According to one survey, 95% of organizations outsource part or all of their Security Operations Center[i], and that includes incident management. Is leveraging third party expertise the most effective way to obtain security incident management services?
Developing in house capability for security management has a lot of benefits. Your organization has a function with full responsibility for its detection and response capabilities, and there are very high levels of customization available for the people, process and technology involved in that function. However, this comes at a cost: effective incident management capability requires significant up front and ongoing investments. An organization must be dedicated to staying at the cutting edge of cyber defense – and this takes a lot of continuous investment in equipment, people, research and time.
What is Incident Management?
Security incident management is the process of detecting and responding to cyber security incidents, including threats, as they occur.
Incidents vary in severity and impact. Examples could include the typical internet “noise” of drive-by attacks through to real targeted attacks by dedicated threat actors. They could also include behavior by regular employees or third party suppliers that, while not intentionally malicious, violates one or more processes or policies that your organization has.
The Incident Management Process
There are a few layers to an effective cyber security incident management process: strong people, process and technology are all mandatory.
- You’ll need a dedicated team of cyber security professionals who are driven to constantly hone their tradecraft. A team culture of excellence and of purpose is of utmost importance.
- Those people will need to behave consistently, deliberately and calmly - especially while working a live incident. Mature processes, including playbooks, for all facets of incident management are key.
- It is likely that there will need to be automation and orchestration across various pieces of software and other technology.
Attracting and retaining the best people is the foundation for your process and technology to work effectively, but ultimately, the three elements are like the legs on a stool: take one away and the stool no longer functions.
Often, an incident starts with an alert. A member of the defensive function will then analyze that alert, triage it and, if necessary, escalate it to the incident response function. The ISO 27035[ii] standard details a five step cycle that helps to break down a mature cyber security incident management process flow into bite size chunks:
- Plan and Prepare. You must establish a cyber security incident management policy, as well as establish an incident response team.
- Detection and Reporting. It’s important to have a mechanism to identify events that may become alerts and even incidents.
- Assessment and Decision. Those events and alerts must be triaged. Are they a false positive or do they represent a real threat?
- Responses. A confirmed incident must be contained and eradicated. Recovery is also of key importance.
- Lessons Learned. As with any effective process, there should be an internal debrief where lessons learned are identified and acted on. Each incident is an opportunity to further improve your cyber security posture.
The specifics of implementing these ideas can and do vary between organizations, but the foundations of a successful incident management function always remain the same.
In House or Third Party?
There’s no “right answer” to the question of whether to build an incident management function in house or to delegate it to a third party specialist. Each organization is different, and there are good reasons to choose either.
An effective in house function can potentially yield greater flexibility, customization and integration with the business. However, that comes at great cost in time and effort. According to Gartner[iii], global spending on information security is due to hit $124 billion in 2019. A significant portion of this spending will be on information security management systems.
An organization must also be dedicated to becoming, and remaining, cyber defense experts in order to have an effective defense function. It’s a domain that requires high levels of expertise. According to the Congressional Report[iv] on the well-known Equifax data breach, an expired SSL certificate prevented their intrusion detection system from picking up on the attack as it happened. There are thousands of considerations for a defensive team, and a small oversight in any of them can have magnified consequences.
We have worked closely with organizations who had the objective of building their own internal incident management functionality. Those organizations are typically very large multinationals, and with dedication, it’s been possible for them to attain a fully operational internal function in around two years. One of the biggest challenges for those organizations has been attracting the right people and talent. People are the foundation of any successful business unit, and the highest performing cyber security professionals often prefer working for dedicated cyber security consultancies, where they’re exposed to a wide variety of clients. Creating an appealing and high performing cyber security culture is often a challenge that is very difficult to overcome.
On the other hand, there are organizations of all sizes who opt to leverage third party experts for their incident management needs. Unless your organization has the resources and determination to become absolute experts in cyber defense, leveraging third parties for some or all incident management needs is likely to be the most efficient and cost-effective approach. The time from zero capability to full capability is much smaller than with in house development, and a third-party provider will be able to leverage economies of scale in order to reduce costs. As a very real additional benefit, the right vendor will serve as a trusted cyber security partner over the long term, rather than a passive service provider.
There is no right or wrong answer to the question of “in house” or “third party”; a range of variables, many of which have been outlined here, must be thoroughly considered. We’ve helped many organizations work their way through this process and define the best strategy for them.
Incident Management Solutions - Vendor Selection
If you decide to engage with a third party to use their expertise in cyber security incident management, it is vital that you select one that excels in your required capabilities and who shares your own organization’s values.
Generally speaking, a competent vendor will have the following capabilities and traits:
- A research and development team. Developing new capabilities, and continuously integrating them into the incident management solution, is key to maintaining top tier defensive capabilities.
- An offensive security team. Often referred to as a red team, this gives the vendor the capability to truly understand the current state of the art when it comes to the tactics, techniques and procedures available to various threat actors. If the red team works closely with the incident management team, they can enter a symbiotic relationship where both offensive and defensive security skills improve.
- A threat intelligence team. Understanding different threat actors, and their tactics, techniques and procedures, is very important to effective response and incident management. Defending and responding to the unknown is difficult, and not likely to yield a high quality service.
- A 24 hour security operations center. Attackers don’t all work 9-5 in a given time zone, and neither should your defenders. An incident could unfold at any time of the day, and a high quality vendor will have a strong and capable set of people on 24 hour rotation.
- An incident response team. In the event of a confirmed incident, what will your vendor do? Incident management requires incident managers and incident responders. There must be a team that can efficiently and calmly determine the specifics of a cyber incident: origin, scope, etc. They must be able to help with containment and recovery, too. This process must be well managed and have specific output, e.g. a report and debrief, with actionable information.
- A team of highly competent and driven people who have the right professional experience, certification, and passion. The culture of the incident management team, and the vendor as a whole, is really important.
- A sensible set of data protection measures. The vendor will have access to a lot of your own organization's sensitive data. As a minimum, look for the basics, for example ISO 27001 certification, a breach notification policy, and a sense that they take your data security very seriously.
- A desire for long term partnership. Avoid vendors who seem to want to close a deal at any cost with a “one size fits all” approach. The best value will come from a partnership. The vendor should be taking the time to truly understand your current objectives and capabilities, as well as your vision for the future. They should demonstrate a desire to be a true cyber security partner and trusted advisor.
- A desire for collaboration. This is closely related to the desire for partnership. Find a service provider that values your understanding of your own business, that works hard to assess your needs, and that helps to not only fill those gaps but to educate you on how to develop over time. They should help you to build maturity and, essentially, operate as an extension of your own team.
It’s important to note that this list is not exhaustive, and your requirements will almost certainly vary. That, in itself, is a great place to start. Before you speak to a third party, make sure your organization has determined its incident management objectives, current strengths and weaknesses, etc. If your primary motivation is compliance, that will likely drive a very different set of selection criteria than if it’s because you’ve experienced a recent breach or other incident.
For most organizations, we recommend some or all cyber security incident management capability is outsourced. This approach typically provides a lower cost of operation, as well as providing a fast track to many compliance requirements. For those who go the in-house route, we recommend outside expert help with the initial setup.
Careful consideration of your organization's objectives and resources will be key in determining the exact approach. There is no “one size fits all” approach and a competent and trustworthy third-party provider will be able to help your organization navigate these issues.