At first blush, many of us would see this article and immediately file it away in the back of our minds as yet another example of the pervasiveness and destructive nature of ransomware. To be honest, we would not be wrong to reach that conclusion, but I want to challenge you to read a little closer this morning. There is a small ray of hope in this article that can be easily overlooked. The governor of Louisiana is declaring a state of emergency because of these ransomware attacks, but he is doing so because the state of Louisiana has a plan!
The state of Louisiana has a Cybersecurity Commission and a well-defined, properly tested and well-funded incident response plan. They are prepared to respond to and address these ransomware outbreaks. Resources from the state police, the Governor’s Office of Homeland Security and the Louisiana National Guard are being coordinated and rallied to the cause of mitigating these attacks. That fact is both noteworthy and exciting. Preparation and proper incident response are absolutely vital components of any cybersecurity program. Far too often, organizations find themselves shocked, flat-footed and lost when ransomware strikes. But not in the Bayou State. Kudos to Louisiana for having a plan!
This is very sound advice. Think about bookmarking this list or printing it off and having it handy in the event of malware or a social media intrusion.
This is very sound advice and each organization should connect with and come to know those in Law Enforcement tasked with keeping them safe and helping them respond to an emergency or breach.
Though I agree in principle that ransomware is not a breach in the strictest sense of the word, I would say there is tremendous value in adding the reactive weight of a breach in how we perceive and respond to a ransomware incident. Incident is the correct word to use in this situation. Ransomware is a significant security incident and should be treated as such. Unfortunately, many of us lock into the “Confidentiality” component of IT Security and only react when data is accessed or exposed. “Availability” is still a very important leg of the IT security triad and deserves significant consideration.
This is great information to review and tuck away in your incident response planning book. Also, take the time to educate your users on these types of reporting guidelines.
This is some sound incident response content from the team at Cisco. These infographics are a good starting point for organizations new to building an incident response program.
This is a fantastic article detailing the costs of incident response and sheds a strong light on the value of early detection and remediation. I certainly recommend this read and that every CIO/CFO/CSO save and tuck away this formula for future use. Every tool you can bring to bear on the omnipresent internal ROI debate is worthwhile.
This is both valuable statistical data to tuck away when preparing for a debate around preparedness and a nice outline of to-dos from an incident response perspective.
This content is particularly true in the context of SIEM and overall log retention and correlation. The decision-making process around incident response is multifaceted and is something all organizations should actively consider, plan around, and practice.
I really like this article for a variety of reasons, but first and foremost, it sheds light on the constant definitional battle of what the term “SIEM” does and does not mean. SIEM really does mean different things to different people and no one is completely right or wrong in their definition. The concept of a “Real-time SIEM” is particularly intriguing. At the end of the day, the value of log collection and correlation is in the potentially actionable data it provides. Every SIEM user must determine how they review and alert on that data and how frequently they can absorb it. This is where the automated concept of real-time comes into play.
Automated functionality can certainly send up the necessary flares to alert IT in the event of an incident or attack. The key is having the right people watching for the flares and prepared to take action. Continuous monitoring should be every security practitioner’s goal but with that must come appropriate incident response and procedural management.