, incident response will be critical.

We’ll talk about HOW to DETECT them next.