Game Time: The Role of Special Teams in Incident Response
We find ourselves in the middle of football season as we tackle the NIST Cybersecurity Framework’s “Respond” function. The first category, Response Planning, comes down to one thing: effective execution.
Of course, being matched up against an opponent that doesn’t play by the rules presents certain challenges. In response, think big. It may be time for the entire team to take to the field. But not in a bench-clearing brawl sort of way. Instead, your organization might consider fielding three special teams, all at once, and with purpose and discipline:
The Network Security Team
Typically anchored by the Chief Information Security Officer, with considerable playing time given to forensic consultants, this is the crucial defensive line of incident response that turns detection into action. Some responses will be automated; others will require a manual review of logs and case-by-case decision-making. These defenders primarily are focused on two things: calling the plays for the defensive effort, while isolating and protecting the most critical data and systems (perhaps even reconfiguring the playing field mid-game!). Members of this group will assess and categorize the severity of events and follow escalation procedures, determine how to harden the environment against further attack, consider whether to adjust anomaly detection rules, and capture lessons learned.
The Business Team
Should the hackers advance into corporate territory, risk-conscious and security-aware executives may need to step in and simultaneously quarterback the offense and defense. Business leaders should consider the impact a major incident can have on operations, determine the overall game plan, and then call the formation. On offense, the most important task for this team is to keep the key business objectives on the field and driving towards the end zone. On defense, leaders will consider when to launch business continuity plans, approve crisis communications, and conduct ongoing business impact analyses to ensure accurate stock filings and Board oversight.
The Legal Team
The last line of defense should be led by the legal department and outside counsel. These safeties (ever-strong, never free) get to the bottom of a company’s legal obligations and liability exposure with perfect timing and anticipation, while helping to preserve attorney client privilege. They are focused on helping the other two teams stop the bad guys and achieve business success without getting a penalty or fine. They also are versatile, covering a wide range of external players, including law enforcement, insurance carriers, shareholders, regulators, data breach notification experts and media.
Pulling all of this together, the comparison of incident response to a team sport is apt. Companies must suit up, organize and align a wide range of specialized players when responding to significant events. Fortunately, the defenders routinely shut down major offensives. Still, keeping the opposing team from scoring is important, but it does not ensure victory. In order to win, companies simultaneously must play offense, by moving around the hackers and relentlessly pursuing their own goals. Hmmm. Perhaps I should have compared this to European football!