Cisco security executives laid out five real-world tips enterprise incident response (IR) teams should focus on in dealing with potential cyberattacks. The tips included key technologies and processes those teams should have already deployed or have on hand in order to deal with a security incident. 

Those tips were provided by Wendy Nather, who is head of Cisco’s Advisory CISOs, and Cisco’s Director of Threat Intelligence Matt Olney during a virtual panel at this week’s Black Hat cybersecurity event. The two debated IR needs versus the reality CISOs face in planning for security incidents. 

Olney raised five topics that have kept coming up in incident response for many years, and Nather explained, from a CISO’s perspective, how to build a sustainable program around evidence-based practices.

Back Everything Up

Nather started by stating that a solid backup plan is needed to deal with the increase in ransomware attacks. However, she noted that organizations typically have no control over how their third-party providers handle such backups, and reminded companies to move backups offline as soon as they are completed so that attackers cannot reach them.

Olney added that if a ransomware attack occurs, executives need to determine whether it is faster to pay the ransom and decrypt the systems or to restore them from backups. For the latter, however, organizations would need to back up and restore the entire enterprise, so backups by themselves are not a complete solution to ransomware encryption.

Nather suggested that companies should also have a restore plan, especially for their most centralized and critical systems, and test the backups with their providers.
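Nather’s advice to test backups and have a restore plan can be turned into a routine drill. The following is an added example, not code from the panel or from Cisco: it records a SHA-256 manifest when a backup is taken, restores the archive into a scratch directory and checks every file against that manifest, reporting what restored intact, what is missing and what came back altered. The directory layout, file names and archive format are constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, archive_path: Path) -> dict:
    """Write a gzipped tarball of source_dir and return a manifest {relative path: sha256}.

    The manifest is the trusted reference for later drills, so in practice it is
    kept with the offline copy, separately from the live backup target.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(path, arcname=rel)
    return manifest


def restore_drill(archive_path: Path, manifest: dict) -> dict:
    """Restore the archive into a scratch directory and check it against the manifest.

    Returns which manifest entries restored intact, which are missing, which have a
    different hash, and which restored files the manifest never listed.
    """
    report = {"ok": [], "missing": [], "mismatch": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The "data" filter refuses members that would write outside scratch_dir.
                tar.extractall(scratch_dir, filter="data")
            except TypeError:  # interpreter predates the extraction-filter backport
                tar.extractall(scratch_dir)
        restored = {
            p.relative_to(scratch_dir).as_posix() for p in scratch_dir.rglob("*") if p.is_file()
        }
        for rel, expected in manifest.items():
            target = scratch_dir / rel
            if not target.is_file():
                report["missing"].append(rel)
            elif sha256_of(target) != expected:
                report["mismatch"].append(rel)
            else:
                report["ok"].append(rel)
        report["unexpected"] = sorted(restored - set(manifest))
    return report


def run_demo():
    """Constructed scenario: a clean drill, then a drill against a backup taken after tampering."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        source = work_dir / "data"
        (source / "config").mkdir(parents=True)
        (source / "config" / "app.yaml").write_text("db: prod\n")
        (source / "notes.txt").write_text("quarterly figures\n")

        good_archive = work_dir / "good.tar.gz"
        manifest = create_backup(source, good_archive)
        clean_report = restore_drill(good_archive, manifest)

        # Simulate data that was silently altered before the next backup ran:
        # one file overwritten (think encryption), one file deleted.
        (source / "notes.txt").write_text("ENCRYPTED\n")
        (source / "config" / "app.yaml").unlink()
        bad_archive = work_dir / "bad.tar.gz"
        create_backup(source, bad_archive)  # its manifest is untrusted; verify against the good one
        damaged_report = restore_drill(bad_archive, manifest)
    return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean drill:", clean)
    print("damaged drill:", damaged)
```

In use, `create_backup` runs at backup time and `restore_drill` at drill time; the second scenario shows why the manifest has to be kept with the offline copy rather than regenerated from whatever the latest backup contains, since a backup of already-altered data verifies cleanly against its own manifest.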

Don’t Set It and Forget It

Olney then pointed to a pair of related challenges facing IR teams: configuration issues and maintaining a defensive stance against an agile attacker.

Nather cited a recent Cisco report showing that timely incident response was among the practices with the greatest impact on a security program’s success. “If you set it and forget it, you are not going to be in any position to know what is normal anymore in that system,” she added.

Practice, Practice, Practice

Most enterprises, for various reasons, can’t practice incident response directly, so they use tabletop exercises and robust incident response planning as substitutes, Olney said.

Even though practice can be costly, some of the most mature organizations do practice every week, Nather explained. She recommended the Twitter account “Tabletop Scenarios,” which tweets different tabletop scenarios for cybersecurity attacks.

Get All Your Logs 

Getting logs “is the one that I think hurts IR teams the most,” Olney said, adding that they can only work with the logged data. 

“Nobody logs at the level that you would like to see as an IR professional,” Nather responded, adding “especially for retention purposes, it is incredibly expensive.”

Olney explained that a moderately sized enterprise could spend millions of dollars on this problem, so the technical team has to set priorities that balance the amount of data logged against the retention period.

Olney and Nather suggested that as companies invest in endpoint detection and response (EDR) and two-factor authentication (2FA), they need to loop those investments into their overall logging strategy. If companies are moving to secure access service edge (SASE) or moving controls into the cloud, they need to rethink their assumptions and recategorize all the data they are collecting.

MFA Against Compromised Credentials

“If you’re only going to do one thing to improve your security” and to address the attack vector of compromised credentials, Nather said, the answer is multi-factor authentication (MFA).

She explained that many actors run automated scans and automated credential stuffing, and MFA is a real deterrent against them.

“If I had to make a choice between a firewall and an MFA solution I would take the MFA solution,” Olney echoed.

However, Nather did point out that MFA adds friction to the user experience, which is why it’s important to choose the right MFA.
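The credential stuffing Nather describes, many different accounts tried from one source with mostly failures, is a pattern the authentication logs discussed in the previous section can surface, provided the source, account and outcome were logged at all. The following is an added example, not code from the panel or from Cisco: a sliding-window detector run over constructed sample authentication events. The log format, field names, RFC 5737 documentation addresses, user names and thresholds are all assumptions. For each flagged source it lists the accounts where a guess succeeded, which are the accounts whose takeover MFA would still block and which a defender would want to reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (documentation addresses, made-up users).
# The detector only sees what was logged: timestamp, source, user and outcome.
SAMPLE_AUTH_LOG = """\
2024-08-07T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-08-07T09:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-08-07T09:00:02Z src=203.0.113.7 user=carol result=FAIL
2024-08-07T09:00:03Z src=203.0.113.7 user=dave result=FAIL
2024-08-07T09:00:03Z src=203.0.113.7 user=erin result=SUCCESS
2024-08-07T09:00:04Z src=203.0.113.7 user=frank result=FAIL
2024-08-07T09:00:04Z src=203.0.113.7 user=grace result=FAIL
2024-08-07T09:05:10Z src=198.51.100.22 user=heidi result=FAIL
2024-08-07T09:05:40Z src=198.51.100.22 user=heidi result=FAIL
2024-08-07T09:06:05Z src=198.51.100.22 user=heidi result=SUCCESS
2024-08-07T09:30:00Z src=203.0.113.7 user=ivan result=FAIL
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_events(text: str) -> list:
    """Turn log lines into (timestamp, source, user, succeeded) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match["src"], match["user"], match["result"] == "SUCCESS"))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Per source address, slide a time window over its events and flag windows in which
    many distinct accounts were tried with a high failure rate: the stuffing signature.

    A single user failing a few times and then succeeding (a typo, then the right
    password) never reaches min_users and so is not flagged. For each flagged source
    the widest window seen is kept, with the accounts that actually succeeded.
    """
    by_source = defaultdict(list)
    for event in sorted(events):
        by_source[event[1]].append(event)

    findings = {}
    for source, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_events = evs[start : end + 1]
            users = {e[2] for e in window_events}
            failures = sum(1 for e in window_events if not e[3])
            if len(users) < min_users or failures / len(window_events) < min_fail_ratio:
                continue
            previous = findings.get(source)
            if previous is None or len(users) > previous["distinct_users"]:
                findings[source] = {
                    "distinct_users": len(users),
                    "attempts": len(window_events),
                    "succeeded": sorted(e[2] for e in window_events if e[3]),
                }
    return findings


if __name__ == "__main__":
    for src, detail in find_credential_stuffing(parse_events(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {detail['distinct_users']} accounts in {detail['attempts']} attempts; "
              f"valid passwords found for {detail['succeeded'] or 'none'}")
```

The thresholds are deliberately parameters: the right window, account count and failure ratio depend on how much is logged and for how long, which is exactly the retention trade-off the panel raised.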