The Importance of a Security Response Process
The following is a guest post from Mark-David McLaughlin, Ph.D., Director of Security and Risk Management at Acuity Brands, Inc. Acuity is a major supplier of LED, smart lighting, and IoT-based systems for smart cities. In his role as Director of Security and Risk Management at Acuity Brands Lighting, Dr. McLaughlin helps ensure security practices are an integral part of the company’s IoT offerings.
Successful endeavors are rarely the result of one person’s effort; instead, they are often achieved through the combined efforts of a highly effective team.
As digitization connects more and more IoT systems, hackers have turned their attention to these spaces. Data breaches often follow as these criminals succeed in their war to compromise the integrity of interconnected systems. Governments and industry have responded by creating a variety of security frameworks, compliance with which is designed to thwart those attacks.
Major companies and end users are preparing for the unknown by tapping into the expertise of an army of industry experts and professionals whose aim is to ensure the security of connected IoT systems. One critical component of a prevention program is the response process.
In a previous blog, I examined how the activities of an organization fit into a framework that aims to Prevent, Prepare, Detect, Respond and Learn (PPDRL) from security events. This article further examines how Product Security Incident Response Team (PSIRT) processes achieve more than effective responses: they also help prevent and detect security events. Figure 1 shows an example of a typical PSIRT process.
A Product Security Response Process
Accurate information is power. It can help win wars on the battlefield or in business, a lesson applied from The Art of War by Sun Tzu. Taking best practices from other PSIRT organizations and combining them with the PPDRL framework, the ‘Art of War’ for security professionals, organizations should take specific steps in their efforts to reinforce their security posture. When these efforts are coupled with a company’s industry experience, they provide the foundation for a unique and highly effective IoT security model, often referred to as a product security incident response process.
Steps in a Model Response Process
When a security incident is detected, the following response steps are launched:
A response process embeds awareness, triage, analysis, coordination, remediation, notification and feedback into the entire digital ecosystem:
• Awareness focuses on ensuring code integrity throughout the Software Development Lifecycle (SDLC).
• Triage, Analysis and Coordination involve working with established stakeholders (similar to a security army) to identify, isolate and neutralize intrusions at the earliest possible stage. The goal is to provide critical and accurate information not only to the business but also to customers and colleagues, to help ensure all systems are protected.
• Remediation is the action of generating and distributing fixes through notification of all stakeholders.
• Feedback applies lessons learned from each incident to evolving security practices.
An effective security process should be established to help prevent any impact on customers and to fight the war against cybercrime and cybercriminals. I will leave it to the historians to debate Sun Tzu, but I follow in the footsteps of those before me by drawing on the wisdom of the two-thousand-year-old book.
How this Process Prepares for Security Incidents
A response process establishes the roles and responsibilities required within our organization to proactively manage vulnerabilities by coordinating activities and communication between internal and external stakeholders. Key tasks include:
• Creating a system to track vulnerabilities and report response metrics
• Defining policies and procedures critical to vulnerability management
• Establishing communication channels between key team members
• Testing and hardening systems against known vulnerabilities
• Creating logging systems to track anomalies
• Creating an Incident Response playbook
External organizations such as the Forum of Incident Response and Security Teams (FIRST), the Industry Consortium for Advancement of Security on the Internet (ICASI), and Information Sharing and Analysis Centers (ISACs) help incident response teams establish trusted relationships with their peers in the industry. A company should maintain active relationships with these and other industry security organizations, not only to maintain and establish best practices but also to lead in the development of stronger security.
Design to Detect Security Incidents Early
As hackers have become increasingly sophisticated, significant time may pass before an incident response team becomes aware of an intrusion, a period known as “dwell time.” Perhaps the most critical component of an effective PSIRT program, and of a response plan in particular, is its ability to identify security issues in their earliest stages. Making sure that there is an effective process for working with development teams, customers, and security researchers is an essential component of resolving security issues quickly and efficiently. The plan does this by aligning the interests of internal and external stakeholders in order to increase the security posture of customers that have deployed a connected service offering.
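The post names the seven response stages (awareness through feedback), lists "creating a system to track vulnerabilities and report response metrics" as a key preparation task, and defines dwell time as the period before the team becomes aware of an intrusion. The following is an added illustration of how those three pieces fit together in code; it is hypothetical example code, not Acuity's or the author's tooling, and the stage names, case identifiers, timestamps and metric names are all assumptions or constructed sample data.

```python
"""Minimal PSIRT case tracker: enforces the post's stage order and computes
response metrics. Hypothetical example code; every case id, timestamp and
severity below is constructed sample data, not a real incident."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Stage(Enum):
    # The seven stages named in the post, in the order a case moves through them.
    AWARENESS = 1
    TRIAGE = 2
    ANALYSIS = 3
    COORDINATION = 4
    REMEDIATION = 5
    NOTIFICATION = 6
    FEEDBACK = 7


STAGE_ORDER: List[Stage] = list(Stage)


@dataclass
class Case:
    case_id: str
    severity: str
    history: List[Tuple[Stage, datetime]] = field(default_factory=list)
    # Earliest evidence of exploitation or exposure, established during
    # analysis; None until the analysts have determined it.
    first_compromise_at: Optional[datetime] = None

    def advance(self, stage: Stage, at: datetime) -> None:
        """Move the case to its next stage. Skipped or out-of-order stages and
        timestamps that run backwards are refused so the record stays auditable."""
        if len(self.history) >= len(STAGE_ORDER):
            raise ValueError(f"{self.case_id}: case already closed")
        expected = STAGE_ORDER[len(self.history)]
        if stage is not expected:
            raise ValueError(f"{self.case_id}: expected {expected.name}, got {stage.name}")
        if self.history and at < self.history[-1][1]:
            raise ValueError(f"{self.case_id}: timestamp earlier than previous stage")
        self.history.append((stage, at))

    def reached(self, stage: Stage) -> Optional[datetime]:
        """Timestamp at which the case entered `stage`, or None if not yet reached."""
        for s, at in self.history:
            if s is stage:
                return at
        return None

    @property
    def closed(self) -> bool:
        return len(self.history) == len(STAGE_ORDER)


def _span(start: Optional[datetime], end: Optional[datetime]) -> Optional[timedelta]:
    return end - start if start is not None and end is not None else None


def case_metrics(case: Case) -> Dict[str, Optional[timedelta]]:
    """Per-case durations a PSIRT would report (assumed metric names):
    dwell_time        first compromise until the team became aware
    time_to_triage    awareness until the triage decision
    time_to_remediate awareness until a fix was produced
    time_to_notify    remediation until stakeholders were notified"""
    aware = case.reached(Stage.AWARENESS)
    return {
        "dwell_time": _span(case.first_compromise_at, aware),
        "time_to_triage": _span(aware, case.reached(Stage.TRIAGE)),
        "time_to_remediate": _span(aware, case.reached(Stage.REMEDIATION)),
        "time_to_notify": _span(case.reached(Stage.REMEDIATION),
                                case.reached(Stage.NOTIFICATION)),
    }


def program_metrics(cases: List[Case]) -> Dict[str, object]:
    """Aggregate over closed cases: the numbers a program tracks over time."""
    closed = [c for c in cases if c.closed]

    def avg(key: str) -> Optional[timedelta]:
        vals = [v for v in (case_metrics(c)[key] for c in closed) if v is not None]
        return sum(vals, timedelta()) / len(vals) if vals else None

    return {
        "open": len(cases) - len(closed),
        "closed": len(closed),
        "mean_time_to_triage": avg("time_to_triage"),
        "mean_time_to_remediate": avg("time_to_remediate"),
        "mean_dwell_time": avg("dwell_time"),
    }


def build_sample_cases() -> List[Case]:
    """Two constructed cases: one closed, one still in triage."""
    t0 = datetime(2020, 3, 1, 9, 0)
    a = Case("PSIRT-0001", "high")
    a.advance(Stage.AWARENESS, t0)                        # researcher report received
    a.advance(Stage.TRIAGE, t0 + timedelta(hours=4))
    a.advance(Stage.ANALYSIS, t0 + timedelta(days=1))
    a.first_compromise_at = t0 - timedelta(days=30)       # found during analysis
    a.advance(Stage.COORDINATION, t0 + timedelta(days=2))
    a.advance(Stage.REMEDIATION, t0 + timedelta(days=10))
    a.advance(Stage.NOTIFICATION, t0 + timedelta(days=11))
    a.advance(Stage.FEEDBACK, t0 + timedelta(days=14))
    b = Case("PSIRT-0002", "medium")
    b.advance(Stage.AWARENESS, t0 + timedelta(days=5))
    b.advance(Stage.TRIAGE, t0 + timedelta(days=5, hours=8))
    return [a, b]


if __name__ == "__main__":
    for c in build_sample_cases():
        print(c.case_id, {k: str(v) for k, v in case_metrics(c).items()})
    print(program_metrics(build_sample_cases()))
```

The ordering check in `advance` is the part worth keeping in any real tracker: a case cannot reach remediation or notification without a recorded triage and analysis, so the metrics derived from the history cannot be gamed by skipping stages, and an open case simply reports `None` for durations it has not yet earned.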
A product security incident response process is uniquely positioned to secure a company’s products and services. I present this model to other organizations, which may wish to adopt the methodology in their own security efforts and join in the effort. It is vital that industry vendors focus on maturing their incident response practices. This makes the entire IoT ecosphere stronger, a Sun Tzu effort to protect our end-to-end systems.