Anatomy of well-managed malware incident
Published: Jul 21, 2017
Author: Joan Ross
by Joan Ross, Managing Principal, Cybersecurity

It's 6 a.m. when you, the CISO of an organization, are alerted that zero-day malware is running rampant across the Internet, infecting and spreading across your globally connected business. By now, this type of occurrence is nothing new to you – in fact, some form of malware has existed ever since computing systems evolved. You should therefore be well prepared for these common events in one of two ways.
Scenario One: You manage the 24/7/365 incident response team of dedicated, trained professionals. They are experts at detecting and containing exactly these types of incidents. You've ensured they are well funded, adequately staffed and trained for this type of event, and equipped with the tools and technologies required to combat it. You have established, defined and tested standard operating procedures to ensure no one skips an important step in the heat of the active prevention, containment, and analysis phases. Your staff is not re-tasked or otherwise diverted onto other projects, but has dedicated "eyes-on-glass" alerting and action in place. In fact, one of them is notifying you that they are on alert, prepared and performing their standard procedures. They will keep you apprised as the malware spreads across the globe, paying careful attention to business partner and supplier systems and connections. You educate all company personnel, including executives, at least quarterly, on this type of threat. You counsel them on how to be cautious, suspicious and resistant to being duped. Your established process to alert employees and business partners has already been enacted. Proper preventive measures have been enacted by your security personnel across firewalls, email systems, and other venues of infiltration. The malware variant is being analyzed, and your staff is in touch with your vendor for the status of their emergency signature patch.
Scenario Two: You are an experienced CISO and business professional, pragmatic and astute enough to know that there is inadequate funding to build or maintain this type of incident response team. Incident response is not your organization's core competency. Your duty is to inform, advise, and recommend an adequate security solution. This is when your decisions and actions matter for your career, your company, and your customers. You recommend an experienced company well known for its cyber intelligence and global SOC monitoring: one that authors data breach intelligence reports based on its global backbone, and whose experienced, dedicated, global security operations team delivers value that justifies the cost of a rapid response. Selection criteria matter. Your 6 a.m. notification comes from your SOC partner, providing you with all the information you need to confidently inform your organization that you are on alert and that all industry best-practice standards are in effect and ongoing. Your company does not make the headlines, and your business partners extend further trust because you have managed and invested well.