Throughout history, those protecting something of value have been at a distinct disadvantage. One example is the notorious James-Younger gang known for successfully robbing banks all across the US in the late 1800s. Bank security guards and Pinkerton detectives, try as they might, could not stop Jesse James and his band of outlaws.
Today, the advantage still lies with criminals—in particular, cybercriminals. It's impossible to find and correct every software or hardware flaw, and, like the James-Younger gang, modern data robbers only need one flaw to get in.
SEE: Information security incident reporting policy (Tech Pro Research)
How can we limit damage and get back to normal after a security incident?
Those responsible for maintaining a company's security posture understand network penetrations and data breaches are inevitable, so their goal becomes limiting the damage and returning to normal operation as soon as possible. However, up until recently, implementing something capable of effectively managing unpredictable situations has been difficult at best.
In their paper The Business Evolution: From Incident Management to Critical Event Management, authors from Enterprise Management Associates, an industry analyst and consulting firm, put more of a point on it:
"Most enterprises are at a relatively immature state in managing critical events. EMA research finds the majority of organizations still take a more reactive, ad hoc approach toward applying incident management and response beyond IT. Response activities tend to be highly compartmentalized, with few organizations having programs designed to efficiently marshal the resources necessary to address defined incidents."
When it comes to incidents specific to IT, the paper's authors point out there are Incident-Management (IM) protocols such as ITIL (formerly Information Technology Infrastructure Library) and Incident-Response (IR) tools such as Information Technology Service Management (ITSM) to help IT personnel restore a service following an unplanned interruption or a reduction in service quality. It's relatively common to use IM and IR protocols.
The paper's authors suggest caution when making decisions that affect the entire company based solely on an IT department's perspective. This is where Critical Event Management (CEM) comes to the rescue.
What is Critical Event Management?
The EMA paper's authors define CEM as a method to rapidly form and communicate unified responses to emergency situations, such as terrorist attacks, natural disasters, cyberattacks, major IT outages, industrial accidents, or just about any other type of emergency. Many people consider "unified" the most important word in the above definition. Members from all departments play a role in making decisions, which lessens the possibility of missing or misjudging a critical piece of information (Figure A).
From the paper, here is a list of the activities CEM architectures should employ to be effective.
Assess: What actually happened, and what is the impact? This includes gathering threat data and contextual information needed to assess the magnitude of a risk from a range of sources, including:
- Threat-intelligence feeds;
- IT-system intelligence;
- Public-safety information;
- Weather status and forecast;
- Social-media information; and
- Data from the location of the threat.
Locate: This includes identifying employees and visitors who could be in harm's way, employees needed to resolve the particular event, and key stakeholders affected by the event.
Act: When should the response be started?
Analyze: Review the effectiveness of the incident response. In particular, ask if resources were missing and which tasks took too long in order to identify bottlenecks and improve future incident responses.
Visualize and orchestrate: These important components will help build a complete picture of the security event from multiple and, likely, differing viewpoints.
Communicate and collaborate: Keep employees and key stakeholders informed and abreast of what they need to do.
What are the software components to CEM?
Besides describing what activities the CEM platform should employ, the paper's authors go into detail as to what software functions are needed:
- Rules and policy engine;
- External event ingestion;
- Location awareness;
- Notification engine;
- Contacts database; and
- Open API for integration with other control, notification, and alerting systems.
"In addition, the critical nature of the system requires that redundancy be built into the system to ensure high availability," states the authors of the EMA paper. "Redundancy should span data centers, communications providers, network operations centers, and access points. Redundancy also applies to people."
Critical Event Management solutions are being offered commercially for businesses unable to develop their own CEM platform.
- OnSolve: The company focuses on cloud-based communication and collaboration tools that are capable of delivering notifications and alerts.
- Everbridge: The company provides enterprise software applications that automate and accelerate organizations' operational response to critical events.
- You've been breached: Eight steps to take within the next 48 hours (free PDF) (TechRepublic)
- 100% of corporate networks 'highly vulnerable' to attacks, here's how to secure yours (TechRepublic)
- NIST Cybersecurity Framework: A cheat sheet for professionals (TechRepublic)
- IBM: Fewer records are being breached, but cyber attacks are getting more costly (ZDNet)
- Incident response: What needs to be in a good policy (ZDNet)
- Incident response policy (Tech Pro Research)
Information is my field...Writing is my passion...Coupling the two is my mission.