The Human Element of Incident Response – Part Three
By Vanessa Pegueros
DocuSign Chief Information Security Officer
There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused. In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the care and development of employees should be at least as important as the development of technology, and she offers items to consider relative to developing the human elements of incident response.
Part Three - Preventing Level One Trauma During Incident Response
In my previous article, I discussed the human response to dangerous and life-threatening situations. As part of researching this topic, I have read numerous books and articles on human trauma and how humans respond to it, and I authored a paper, published on sans.org, entitled “Lessons Learned from the Treatment of Trauma in Individuals and Organizations Under Repeated Cyber Attacks.”
A key takeaway from my research is that without an effective escape from the dangerous situation, the symptoms of level 1 trauma (the reptilian brain response, i.e. fight, flight or freeze) may cause long-term negative impacts. I contend that organizations experience similar effects when facing persistent cyberattacks or a serious breach. Given that it is not possible to prevent all potential attacks, what can security leaders do to minimize the impact of trauma on their staff so that they perform at an optimal level?
The key is to enable your teams to move out of level 1 response into the higher value areas of brain functioning, which include modes such as interaction, thinking, planning and relationship. Automation is a key enabler to helping teams move and stay out of a level 1 response.
At a high level, the steps to incident response based on NIST 800-61 rev 2 include: 1) preparation; 2) detection and analysis; 3) containment, eradication and recovery; and 4) post-incident activity. Automation is key to steps two and three.
The security industry is quickly coalescing around the criticality of automation, as well as embracing new, emerging categories such as security orchestration and automated incident response. This is a natural evolution in the space, as many teams struggle with the increasing volume and complexity of cyber events and a shortage of qualified incident responders.
As security tools and APIs have matured, there is more opportunity to integrate external threat intelligence (IOCs, hash values, IPs) with internal information (logs, netflow data, malware samples) to provide better automation. The realities of these threats are driving venture-funded startups to develop solutions that address these complexities. Having proper automation in place allows humans to focus on higher-level processing and stay out of the reptilian response mode, thus preventing any long-term impacts of trauma.
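As an added illustration of the integration described above (this is not DocuSign's or the author's code), the following Python matches a constructed threat-intelligence feed against constructed internal events, rolls the hits up per host, and proposes a containment step for an analyst to approve. The feed values, hostnames, severity labels and actions are all assumptions.

```python
import hashlib
import ipaddress

# Constructed threat-intel feed: a few made-up IOCs of the kinds named in the text.
SAMPLE_HASH = hashlib.sha256(b"constructed malware sample").hexdigest()
IOC_FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "cidr": {ipaddress.ip_network("192.0.2.0/24")},
    "sha256": {SAMPLE_HASH},
}

# Constructed internal telemetry: a proxy log entry, netflow records and an EDR file event.
INTERNAL_EVENTS = [
    {"source": "proxy", "host": "ws-0142", "dst_ip": "203.0.113.45"},
    {"source": "netflow", "host": "ws-0203", "dst_ip": "192.0.2.77", "bytes": 48213},
    {"source": "edr", "host": "ws-0142", "sha256": SAMPLE_HASH, "path": "downloads/invoice.exe"},
    {"source": "netflow", "host": "ws-0099", "dst_ip": "10.0.0.5", "bytes": 120},
]

# Assumed severity scheme: a hash hit means the file is already on the host,
# a network hit may only be a beacon attempt, so it ranks lower.
SEVERITY = {"sha256": "high", "ip": "medium", "cidr": "medium"}
CONTAINMENT = {
    "high": "isolate host (pending analyst approval)",
    "medium": "block destination at egress",
}


def match_event(event, feed):
    """Return the (indicator_type, indicator) pairs that this event matches."""
    hits = []
    if event.get("sha256") in feed["sha256"]:
        hits.append(("sha256", event["sha256"]))
    dst = event.get("dst_ip")
    if dst:
        if dst in feed["ip"]:
            hits.append(("ip", dst))
        addr = ipaddress.ip_address(dst)
        hits.extend(("cidr", str(net)) for net in feed["cidr"] if addr in net)
    return hits


def triage(events, feed):
    """Aggregate matches per host into one alert with a severity and a suggested action."""
    alerts = {}
    for ev in events:
        for kind, ioc in match_event(ev, feed):
            alert = alerts.setdefault(ev["host"], {"severity": "medium", "indicators": []})
            alert["indicators"].append({"type": kind, "value": ioc, "source": ev["source"]})
            if SEVERITY[kind] == "high":
                alert["severity"] = "high"
    for alert in alerts.values():
        alert["action"] = CONTAINMENT[alert["severity"]]
    return alerts
```

Running `triage(INTERNAL_EVENTS, IOC_FEED)` yields one high-severity alert for ws-0142 (network plus file hit) and one medium alert for ws-0203, leaving the responder to approve or reject the proposed actions rather than hand-correlate the raw events.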
Next, CISOs should focus on developing capabilities around process and communication related to incident response. CISOs should look at alignment with the incident process of the larger organization, to ensure understanding and training around the process as well as having a strong communication plan in place at all levels of the organization.
Most organizations already have an incident response process for functions outside of security, whether in production operations or within corporate IT. These processes must be integrated as much as possible when developing the security incident response process. Integration covers the severity rating nomenclature, the SLAs for resolution, and the escalation process and procedures.
Relative to communication, having a predefined approach is important. The communication plan should be well understood, with employees at all levels of the organization trained.
During the incident, the predefined communication vehicles (emails, company website, employee intranet, etc.) must be updated regularly, and employees should know how they will be informed and what they should do with the information. Regular communication to the organization builds the trust of employees and executives and reduces the chance of longer-term traumatic effects on the organization.
If a bridge line is utilized for communication during an incident, a best practice is to establish two different lines – one for the core incident team addressing the issue, and a separate bridge line for executives. Having two different lines will help the core team perform their duties without the potential involvement of executives that may prove distracting.
Finally, consider the resilience and learning of the organization. Because of the potential magnitude of this trauma, it is important to approach resilience and learning in a comprehensive and holistic manner involving all critical parts of the organization.
The incident response team should extend beyond technical teams, with representation from Customer Care, Marketing, HR, Legal, Public Relations, C-level Executives and the Board. Not every incident will involve every function, but all functions should be trained and ready to respond if needed.
The most effective way to train these groups is to conduct incident response exercises, ideally on a quarterly basis at a minimum. But simply conducting the exercise is not enough – the lessons learned and associated action items must be incorporated in order to promote organizational learning. Following up on action items is critical to making real change in the process and the organizational approach to incident response.
In my final piece of this 4-part series, I will discuss the role of executive management and the Board relative to this topic. I will also make some recommendations for improvement by these key organizational leaders.