How you respond to a cyber security incident determines the final outcome.
7Safe’s show stand at IP EXPO 2016 (5-6 October, Excel London) attracted serious levels of interest from IT managers in Cyber Security Incident Response services. Although the subject of what to do in the event of a cyber incident was on the IT department’s agenda this time last year, there has been a sharp rise in demand for expert help and cyber skills training. This increase perhaps reflects the number and severity of cyber-attacks in 2016 combined with the shortage of cyber security skills which we reported on in this blog (UK CIOs: Skills Gap is Cyber Risk, July 2016).
The sad truth is, there are simply not enough ethical hackers, forensic analysts and other cyber security professionals to go round, so IT departments are looking to outsource. At the same time, the difficulty of filling positions in the emerging Security Operations Centres is causing concern in many organisations, given the shortage of candidates.
This fact was not lost on IT managers at this annual event. As Dave Grove, 7Safe’s cyber security lead, noted: “The growth in demand for cyber training programmes took us by surprise at IP EXPO and we had to arrange for a further 300 copies of our Cyber Development Training Prospectus to be shipped overnight. Talks in the nearby Cyber Hack theatre drew crowds that then queued to strip our literature stands bare as attendees responded to the market need for trained security personnel.”
A small reflection of this growing demand for training programmes was the quantity of our 2016 Cyber Development Training Prospectus that we gave out on the stand. By the end of day one, we were forced to arrange an overnight courier to ship a further 300 copies to IP EXPO. At one point, we had a queue literally three deep around our literature racks following a talk in the nearby Cyber Hack event space. Needless to say, we did not anticipate this heavy trading in training course places which we attribute to a ‘Perfect Storm’ in the market need for trained security personnel.
CREST Model the preferred approach to CSIR
Just as our Training Department experienced an unusually high level of questions about the best type of training for incident responders, our CSIR Service team soon found themselves collecting a pile of work to process after the show closed its doors.
What the 7Safe experts noted from discussions at the event was that the CREST-certified 3-Phase model for CSIR has started to define the private sector industry approach. CREST-certified cyber incident responders provide the advanced technical skills and capabilities required to enable your organisation to:
1. Identify the cyber security incident
2. Define objectives and investigate the situation
3. Take appropriate action in a timely manner
4. Recover systems, data and connectivity.
By hiring CSIR expert consultants, you will rapidly be in a position to identify if a cyber incident has taken place and if so, what the cyber security incident type is. This will then help to determine an appropriate response and subsequent actions, drawing on the trained resources of your IT staff supported by the service provider.
Cyber security incident types discussed at IP EXPO 2016 included the following:
- Distributed Denial of Service (DDoS)
- Hacking/Unauthorised access
- Data loss
Ransomware threat is said to be rampant!
Ransomware in particular has caused IT managers serious headaches this year, with widespread disruption due to downtime in which systems have to be cleaned of malware and backups restored. Data loss due to the failure or ‘non availability’ of backups has also caused red faces in IT circles, so it is hardly surprising that there is a strong emphasis now on finding the right CSIR services to have on hand during and after an attack. There is also a growing realisation that software alone will not work. Up-skilling first responders to help limit the potential damage done and developing forensic capabilities to deal with the aftermath are proving to be popular discussions.
Knowing if, and when, you are under attack
Cyber security incidents usually begin with one or more of the following indicators:
- Alerts from technical monitoring systems such as anti-virus software, intrusion detection systems (IDS), data loss prevention (DLP), security information and event management (SIEM) systems, log analysers, etc.
- Reports of suspicious events made to the IT help desk by users, third party reports, or directly to the security team by the police, industry bodies, your vendor partners, or the government.
- Anomalies detected by audits, investigations or reviews. Note: this includes financial audits that show withdrawals that are traceable to fraudulent activity.
The experiences that IT managers and CISOs related to 7Safe at IP EXPO show that the number of security incidents detected as a result of system monitoring was low. As Verizon reported in its 2016 Data Breach Investigations Report, IT staff continue to struggle with detection and response. Indeed, internal breach discovery detected fewer incidents than did fraud detection, third parties, and law enforcement. This is further evidence of the need for detection and threat identification skills.
In fact, Cyber Threat Hunting was seen by many who visited the 7Safe stand as being a service offering that they would like to evaluate, as it seems that proactively searching for threats using human resources is preferable to relying on AV scanning, SIEM or other monitoring and detection systems, as the threat itself is often elusive.
Perhaps the key lesson from IP EXPO is simply: find a CSIR supplier you can trust, or build your own cyber security capability through an effective training programme, before you find that you are experiencing an attack that could cost your reputation!
# # #
Looking at setting up your own professional Cyber Security Incident Response plan and resourcing a SOC to ensure that you are ready when the time comes?
Call our advisors on +44 (0)870 600 1667 and arrange to meet a 7Safe Consultant.
Are you planning to recruit more cyber skilled candidates? Or perhaps looking to retain more of your existing cyber security team in 2017? You can talk to our expert consultants in complete confidence and find out about the services 7Safe and PA Consulting can offer to help you succeed. We have many more CREST and IISP-accredited training courses in the cyber field than our competitors and a long track record of delivering world-class training for fundamentals, core and specialist needs.
Visit: https://www.7safe.com/professional-development to learn about 7Safe training.
Want to talk to an expert about training your staff to improve your cyber capabilities?