Stephen C. Semmelroth
4 min read · Dec 28, 2018

Learning from Equifax: Why Businesses Must Rehearse Their Incident Response Plans

This month the Congressional Committee on Oversight and Government Reform published their report on Equifax’s massive breach that impacted 148 million consumers. We should probably learn from the report. Your security team most likely has a great idea of how to respond to the majority of incidents across the organization since they respond to an assortment of common incidents daily. But more broadly, how does an organization verify that its structure, policies, and technical controls support appropriate responses? The answer is to rehearse incident response.

Why should I spend the time and money rehearsing?

There is a strong business case for rehearsing. Rehearsals help identify gaps in policy, reporting chains, decision authority, vendor services, and technical implementations. Gap identification drives gap reduction. For example, rehearsing a lost CXO mobile device (it fell out of their pocket at the circus!) shows that while the company has a properly implemented mobile device management (MDM) service, it has not reached nominal device enrollment in the program. In this scenario, the company’s risk exposure is further increased because proprietary data is stored on the device and/or the device can access that information. Because the company identified the issue in a rehearsal, it can mitigate the gap! This particular gap is both a policy issue and a technical implementation issue, with priority on the technical implementation: policy drives human responsibility, but humans can be fickle, so the technical implementation provides the foundation here.
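One way to make the MDM finding from the lost-device rehearsal measurable, as an added example that is not part of the original article: the script below reconciles a constructed asset inventory against a constructed MDM export and reports enrollment coverage against a target, plus whether a specific lost device could actually be remote-wiped. Field names such as `serial`, `status`, `remote_wipe` and `data_access` are assumptions, not any vendor's schema, and the sample records are made up.

```python
"""Reconcile an asset inventory against MDM enrollment records.

Added example, not from the original article. It turns "we have not
reached nominal enrollment" into a tracked number and answers the
rehearsal's core question: if this device is lost, can we wipe it?
Field names and sample records are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample asset inventory: devices the company expects to manage.
ASSET_INVENTORY = [
    {"serial": "SN-0001", "owner": "ceo@example.com",   "role": "CXO",        "data_access": "proprietary"},
    {"serial": "SN-0002", "owner": "cfo@example.com",   "role": "CXO",        "data_access": "proprietary"},
    {"serial": "SN-0003", "owner": "dev1@example.com",  "role": "Engineer",   "data_access": "internal"},
    {"serial": "SN-0004", "owner": "temp1@example.com", "role": "Contractor", "data_access": "none"},
    {"serial": "SN-0005", "owner": "sales@example.com", "role": "Sales",      "data_access": "proprietary"},
]

# Constructed sample MDM export: what the MDM service currently knows about.
MDM_ENROLLMENT = [
    {"serial": "SN-0001", "status": "enrolled", "remote_wipe": True},
    {"serial": "SN-0002", "status": "pending",  "remote_wipe": False},  # invite sent, never completed
    {"serial": "SN-0003", "status": "enrolled", "remote_wipe": True},
    {"serial": "SN-0005", "status": "enrolled", "remote_wipe": False},  # enrolled, wipe not permitted
    # SN-0004 is absent: the MDM has never seen it.
]


@dataclass
class CoverageReport:
    total: int
    enrolled: int
    coverage_pct: float
    meets_target: bool
    unenrolled: list = field(default_factory=list)  # serials not fully enrolled
    high_risk: list = field(default_factory=list)   # unenrolled AND proprietary data access


def enrollment_coverage(inventory, mdm, target_pct=95.0):
    """Compute MDM coverage of the inventory and flag the riskiest gaps.

    Only status == "enrolled" counts; a pending invite or an unknown
    device is a gap. target_pct is the assumed policy threshold.
    """
    enrolled_serials = {d["serial"] for d in mdm if d["status"] == "enrolled"}
    unenrolled = [a for a in inventory if a["serial"] not in enrolled_serials]
    high_risk = sorted(a["serial"] for a in unenrolled if a["data_access"] == "proprietary")
    enrolled = len(inventory) - len(unenrolled)
    coverage = 100.0 * enrolled / len(inventory) if inventory else 0.0
    return CoverageReport(
        total=len(inventory),
        enrolled=enrolled,
        coverage_pct=coverage,
        meets_target=coverage >= target_pct,
        unenrolled=sorted(a["serial"] for a in unenrolled),
        high_risk=high_risk,
    )


def lost_device_exposure(serial, inventory, mdm):
    """Answer the rehearsal scenario for one device: can we wipe it, and does it matter?

    exposed is True when the device holds or can reach proprietary data
    and no remote wipe is available (not enrolled, or wipe disabled).
    """
    asset = next((a for a in inventory if a["serial"] == serial), None)
    record = next((d for d in mdm if d["serial"] == serial), None)
    can_wipe = bool(record and record["status"] == "enrolled" and record["remote_wipe"])
    data_access = asset["data_access"] if asset else "unknown"
    return {
        "serial": serial,
        "in_inventory": asset is not None,
        "can_remote_wipe": can_wipe,
        "data_access": data_access,
        "exposed": (not can_wipe) and data_access in ("proprietary", "unknown"),
    }


if __name__ == "__main__":
    report = enrollment_coverage(ASSET_INVENTORY, MDM_ENROLLMENT)
    print(f"MDM coverage: {report.enrolled}/{report.total} ({report.coverage_pct:.0f}%) "
          f"target met: {report.meets_target}")
    print("Unenrolled:", report.unenrolled)
    print("High risk (proprietary access, no MDM):", report.high_risk)
    for s in ("SN-0001", "SN-0002", "SN-0005"):
        print(lost_device_exposure(s, ASSET_INVENTORY, MDM_ENROLLMENT))
```

The useful output of a rehearsal is the `high_risk` list and the `exposed` flag, not the raw percentage: SN-0005 is "enrolled" and would look fine on a coverage dashboard, yet the lost-device question reveals it cannot be wiped, which is exactly the kind of gap a tabletop exercise surfaces and a metric alone hides.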

Further, CXOs can consider rehearsal expenditures as relatively cheap insurance. The more risk a company is able to mitigate, the less it needs to transfer. As the organization builds a culture of security, incidents tend to go down. Usually. As security rehearsals become part of the bedrock of culture, exposure between the security team and the rest of the organization builds one of the most important elements of incident response: trust. Trust opens the communication floodgates which, while ultimately driving a positive culture, also drive response time down significantly. Faster response times mean less overall exposure following an incident and help keep the bottom line out of risk.

You sold me. How do I rehearse incident response?

Now that we have identified why rehearsals are a legitimate need, let’s begin addressing how to meet that need. What to rehearse comes later! The first step is to build a framework. An organization should identify appropriate stakeholders and then define different rehearsal levels accordingly. The most granular level within the framework is within the security team itself and should include incident response actions that cover the full spectrum of cyber security defense. This includes an assortment of incidents that begin with incident identification/notification and end with a fully realized response that includes reporting.

Second, the organization should conduct similar but slightly more abbreviated rehearsals including all the company’s information and infrastructure stakeholders. This potentially includes cloud developers, local data center operators, and other assorted administrators. These rehearsals bridge the gap between operator/maintainers and protectors as many organizations split out security capabilities under different functional areas separate from infrastructure.

The third level is a summarized organization rehearsal including the previous stakeholders and organization leadership plus legal support. This third level is arguably the most important rehearsal level because it yields not just trust but also commitment from leadership and major supporting functions. Additionally, the third level is crucial because it helps identify friction points and gaps across organizational functions. In Equifax’s case, the Committee found that Equifax’s security response function was dramatically limited by how the company self-organized. This organization curtailed the CSO’s authority and ability to effect change and ultimately precipitated a massive breach. These rehearsals do not necessarily need to be dramatically in depth nor require significant time commitment. They should, however, be protected, focused time slots that allow for candid communication. For style points, I recommend taking notes on identified issues, working those issues in a separate breakout session, and then submitting any proposed organizational or policy changes for approval within a very short time horizon afterwards, while you still have momentum.

The fourth level of incident response rehearsals should be a whole-of-organization approach. This is the final level of rehearsal and one that brings everyone on board to exercise the process throughout all levels. An organization has quite a lot of leeway on how to implement rehearsals at this level (and retain the metrics on response!), but one possible approach is to cue an incident at a random level of a random business function and then follow the actions taken throughout the organization and its reporting chains. While the rehearsal can start at any level, the focus of the rehearsal is less on the individuals involved early on and more on how reporting flows. This final stage exercises response across the entire chain, and key stakeholders such as the security team, the infrastructure team, and legal should follow or act accordingly.

Following each rehearsal, no matter the level, the rehearsal leaders should capture lessons learned and report applicable lessons to stakeholders in the appropriate manner. For example, the entire company does not need an announcement that the infrastructure team implemented a new technical control but the entire company might need to know about a major policy change that resulted from the rehearsal.

Rehearsals take work. However, they will pay dividends within an organization’s culture every day and especially when responding to an incident. Carve out the time and resources to make them happen. That’s why they hired you, right?


Written by Stephen C. Semmelroth

VP Cyber at StrataCore. I talk to the bits so the customers don’t have to.
