Plan to Think and Think to Plan: Avoiding Quick Decisions in Information Security

By Marcos Colon

The WannaCry ransomware worm recently wreaked havoc for businesses across industries, causing plenty of headaches for security and risk departments, and resulting in a barrage of panic-ridden articles on what should or shouldn't be done.

If one had to place a bet, chances are Hollywood takes advantage of this event, produces some blockbuster flick starring Ryan Gosling, and features a montage where a room full of anxious security professionals is forced to make quick decisions as their precious data is at risk of being lost forever. This is primarily how many outside of the security industry would perceive the scene to go down – but is that really the case?

Sure, information security professionals are forced to make some tough decisions at times, but they should never put themselves in a situation where a "quick" decision is made, according to Mike Spanbauer, vice president of strategy for NSS Labs, an Austin-based security firm specializing in cybersecurity.

In a recent interview with Infosec Insider, Spanbauer shared four techniques information security professionals can use to set themselves up for success in the event of a data breach.

1. Avoid Quick Decisions

In his role, Mike spends a lot of time talking shop with security managers across industries, so he's aware of their challenges, in addition to the overabundance of different situations that could play out for security teams. While making quick decisions isn't completely out of the picture for security leaders, those decisions can be based on the contingency plans in place: not one plan, but multiple, depending on the multitude and significance of events.

"Having to make hard decisions under pressure is always tough, regardless of how capable the decision maker is," Spanbauer said. "Plan for the unexpected, ensure all response teams are versed in the procedures, and keep the steps up to date."

The key is to rely on incident response planning rather than on-the-fly decision making. Through diligence, discipline, and execution, security managers can set themselves up for success, according to Spanbauer.

2. Plan to Think and Think to Plan

It's certainly not as easy as it may sound. With large networks containing swaths of valuable data belonging to various business functions, strategic thinking is a critical part of the process. One of the most important things to do is map the key stakeholders in the business to the response professionals, based on as many scenarios as possible, Spanbauer suggests.

If one maps out the organization's layout in his or her head, it may seem like a web of convoluted plots, but it will go a long way once the inevitable panic lever is pulled. This preparation takes a lot of work, but it's an exercise that's well worth the time.

"The planning and thinking exercise will identify weaknesses or gaps – which, even in the event the organization chooses not to staff, can be handled according to a plan should the need materialize," Spanbauer says.

3. Expect the Unexpected

As the wise Mrs. Gump once said, "Life is like a box of chocolates, you never know what you're gonna' get." Replace "Life is" with "Data security events are" and many would agree that's the case.

Perhaps one of the best ways to avoid making quick decisions is to expect the unexpected. Undoubtedly, situations that can't be anticipated will arise, and that's when many infosec pros go into "responder mode," as Spanbauer says. Regardless of the situation, it's important to train yourself and your staff not to panic.

"Much like first responders to safety events, the security team must get its 'game face' on and not panic, instead quickly and orderly process the data or material before them so that the best 'quick decision' can be made and executed," he said.

Just as important, the team must stay on its toes and not lose focus. Sure, an alert may be going in one direction, but it's key to avoid distractions and be aware of "secondary attacks."

"A common method bad actors use to exfiltrate is to create a cover or primary event, while the real intent occurs as a secondary incident too quiet to notice," Spanbauer cautioned.

4. Stick with the Facts

If there's one quick decision that security professionals should be prepared to make, it's committing resources to an incident, such as calling outside help. This is an area where a lot of mistakes are made, according to Spanbauer. Waiting too long to react could prove costly, so the security team must be prepared to act decisively.

"Stick with the facts and carefully document all material evidence to assist in the post-incident investigation," he said. "All data is valuable data, and acting quickly before logs purge can preserve key material that could prove invaluable, which if lost makes the incident very difficult to resolve."

Sticking to the facts is the science of security, but effective security is also an art form, especially when it comes to dealing with the adversary. The best way to combat threat actors that are often not linear thinkers is to stay away from predictable response paths that give them the edge.

"There is no black and white in this industry, but the best security practitioners know where that balance of instinct versus data becomes an incident or a false alert," says Spanbauer.

Like the mentality that many start-up tech companies share, Spanbauer suggests infosec professionals be prepared to fail fast and learn from mistakes, but also develop and hone the capabilities of the organization. While not to be embraced, or expected, the idea of failure should be seen as an opportunity to learn about processes and technology, make proper adjustments, and become more resilient.

"If you're in security long enough, something will happen, and in those moments following the incident and how it is handled define an organization," he said.
