You’d think flipping burgers is about as far from cybersecurity as you can possibly get. But when you’re in charge of risk and compliance for a chain of over 500 burger places across the North American continent, you take governance, risk and compliance very seriously. Merlin Namuth is in charge of all that for Red Robin Burgers. I spoke with him at the recent RSA Conference held in Singapore.
Namuth’s presentation at RSA Conference focussed on incident response and going further than detecting an alert and re-imaging a machine. He wanted to help the audience focus on everything that went on around that incident and not just the attack and quick remediation.
I asked Namuth what the key elements of incident response were in his view.
“Some of the key things are making sure you understand the scope and breadth of the incident. Often, people see a system that’s compromised and reimage it but miss that there five other systems are compromised the same way”.
For example, Namuth says that if a system shows some PSExec activity on a machine then you should look for similar activity across the network. And that might even lead to investigating how PSExec even entered a machine.
“Did it enter with a phishing email? Who else got that email,” he said.
The approach Namuth advocated involved identifying the data pertaining to an attack and then pivoting from that to look for similar or related activity elsewhere on the network.
It’s this extended investigation that is often missed says Namuth, and drove him to create a workshop on investigating attacks and responding in this way.
Part of the challenge, he said, is that many security practitioners are highly skilled in various elements of information security but few are experts in incident response. As a result, many organisations struggle to respond to incidents in a way that protects them in the long term.
“To do incident response takes quite a bit of time and many people don’t have that time”.
So, what are the core skills that make great incident responders? Namuth says they need to be inquisitive and look beyond the first alert.
“They’re trying to find the different puzzle pieces. Incident response is about finding the puzzle pieces and putting them together to determine the scope of events. They keep digging and digging until everything makes sense about an incident”.
When an incident takes place, Namuth says there is often pressure to work the incident quickly and figure out what happened and how to contain it so the company can get back to business as usual. This can lead to businesses rushing to get back to work without addressing root causes.
“Sometimes root causes can take months to fix. They might require the replacement of an entire IT system,” said Namuth. “And to fix problems in the long term takes time and lots of money”.
As the leader of a security team, Namuth says there can be some political challenges. Sometimes, restoring a system to an operational state might need to be delayed while the response team makes a complete asssement of the scope and breadth of an incident.
That involves putting things in factual terms where the impact of different incident resolution processes need to be assessed. For example, a company might choose to remain offline for an extra 30 minutes in order to ensure the vulnerability that lead to an attack is properly remediated rather than rushing back but remaining at risk.
“You can’t be saying the sky is falling. Be factual and lay it all out. The board or executive might rule against you but make sure everyone is aware of the risks”.
Namuth also noted the importance of documenting management decisions that are contrary to your advice.
Incident response is evolving, says Namuth. As we move from targeted incidents that focus on a specific target, we are now faced with large-scale cyber events such as WannaCry and NotPetya, he says it is important to take the time to understand incidents.
“It drives home the need to take your time even more with an incident. Really understand how it happened and mitigate so it doesn’t happen again”.
The nature of attacks is also changing. With FireEye recently identifying in-memory attacks that exploit trusted processes for nefarious purposes, it becomes harder to detect and respond to incidents. This makes the job of incident responders more difficult as they are not only looking for known bad processes but good processes executing bad outcomes.