The importance of cooperation during a security response

• Put aside differences to collaborate for better incident response
• Constantly ask questions and re-evaluate objects to stay focused

THE call one gets from the security incident response (IR) team, in the wake of a security breach or cyber-attack, is the call that no one ever looks forward to hearing.

In the aftermath of an attack, organisations often find their IT teams at their wits end; unable to systematically mitigate losses and restore services. Why does this happen and is there a better way for organisations to be prepared for these instances?

That was the question asked during a rather unusual session at the 30th Annual FIRST Conference in Kuala Lumpur where Microsoft cloud artificial intelligence security response lead Ben Ridgway (pic) discussed Security Response Survival Skills.

He went on to explain that sometimes security incidents can personally affect even responders which often leads to them not following processes when dealing with sensitive software systems. This, in turn, could derail an operation when mistakes are made and the wrong systems are shut down in response.

Ridgway’s first advice for companies dealing with difficult IR situations is to ensure that they have an experienced and competent instance manager. This is crucial as their team is often unsure and look towards him or her to go forward with a logical and rational response.

Even if the IR manager is not experienced and has stepped up, the most they can do is open their ears and just make the first step forward. “Everyone is faking it to some level. You don’t know and are scared but you still need to move forward anyway. As you do, the next steps are presented to you and just pay attention as they come,” he said.

If all else fails, a simple way to ground oneself is to ask questions on the team’s plan of execution and work together. By constantly re-evaluating the objective, Ridgway finds that the team would avoid wasting energy.

On that note, he observes that security responders often charge in and act like the knight in shining armour trying to save the day when all they are really doing is adversarial.

A better way to go about this, he finds, is to ensure that everyone works together as a cohesive unit and arrives at a solution together. Show respect and recognition so that people don’t need to feel that they need to be on their guard.

Regardless of how prepared one may be, it always pays to do dry runs over and over again to get people used to what may happen when a crisis does occur. He notes that even a company’s leadership should be involved in these drills as they need to know how they should be communicating with their people during such incidents.

So how does one build a good IR team that can stay calm under fire? Having good procedures and a firm organisational structure, not unlike that in the military or police force, can help keep things together.

Lastly, he stressed that establishing firm accountability is crucial as well as recognising when one needs to step away when they are stressed and know that there is no shame in doing that.

Related Stories:

Gartner’s cloud scorecard reveals new findings

Threat information sharing group for central banks, regulators and supervisors

Good bots vs. Bad bots