SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-12-24

Incident Response at Sony

Published: 2014-12-24
Last Updated: 2014-12-24 22:41:18 UTC
by Rick Wanner (Version: 1)
3 comment(s)

For those of you who are not aware, Sony currently has a job posting for a Manager of Incident Response. Where I come from they refer to that as "closing the barn door after the horse has got out." Still, they do need to start somewhere, and all in all it sounds like a cool job for an experienced Incident Handler. They do mention SANS certifications. Of course they put SANS certifications on the same level as CISSP and CISM, but it is a step.

My piece of advice for the new IR manager at Sony is to go back and review, and update, their incident response plans, since the Sony response to this incident was farcical at best. Matthew Schwartz at InfoRiskToday has published a post describing "Sony's 7 Breach Response Mistakes". If you want the details please go over and read his article, but to summarize, he says that the 7 mistakes were:

  1. Failure to spot the Breach
  2. Poor breach response
  3. Shooting the messenger
  4. Contradicting themselves
  5. Ceding control of the conversation
  6. Failure to Take Responsibility
  7. Hoarding old emails

Those of you who are students of the SANS Incident Response methodology will be aware that it uses the mnemonic PICERL: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Assuming that Sony had an IR plan and followed it, comparing this methodology to the Sony "mistakes" it struck me that most of Sony's failures resulted from insufficient time spent in Preparation.

Most people think of preparation as making sure you have the proper preventive and detective controls in place to prevent a breach if possible, and to detect it if not. But preparation needs to include many other aspects, including an incident management framework, a response strategy, and a communication plan.

The incident management framework defines every aspect of your incident response team, from who the participants are, to who is in charge, to how the team will communicate. In most companies IR has become a technical IT function. While having the correct technical resources to respond to an incident is important, having the correct management structure in place to effectively manage the incident is equally important. Don't forget to include legal and communications functions in the incident response team; they will be indispensable in a public breach.

The response strategy comprises the processes and procedures that will be used in the case of an incident. One great way to develop these processes and procedures is to run tabletop exercises and mock incident exercises with the IR team. The output of these exercises should be moderately detailed plans for handling those incidents. Anticipating common scenarios in advance makes the actual response smoother and less stressful when an incident occurs. It is not possible to anticipate every conceivable incident, but think of the processes and procedures as building blocks that can be reused and modified in the case of a real incident.

An important part of any public incident is effective communication with the press and your external stakeholders such as customers and shareholders. A key part of this is getting your legal and communications people on the same page as your executives. The time to be figuring out what you will and won't release publicly is not in the heat of an incident. In my experience that usually leads to paralysis, and ultimately looks like you have something to hide or are trying to mislead. Much like your incident strategy, the communication plan is best devised in advance as part of the mock incidents and tabletop exercises. In my opinion communicating the truth, early and often, is the best approach. The communication function was where Sony fell down the worst, with both internal and external communications.

With this in mind, it seems like a good time for all of us to review our IR plans in light of some of the high profile breaches this year.

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Grown Up Security Christmas List

Published: 2014-12-24
Last Updated: 2014-12-24 15:27:30 UTC
by Rick Wanner (Version: 1)
4 comment(s)

My wife is a Christmas music junkie. Starting right after Remembrance Day, every moment in our house or car is filled with the sounds of Christmas music, either from her own iTunes collection (currently 623 songs and growing yearly), or streamed from the Internet or satellite radio. Every year there seems to be one song that becomes an ear worm and sticks with me for the entire Christmas season. A couple of years ago it was "Oh Holy Night", another year it was "I Want a Hippopotamus for Christmas", and this year I discovered a new one, at least to me: "My Grown Up Christmas List". The song was written by Canadian David Foster and his then wife Linda Thompson-Jenner. It was originally recorded by David Foster with vocals by Natalie Cole in 1990, but probably the most famous version was recorded by Amy Grant in 1992, although it has been covered many times since. The gist of the song is that we should not be asking Santa Claus for more stuff for Christmas, but that our Christmas list should ask to solve society's and the world's problems. Definitely a good sentiment in these uncertain times.

Today I got thinking...if the ISC were to have a Grown Up Security Christmas list, what would be on it?

Please submit your ideas via the forum comments, or via our contact page.

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
