Game Time: The Role of Special Teams in Incident Response

November 1, 2016

We find ourselves in the middle of football season as we tackle the NIST Cybersecurity Framework’s “Respond” function. The first category, Response Planning, comes down to one thing: effective execution.

Of course, being matched up against an opponent that doesn’t play by the rules presents certain challenges. In response, think big. It may be time for the entire team to take to the field. But not in a bench-clearing brawl sort of way. Instead, your organization might consider fielding three special teams, all at once, and with purpose and discipline:

The Network Security Team

Typically anchored by the Chief Information Security Officer, with considerable playing time given to forensic consultants, this is the crucial defensive line of incident response that turns detection into action. Some responses will be automated; others will require a manual review of logs and case-by-case decision-making. These defenders primarily are focused on two things: calling the plays for the defensive effort, while isolating and protecting the most critical data and systems (perhaps even reconfiguring the playing field mid-game!). Members of this group will assess and categorize the severity of events and follow escalation procedures, determine how to harden the environment against further attack, consider whether to adjust anomaly detection rules, and capture lessons learned.

The Business Team

Should the hackers advance into corporate territory, risk-conscious and security-aware executives may need to step in and simultaneously quarterback the offense and defense. Business leaders should consider the impact a major incident can have on operations, determine the overall game plan, and then call the formation. On offense, the most important task for this team is to keep the key business objectives on the field and driving towards the end zone. On defense, leaders will consider when to launch business continuity plans, approve crisis communications, and conduct ongoing business impact analyses to ensure accurate stock filings and Board oversight.

The Legal Team

The last line of defense should be led by the legal department and outside counsel. These safeties (ever-strong, never free) get to the bottom of a company’s legal obligations and liability exposure with perfect timing and anticipation, while helping to preserve attorney client privilege. They are focused on helping the other two teams stop the bad guys and achieve business success without getting a penalty or fine. They also are versatile, covering a wide range of external players, including law enforcement, insurance carriers, shareholders, regulators, data breach notification experts and media.

Pulling all of this together, the comparison of incident response to a team sport is apt. Companies must suit up, organize and align a wide range of specialized players when responding to significant events. Fortunately, the defenders routinely shut down major offensives. Still, keeping the opposing team from scoring is important, but it does not ensure victory. In order to win, companies simultaneously must play offense, by moving around the hackers and relentlessly pursuing their own goals. Hmmm. Perhaps I should have compared this to European football!

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

Game Time: The Role of Special Teams in Incident Response

The Network Security Team

The Business Team

The Legal Team

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Managing Supply Chain Risk

Security Magazine

2020 October

Game Time: The Role of Special Teams in Incident Response

The Network Security Team

The Business Team

The Legal Team

Recent Articles by Steven Chabinsky

Related Articles

Report Abusive Comment