In episode 57 of The Cyber5, we are joined by Colby Clark, Director for Cyber Threat Management. He’s also the author of the recently published book, The Cyber Security Incident Management Master’s Guide.

We baseline incident response playbooks around customer environment, threat, landscape, regulatory environment, and security controls. Afterward, we discuss how incident response (IR) playbooks have evolved in the last five years and they have scaled in the cloud. We discuss telemetry that is critical to ensure an IR team can say with confidence that an incident is accurate, complete and truthful in order to avoid breaches. Lastly, we discuss the criticality of threat intelligence in the IR process and what boards really care about during an incident. 

Four Topics Covered in this Episode:

1. The Shift in Incident Response Playbooks

Playbooks used to be contact lists, and an outline of roles and responsibilities of who to call during a cybersecurity incident. It was typically based on recovery from natural disasters. Today, threat -based playbooks are more specific and actionable tailored to the enterprise environments that were based on compliance and insurance requirements. 

In Clark’s book, in his execution with clients, 13 distinct domains are relevant for baselining these playbooks; including customer environment, threat landscape, regulatory environment, and security controls. Most importantly, incident management is a repeatable process over a period time that adapts to regulators. Enterprise solution tooling is always behind the tooling of the attackers, and therefore, gap analysis within IR playbooks is a constant job for any IR team.

1. The Need for Consolidating Cybersecurity Solution Tools

• Security practitioners sometimes struggle with knowing the business functionality of applications and systems within enterprise networks, which makes identifying what is normal or malicious challenging.
• If security technology is not tuned with consideration for the people and process involved, the tooling is useless. 
• Network encryption pervasiveness is making network traffic analysis tools increasingly irrelevant; all important telemetry, to reduce visibility gaps, is moving to the endpoint (devices, servers). Realizing big companies cannot have endpoint detection and response agents (EDR solutions) on every endpoint, means some network traffic capture is still important to track. 

1. Incident Response Migration and Evolution to the Cloud

• Tooling: In 2014, EDR tools started to be developed that took over anti-virus software and since then has detected 80% of breaches. EDR, and now XDR (Extended Detection and Response), solutions that operate in the cloud (AWS, GCP, Azure) are the only means to quickly detect and recover from cyber incidents, especially with a distributed workforce. 
• Protecting Environment: Customer applications that run on cloud servers (production and non-production) bring tremendous frustration for incident response efforts. They do not have on-par visibility to their physical counterparts, particularly with containers. They have reduced controls and limited investigative capabilities, allowing malicious backdoors into environments. 
• Important Strategies: First, maintain, update, and patch baseline images for containers. Second, turn on logging; nothing is logged in cloud environments by default. Companies have to pay extra money to turn on logging and pay additional licensing fees for security tools (cloud trail logging for AWS, for example). Third, turn on network decryption at the right points. Last, keep maintenance of EDR tooling.

1. The Importance of Threat Intelligence in Cloud Security

• Threat intelligence should be built into EDR logging by default and will likely be part of the XDR paradigm in the future.
• A deep dive RFI (request for information) capability must also be included to ascertain if the intelligence is directly relevant to the organization or just an industry trend.