Incident Response – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals
Feed updated: Fri, 23 Aug 2024 15:50:26 +0000

How Paris Olympic authorities battled cyberattacks, and won gold
https://securityintelligence.com/articles/paris-olympic-authorities-battled-cyberattacks-won-gold/
Fri, 23 Aug 2024 13:00:00 +0000


The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.

In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.

Cyber vigilance program

The Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations for emerging cyber threats by offering a blueprint for cybersecurity strategies.

High alert and incident monitoring

The French Cybersecurity Agency (ANSSI) was on high alert throughout the Olympics, monitoring for attacks that could disrupt critical operations such as those of the organizing committees, ticketing, venues and transport.

Extensive use of AI

The Paris Olympics used AI to secure critical information systems, protect sensitive data and raise awareness within the Games ecosystem. Additionally, under France’s Olympics and Paralympics Games Law, a pilot program allowed the use of “algorithmic video surveillance.” Because of Europe’s strong privacy laws, the surveillance did not allow the use of biometric identification or automated data matching. Instead, AI scanned video for scenarios, such as abandoned bags, the presence of weapons, unusual crowd movements and fires.

Collaboration and training

French authorities collaborated with international organizations and conducted extensive training for cybersecurity teams. They focused on understanding threat actor tactics and employed frameworks like MITRE ATT&CK to anticipate and mitigate potential attacks.

Despite the precautions, the Grand Palais, a venue hosting Olympic events, was hit by a ransomware attack. French authorities quickly responded with containment measures, showcasing their preparedness to handle such incidents.

How did the Olympic cybersecurity measures hold up?

Sifting through available facts in the aftermath, the reality of the threats is becoming clearer.

French authorities announced that more than 140 cyberattacks struck the games but did not disrupt events. ANSSI detected 119 “low-impact” security events and 22 incidents in which malicious actors successfully gained access to information systems between July 26 and August 11, 2024. Many of these caused system downtime, often through denial-of-service (DoS) attacks.

Other attempted cyberattacks were aimed at Paris, but not directly at the Olympic venue infrastructure. For example, the Grand Palais and some 40 other museums in France were targeted by a ransomware attack in early August, which was thwarted due to rapid response.

Thwarting a wide swath of potential threats

Authorities had to battle not only attacks coming through the global internet but also local threats. The Olympic Games is unique in that it attracts government officials from France and all over the world, then places them in close proximity to large numbers of unvetted international visitors. Spies and data thieves no doubt saw this as a rare opportunity to steal confidential data of high monetary and geopolitical value. A range of techniques enables this kind of data theft, including Wi-Fi hotspot man-in-the-middle attacks and theft of physical devices.

Well before the games, Olympic organizers battled ticket scams. Researchers at threat intelligence provider QuoIntelligence found that fraudulent websites were selling fake tickets to the Olympics, mainly to Russians unable to buy legitimate tickets under the European sanctions imposed after Russia’s invasion of Ukraine. Organizers identified 77 fake ticket resale sites.

One of the most prominent threats was the spread of disinformation. Russian groups, such as Storm-1679, widely believed to be a spinoff of Russia’s Internet Research Agency “troll farm,” had been using AI-generated content to create fake news and images, aiming to discredit the International Olympic Committee and instill fear among potential attendees. These campaigns often involve fabricated stories about terrorism and other threats, leveraging AI to enhance their credibility and reach.

In the end, despite enormous efforts by malicious actors, state-sponsored attackers and others, the Games succeeded without major disruption, violence or data theft.

The post How Paris Olympic authorities battled cyberattacks, and won gold appeared first on Security Intelligence.

How CIRCIA is changing crisis communication
https://securityintelligence.com/articles/how-circia-changing-crisis-communication/
Wed, 07 Aug 2024 13:00:00 +0000


Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis.

When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath.

In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). But because the wheels of government move slowly, it is just now in 2024 that the Cybersecurity and Infrastructure Security Agency (CISA), the agency tasked with overseeing CIRCIA, is completing the mandatory rule requirements so the law can go into effect. On April 4, CISA published a Notice of Proposed Rulemaking (NPRM), which was open for public comment until July 3, with the final rules and regulations coming no later than October 2025.

The goal of CIRCIA is to change the way entities across the critical infrastructure communicate during a cyber crisis and improve overall cyber readiness.

The 72-hour rule

CISA has designated 16 industries as critical infrastructure, which it lists in detail. However, under CIRCIA, only 13 of the sectors will be required to follow the reporting guidelines (as of this writing, the Commercial Facilities, Dams and Food and Agriculture sectors are exempted, but of course, this could change).

Under the new crisis communication guidelines, any business operating under the umbrella of one of the 13 critical infrastructure sectors, including small and mid-sized businesses, will be required to report the cyber incident to CISA within 72 hours of occurrence. Any federal agency receiving a report about a covered cyber incident will have 24 hours to share the report with CISA.

The guidelines also establish an intergovernmental Cyber Incident Reporting Council that will coordinate, deconflict and harmonize federal incident reporting requirements.


CIRCIA’s additional ransomware guidelines

Because ransomware is among the most prevalent types of attacks on critical infrastructure, CIRCIA added guidelines to help these organizations better defend themselves against ransomware attacks. They include:

  • Any organization making a ransomware payment after an attack must report it to CISA within 24 hours. CISA will share this report with other federal agencies.
  • Through the Ransomware Vulnerability Warning Pilot (RVWP) program, CISA is authorized to use its authorities and technologies to identify systems with vulnerabilities that could lead to ransomware and to alert the owners of those systems in a timely manner so they can fix them before an attack.

Criteria for a covered cyber incident

In addition to its reporting requirements, CIRCIA and CISA outline specific criteria on what is considered a covered cyber incident. If an incident meets these criteria, it must be reported:

  • An incident that results in a substantial loss of confidentiality, integrity or availability within systems, or a serious impact on the resiliency or safety of operations
  • An incident that disrupts business or industrial operations. This includes DoS attacks, ransomware and zero-day attacks
  • An incident that creates unauthorized access or disruption of business operations through loss of services from a third-party provider

How to prepare for CIRCIA

Even though full implementation of CIRCIA is a year away and could see changes during that time, organizations can begin to take steps to prepare for the time when they will need to report a covered incident.

It starts with learning whether your organization falls under the covered sectors and, if so, familiarizing yourself with the reporting guidelines.

This would be a good time to review the organization’s cybersecurity policy and implement recommendations from the NIST Cybersecurity Framework 2.0, NIST Software Supply Chain Security framework and other government cybersecurity guidance available.

The incident response team should be fully trained on the CIRCIA requirements, right along with the pre-existing incident response plan, and conduct practice runs. Incident response protocols may need to be updated to meet these requirements. If your organization doesn’t have an incident response team and plan, now is the time to pull one together.

CIRCIA rules won’t be mandatory until 2025 when the final rules go into effect, but it isn’t too early to start following the guidelines as a way to improve cybersecurity across your business and critical infrastructure.

The post How CIRCIA is changing crisis communication appeared first on Security Intelligence.

PR vs cybersecurity teams: Handling disagreements in a crisis
https://securityintelligence.com/articles/pr-vs-cybersecurity-teams-handling-disagreements-in-crisis/
Wed, 31 Jul 2024 13:00:00 +0000


Check out our first two articles in this series, Cybersecurity crisis communication: What to do and Crisis communication: What NOT to do.

When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication.

Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide on how to spin the PR team’s information. And usually, that approach is fine — until there is a crisis to be managed.

Cyber incidents present an unusual challenge to the PR team because, in this situation, they aren’t (or shouldn’t be) the lead communicators.

Cybersecurity-mature companies will have an incident response team that includes decision-makers from every aspect of the organization: the CISO, legal, HR, IT, the C-suite, public relations and marketing. In a perfect world, the incident response team will have a well-rehearsed statement for the media, customers and vendors as part of a cyber incident’s aftermath.

Cybersecurity teams and PR too often not on the same page

We don’t live in a perfect world, and in the chaos following an incident, there are often a lot of disagreements between what the cybersecurity team can or wants to reveal and the actual PR approach.

Disagreements often arise from the fact that these two groups may be thinking about very different audiences when refining their messages, said Melanie Ensign, Communications Strategist, Founder and CEO of Discernible, the world’s first Communications Center of Excellence focused exclusively on security and privacy teams.

“Often what I see is that the PR team is speaking about what we say to journalists or what we put on social media or on our website,” said Ensign during a phone interview. “Then we have security teams who are thinking about their peers in the industry and don’t want to be embarrassed by any information released that could be technically inaccurate.”

Having different audiences means the two distinct groups have very different goals in their outreach. The cybersecurity team is focused on the incident itself: what caused it, how to fix it and how to keep it from happening again. The overall team goes into action to mitigate and remediate the problem as soon as possible.

The PR team’s job is to manage the damage and present a positive light in a worst-case scenario. They are the people pressured for an instant response, Ensign explained, and are expected to say things that will make customers happy and often are pushed into making it appear that everything will be fixed quickly.

This is when the disagreements happen. Both sides are doing their jobs, but cybersecurity teams feel that PR teams raise expectations about solutions and that the public statements aren’t as detailed or technical as the cybersecurity team would like them to be. This can be confusing to customers who see one set of comments from PR but hear something different from the cybersecurity team.

On the other hand, the cybersecurity team’s concern around a cyber incident is concentrated specifically on the incident itself. The PR team has to look at and communicate the bigger picture. Data breaches, ransomware attacks and DDoS attacks result in downtime for the organization. PR professionals are tasked to be the calming voice when a hospital is offline for hours or days at a time. They are the ones who have to balance communications around financial losses, details about compromised data and any legal issues.

Again, as Ensign pointed out, the biggest conflict between the two groups is different sets of end goals and the time frames for releasing different types of information.


Crisis management and PR’s role in supporting the cybersecurity team

PR after a cyberattack, however, isn’t normal PR; it is crisis PR. Therefore, it needs a different approach.

“Effective crisis communication requires transparency, accountability and empathy, as businesses seek to rebuild credibility and restore public confidence in the aftermath of a security breach,” wrote Evan Nierman.

This is, in part, the role of the communications members of the incident response team. To develop the skills needed to manage official corporate communications during a cybersecurity crisis, it is recommended that organizations build cyber ranges. A cyber range offers the tools and space for incident response teams to train and prepare for a crisis through exercises and simulations. In a cyber range, incident response teams can immerse themselves in realistic scenarios simulating a data breach or other cyber incident, allowing the team to learn how to manage a response and build an effective communication plan around it.

Another tool to help the PR and cybersecurity teams draft their message is the Cybersecurity and Infrastructure Security Agency’s (CISA) new regulations around reporting cyber incidents. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is required for those businesses that fall under the 16 critical infrastructure sectors, but it can also serve as a blueprint for all organizations that want to improve their crisis communications and need guidance to draft their message.

CIRCIA and cyber ranges will help any organization build its crisis communications, but perhaps the best way for PR and cybersecurity teams to stay on the same page throughout the entire emergency is simple conversations on a regular basis.

Ensign said that when she was in other jobs, part of her routine was a daily conversation with the security team. This regular interaction built a comfort level between her communications team and the cybersecurity team. And not everything that needed to be discussed was a high-pressure emergency. Sometimes it was getting confirmation about a rumor spreading on social media, so that if the media did call with questions, Ensign had the answer, preventing a potential negative news cycle.

But what if the PR team doesn’t have easy access to the security team?

“I think the most important thing is for the PR team to recognize that security really is not a snapshot crisis,” said Ensign. “It’s really issues management, reputation management.”

Staying united against the constant threat of cyber crises

There will always be cyber incidents, some minor, some major. The PR team has to focus on handling them in the public sphere. At the same time, the cybersecurity team needs to be vocal about its concerns. A message that makes the security team look weak could not only damage the company’s reputation but also hinder the recruitment and hiring of future security professionals.

“If PR teams are not well experienced in managing security incidents, they’re not automatically going to be thinking about things like a technical timeline or remediation steps,” said Ensign.

Yet, someone needs to be advising customers and the sales team on what to expect. “I think,” said Ensign, “that both teams could do a better job.”

Stay tuned for our next article in this series, How CIRCIA is changing crisis communication.

The post PR vs cybersecurity teams: Handling disagreements in a crisis appeared first on Security Intelligence.

Cybersecurity crisis communication: What to do
https://securityintelligence.com/articles/cybersecurity-crisis-communication-what-to-do/
Mon, 15 Jul 2024 13:00:00 +0000


Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication.

Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future success and revenue. However, effective crisis communication helps increase customer trust in your business’s ability to recover and manage the issue. By preparing for crisis communication before an incident and then following a solid plan, you can steer your organization through the storm.

How to plan your cybersecurity crisis communication

Successful crisis communication begins well before any cybersecurity incident begins. Some companies include cybersecurity crisis communication as part of their overall disaster recovery plan, while other businesses have a standalone plan.

Melanie Ensign is the founder and CEO of Discernible, a multi-disciplinary Communications Center of Excellence for security, privacy and risk teams. Ensign says that many companies sleep on security until something goes wrong and then they are trying to earn the benefit of the doubt in an unfavorable environment.

“When I work with clients, I ask them if something were to happen tomorrow, what would you want to be able to say? What do you wish was true, that you would be able to say in response to this incident?” says Ensign. “They tell me how they want to show up as a company, what values and characteristics they want to express. We then work to make all of those things true because if it’s not true, we can’t say it.”

Here are three keys to building the foundation needed to successfully manage a crisis.

1. Create a crisis communication committee

Have a team of employees responsible for collaborating across the organization and managing all communications when an attack occurs. This ensures that communication does not fall through the cracks and reduces the spread of misinformation. Create a team that includes members across the organization involved in cyber response, such as legal, cybersecurity, general management and PR.

2. Create a crisis communication plan

After the committee is assembled, one of the first priorities is to detail all tasks and determine who the responsible party will be for all communication after a cybersecurity incident. Ensign says it’s important to get all key executive decision-makers to agree in advance, or they are likely to make up their own plan once they feel uncomfortable during the incident. She also says a plan is essential because it provides a playbook: if a key decision-maker is unavailable during an attack, another leader can easily fill in.

Because cyberattacks can involve many different schemes, from ransomware to data breaches, the plan should identify as many scenarios as possible and then detail an appropriate draft for each of them. The plan should also include communication points with other departments as well as the channels used, including email, website and social media.

“You need to be able to demonstrate to regulators that you had a plan and that you followed it. Sometimes, you may need to deviate from the plan. We learn things through incidents where we need to tweak our plan because this wasn’t exactly what we needed it to be and a plan helps justify all of those deviations,” says Ensign.

3. Conduct breach simulations for the entire team

While many organizations rehearse cyber response with the technical team, you should also include crisis communication as part of the simulation. Because a real attack is very stressful for everyone in the organization as well as outside stakeholders, practicing the response reduces tension, anxiety and potential errors.


What to do during a cybersecurity crisis

Once a cybersecurity attack is identified, it’s time to put your crisis communication plan into action. Because real situations often vary from plans and emotions are high, it’s vital to keep the following in mind throughout each step.

1. Communicate quickly and with as much transparency as possible

The quicker you communicate, the fewer rumors and less speculation will appear. As soon as you have basic information about the attack and the impact, share an initial statement that clearly explains what happened and any changes to business processes. If the attack was due to a mistake by an employee or the company, take responsibility. Explain how the company will communicate updates, such as through social media or a dedicated webpage, as well as a timeline for future updates. The first communication should also include any steps that people potentially affected should take, such as changing passwords or monitoring their accounts.

2. Set up a process for consumers to get additional information

Let affected customers know how to get additional information for their specific situation, such as a phone hotline or dedicated email. Make sure these channels are continuously monitored and that questions are responded to quickly. After the recent Change Healthcare breach, the company set up a dedicated website for information that also included a phone hotline.

3. Update communication regularly

Because a cyberattack is an evolving situation, you can rebuild trust by keeping in regular contact with all affected parties. By providing updates, you let customers know that you are taking the situation seriously and are taking action. Change Healthcare created a detailed webpage that provided the status of all business functions as well as the expected restoration date of each, which was updated daily during the height of the recovery.

“Your customers and people impacted by the incident are going to care about it far longer than the media,” says Ensign. “Just because it’s not in the media anymore doesn’t mean that it’s not important to continue communication.”

4. Share how the organization will reduce risk in the future

After the SolarWinds attack, the company brought in Alex Stamos, former Facebook and Yahoo security chief and current professor at Stanford University, and Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), as independent consultants for SolarWinds’ recovery, which improved confidence in the organization’s future cybersecurity. SolarWinds also made significant changes in its security layers to reduce future risk, which they communicated to the public.

Have a communication plan in place

A cyberattack contains many unknowns and is a complex situation. By having a solid plan ready and a team to manage the communications, you can easily make changes based on the specific situation. With effective crisis communication, your company can get to the other side of a cyberattack with even more trust from your customers based on your response and communication.

“It’s important to have all communication plans, programs, assets, material, relationships in place before something happens,” says Ensign. “When that day comes, because we all know that day is coming, you have all of those things at your disposal and you can actually show up the way that you want to.”

Now that we have discussed what TO do regarding communication in a crisis, check out our next story in this series, Crisis communication: What NOT to do.

The post Cybersecurity crisis communication: What to do appeared first on Security Intelligence.

3 recommendations for adopting generative AI for cyber defense
https://securityintelligence.com/posts/3-recommendations-generative-ai-cyber-defense/
Tue, 14 May 2024 10:00:00 +0000


In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.

Amid all this commotion, hackers and other cybercriminals are hardly standing idly by. They’re looking into using gen AI for everything from improving the grammar of phishing messages to exploring ways of faking video and audio to trick or extort money from victims. They’re also looking for ways to attack the very AI models that businesses are busy investing in.

If you’re a CISO, or any security professional, the time to begin evaluating gen AI is now. In a recent white paper, IBM’s chief technology officer for security software, Sridhar Muppidi, outlined five key recommendations for evaluating gen AI’s use in defending against cyberattacks. Here’s a quick look at a few of those recommendations.

Use gen AI in threat hunting and response

As attackers increase their use of gen AI, Muppidi notes that their attacks will become pervasive, evasive and adaptive. Security teams will need to adapt by using this technology to their own advantage. AI and machine learning can already make security teams more efficient.

For example, AI-powered security information and event management (SIEM) solutions can help analysts prioritize risks detected. They help minimize analysts’ focus on false positives and allow them to instead concentrate on the critical threats at hand. Gen AI-enabled solutions will do much more, including accelerating threat hunting through natural language searches, generating threat detection and response playbooks, and empowering analysts with natural language chatbots. All of these AI-driven solutions can alleviate human bottlenecks and make security far more efficient—responding faster and doing more with less.


Evaluate gen AI based on the time it saves defenders

CISOs and their teams can expect to be bombarded with a lot of product offers from security providers in the next year or two, all touting the advantages of their particular AI-powered technology. How do you sort through all these product descriptions and demos to zero in on what’s going to make the biggest impact for your Security Operations Center (SOC)?

We recommend focusing on time savings. Time is critical in every SOC. SOCs are famously understaffed. Analysts feel overworked and often frustrated. Anything that saves analysts time—whether it’s time spent manually investigating incidents, identifying false positives or writing incident reports—is worth moving to the top of your priority list.

Challenge gen AI providers on trust

When evaluating gen AI products, one aspect that is often not given enough attention is trust. Do you trust the provider selling you this cybersecurity solution? Does the provider have a framework for securing its AI data, model, and usage? Among the questions you should ask the provider:

  • What data was your model trained on?
  • How representative is that data of the data my SOC works with every day?
  • Can I evaluate it in my own environment to see how it performs before I adopt it?

As impressive as gen AI products seem today, and as much as their presence permeates nearly every topic of conversation, this technology is still in its infancy—especially in the field of cybersecurity. New models and techniques are being announced every month. For that reason, it’s crucial you ask the provider about their own product goals. You should ask, point blank:

  • How much are you investing in the development of gen AI in your products?
  • Do you have a dedicated team evaluating and developing AI for cybersecurity?
  • Who else is using your TDIR solution?

As your organization adopts gen AI in its supply chain, customer service, marketing, HR, product development, and other operations, your attack surface will grow. So, you’ll need to use these same gen AI capabilities to secure your AI data, models, and usage.

The bottom line? When attackers are using gen AI, your best strategy is to fight fire with fire.

For a more in-depth look at Muppidi’s recommendations for adopting gen AI for cyber defense, download “5 criteria for evaluating generative AI in threat management.”

The post 3 recommendations for adopting generative AI for cyber defense appeared first on Security Intelligence.

What we can learn from the best collegiate cyber defenders https://securityintelligence.com/posts/what-we-can-learn-best-collegiate-cyber-defenders/ Fri, 03 May 2024 13:00:00 +0000

This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red teams pretending to be bad actors.

Every year the students’ mission is to mitigate the risk of the red team attacks and ensure their business successfully transforms, all while continuing operations. This competition is unique as it lets the students get a feel for the chaos and stress that ensues when an organization is compromised, undergoing major transitions all while continuing to provide value to customers and report progress to their leadership team.

I’m lucky enough to have founded the National CCDC red team with my good friend Dave Cowen during the competition’s second year. Having participated as a core red team member for almost 20 years, I’ve worked with many students and seen massive shifts in the technology, both offensive and defensive. Interestingly enough, while technology has changed dramatically, and exploits and vulnerabilities come and go, many of the core lessons remain the same. These are some key lessons that underpin the successful teams year after year.

Communication is key

The reality is, compromise happens, things break, mistakes are made, systems do not always operate as intended. The best way to navigate through these problems is clear, concise communication. Ensure your team knows the next steps to take, who is responsible for taking those actions, and that your leadership chain knows what to expect next. Having incident and crisis response plans baked and tested in advance can help in this effort.

Understand what is exposed

Put simply, you can’t defend what you don’t know about. On the red team, we are always looking for systems that are not supposed to be exposed, administration interfaces that should be locked down, that one user account with the default or an easily guessable password. The good news is, you can do the same thing. With the ever-changing and growing complexity of today’s networks, it is critical to look at your network the way the attackers do. Build a list of exposed infrastructure, keep that list up to date and audit those systems regularly to ensure they are working as intended.

Plan for failure

Be ready for something to break. Being able to detect, adapt and deal with those failures is a major differentiator. Review your plans with an eye for corner cases or assumptions to prepare for what could go wrong.

For instance, you have a punch-down list of steps to harden your Linux system. Great. Will you still have access to that list if your internet connection goes down? What happens if the Linux system has an apk-based package manager instead of yum? Do you know how to fix the package manager if it is broken? While you can’t plan for every possibility, make sure your plan is robust enough to enable you to jump over hurdles as they are put in front of you.

Overall, NCCDC is a unique and respected competition format, enabling student teams to experience the chaos of realistic compromises while managing the pressures of running day-to-day business operations. All of this prepares them for what to expect as they graduate and move on to careers in cybersecurity.

Congratulations to this year’s winning team UCF and to the nearly 1,800 students competing in the qualifying and regional competitions which represented 198 colleges and universities. We’re excited to welcome the next generation of cybersecurity professionals and look forward to continuing to learn from you in the coming years.

The post What we can learn from the best collegiate cyber defenders appeared first on Security Intelligence.

Why security orchestration, automation and response (SOAR) is fundamental to a security platform https://securityintelligence.com/posts/why-security-orchestration-automation-and-response-soar-is-fundamental-to-a-security-platform/ Tue, 09 Apr 2024 13:00:00 +0000

Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.

Disconnected teams accelerate the need for an open and connected platform approach to security. Adopting this type of approach can maximize investments by bringing new and existing security tools together, make SOC analysts more productive by moving their workflow into one place, and provide flexibility for organizations as their IT and security programs change. Our vision for a next-generation, open and integrated security platform is built around three key tenets:

  1. Open architecture: With the growing number of different tools and cloud platforms that organizations are using today, a next-gen security platform must be open enough to easily work with different tools from different vendors. Consolidating existing tools or moving data is often too expensive and complex to undertake, but adopting a platform that is based on open-source technology and backed by an open standards body allows teams to maximize existing investments by bringing all tools together in a standardized way.
  2. Centralized hub: SOC analysts can improve their productivity with one primary system of record to manage their workflows. A centralized hub on top of an open architecture provides a way to fuse people, process and technology. This enables analysts to move out of the individual tools they use and streamline their work into one place while still providing the valuable data from the existing tools and decreasing the need to train the entire SOC on all of the tools deployed. The goal is to automatically put the right information in front of the right person at the right time to drive effective and decisive resolution.
  3. Flexible deployment: Most organizations are using multiple clouds and on-premises solutions to manage their security and IT environments. And each is typically in the midst of their own unique journey to the cloud. A next-gen security platform that can deploy anywhere gives businesses the flexibility to choose what’s best now, and in the future, while avoiding lock-in to a particular deployment model.

SOAR is at the core of a next-gen security platform

Security orchestration, automation and response (SOAR) solutions are built on four engines as defined by Gartner: workflow and collaboration, ticket and case management, orchestration and automation, and threat intelligence management. The fusion of these capabilities improves SOC productivity and incident response (IR) times by bringing together people, process and technology. As such, these engines also provide an ideal basis for a robust security stack. Indeed, SOAR capabilities based on an open architecture, with a flexible, hybrid cloud deployment, are the ideal foundation for a security platform that fulfills this vision.

Placing SOAR at the heart of a security platform helps teams extend and maximize value across the ecosystem and to any security process while working in a centralized, coordinated manner. Incorporating SOAR capabilities into a next-gen security platform provides a foundation that will deliver several benefits.

Better communication within and outside the security team

Any SOC, especially a virtual one, requires seamless collaboration to guide responses and organize tasks — this is a key capability of a SOAR platform. Rather than starting from scratch, teams can work intelligently by following workflows embedded within dynamic playbooks. Furthermore, security teams can leverage the workflow and collaboration engine of SOAR to communicate with key players in different functions, such as IT, legal, HR or PR, helping to facilitate a coordinated and efficient response.

Improved efficiency with centralized case management

SOC analysts gain efficiencies from case management capabilities that can be managed from the centralized hub of a SOAR solution, eliminating the need to switch between multiple tools and dashboards. When case management is extended beyond the SOAR solution and into a broader security platform, it provides analysts with a common format to use across all connected capabilities. A strong case management function will also include dashboard and reporting capabilities to track metrics and KPIs, highlight trends and gaps, and elevate the business value of the SOC.

Maximum depth and breadth of the ecosystem

Security teams can maximize the depth and breadth of their ecosystems through an open architecture. An open, standards-based approach allows SOC teams to leverage the capabilities of a diverse ecosystem through integrations across a wide variety of data sources and tools and to capitalize on existing investments. The orchestration of these technologies extends SOAR capabilities while providing security analysts greater visibility into the ecosystem.

Placing SOAR at the heart of a next-gen platform allows customers to extend SOAR benefits beyond the incident response process for which SOAR was created to include any security process, such as vulnerability management, identity management, DevSecOps and more. This not only logically extends this investment to generate additional ROI but also yields KPIs about these processes, which can be used to drive continuous improvement and transform security’s relationship to the rest of the organization.


The post Why security orchestration, automation and response (SOAR) is fundamental to a security platform appeared first on Security Intelligence.

What cybersecurity pros can learn from first responders https://securityintelligence.com/articles/what-cybersecurity-pros-can-learn-from-first-responders/ Wed, 29 Nov 2023 14:00:00 +0000

Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything.

But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists in cyber and what security leaders can learn from first responders.

What first responders and cyber IR professionals have in common

Troy Bettencourt, Global Head of X-Force Incident Response at IBM, has responder experience at multiple levels, with a background including military, law enforcement and cybersecurity incident response. According to Bettencourt, there are many parallels between military, law enforcement and cybersecurity incident responders.

“A lot of the things that make military and law enforcement successful — or help contribute to their success — is constant training and drilling,” he said. “When you have an emergency incident, if you’re part of an internal team and something happens, you don’t have to expend a lot of mental energy on the tasks that should be routine.”

To be successful, much like the military and first responders, incident responders in the cyber industry must have clearly defined roles and real-world experience. For example, they shouldn’t have to think about how to do a search in their EDR platform or how to query firewall logs or a SIEM.

“That should be practiced all the time,” Bettencourt said. “If you’re training and drilling that all the time, then you’re not consuming your limited mental energy and creating high stress, and you’re reserving the mental energy for the actual valuable tasks.”

For Bettencourt and the X-Force team, standardization is also key. “We want to make sure we’re approaching our analysis in the same way, so that if you have 50 systems to analyze and you spread that workload, you know that the findings can be trusted, but they’re also complete and that items weren’t missed,” he said.

Challenges for the cyber industry

One of the more tangible challenges for incident response (IR) is an overall commitment to cyber readiness. Unlike first responders, who have developed a high level of preparedness in their protocols, cyber still lags behind.

“There is still quite a ways to go,” said Bettencourt.

He acknowledged that while much of X-Force’s work skews toward large, more mature enterprise clients, some in certain sectors are still less mature. Small to medium-sized businesses and even larger enterprise organizations that don’t have the resources to invest in cybersecurity often lack the readiness for IR processes.

“Hopefully, it’s not viewed as an obstruction. The business has to adopt cybersecurity as part of the business and not as just a regulatory component that has to be complied with. Because the barrier to entry for cyber criminals has greatly diminished. It’s so easy to jump on the Dark Web and start getting tools and buying malicious Software-as-a-Service kits. It doesn’t take much to be a cyber criminal.”

But lurking in the shadows of the tangible challenges lies an intangible obstacle: responder burnout and stress. According to Bettencourt, studies have shown that, whether it’s cybersecurity, law enforcement, military or other high-risk jobs, people often go above and beyond because of their team.

“They don’t want to let the team and their team members down,” he said.

With that responsibility, many IR professionals are often self-sacrificing and don’t look out for their own well-being. This can lead to significant burnout and stress.

“Now you have diminishing returns. You have talent retention issues, not just for the company, but for the field in general.”

Adopting the right mindset for IR success

To address the readiness challenges and keep pace with first responders, Bettencourt suggests the enterprise focus on three key areas.

Adaptability

While heavy standardization has its advantages, Bettencourt advises that organizations remain flexible, especially in a field where technology and threat approaches are constantly changing and there is a constant desire to learn.

“Getting set in your ways in this field is a death knell from a career perspective because it’ll rapidly move past you,” he said. “I left the field for about three years, and it was like drinking from a fire hose when I got back — and I had been doing it for about six years before that.”

Encourage smaller teams

Building a small team culture has produced favorable results for the X-Force team.

“It’s an approach that benefits both the individual and the organization,” he said. “I think leaders really need to try to foster that structure, that culture of small teams where you can rely on each other, and by extension, people will go above and beyond because of their teammates. They don’t want to let their team down, which means they don’t want to let the business or clients down.”

Prioritize mental health

While mental health assistance is readily available in the cyber industry, it’s not discussed enough compared to first responders, where accessing such resources has become more normalized over time.

When it comes to trauma in first response jobs compared to IR and cybersecurity, Bettencourt noted that while there may not be as much physical trauma for cyber, the constant stress of working can build up over time and cause strain.

“Being an individual contributor burned me out,” he admitted. “At one point it was four months straight of 60 and 70-hour weeks. All I worked was ransomware and nation-state engagements, and it became too much for me and my family.”

Preventing burnout improves IR

Long hours are, unfortunately, very common in the field. So how can leadership develop the right mindset to reduce burnout?

“If you’re a business that just cares about the bottom line [and not your personnel], keeping responders happy is going to result in better performance and less attrition, which means less talent acquisition costs. In cyber, it still takes time to bring them up to speed. For IR, generally, if you lose somebody, it’s about six months before you get a replacement that can really contribute, which then means you’re burning your other folks out,” Bettencourt said.

“So from a purely business, mercenary perspective, even if your organization is not employee-focused, it makes sense from the standpoint of performance, client satisfaction, delivering quality outcomes — from the standpoint of nurturing talent, maintaining talent, reducing talent acquisition and retention costs. To me, it’s a no-brainer. You have happier people, and when people are happy, they will typically work harder for you.”

By learning some lessons from first responders, organizations can be ready to face whatever the next cyber crisis brings.

To learn how IBM X-Force can help you with cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

The post What cybersecurity pros can learn from first responders appeared first on Security Intelligence.

Tequila OS 2.0: The first forensic Linux distribution in Latin America https://securityintelligence.com/posts/tequila-first-forensic-linux-distribution-in-latin-america/ Wed, 27 Sep 2023 19:00:00 +0000

Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America.

IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-Force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that X-Force responded to, followed by Colombia with 17% and Mexico with 8%. Peru and Chile split the remaining 8% of incidents.

In the face of rising incident volumes, the cybersecurity professional shortage is still a serious issue. According to the (ISC)2 Cybersecurity Workforce Study 2022, 3.4 million trained cybersecurity professionals are needed worldwide to deal with all of the cybersecurity attacks and help organizations minimize the impact of cybersecurity breaches.

As the talent shortage continues and threat actors refine their methods, cybersecurity professionals rely on a wide range of tools to stay ahead. There are paid commercial tools and free, open-source tools, corresponding to a varied ecosystem of utilities written in different programming languages (Python, Perl, Bash, PowerShell, etc.). These tools enable the automation of tasks to preserve and analyze artifacts related to forensic analysis and incident response, such as random-access memory (RAM), event logs, network connections, browsing histories, cache and more.

One such tool is Tequila OS 2.0.

What is Tequila OS 2.0?

Students from the National Autonomous University of Mexico developed Tequila OS 2.0, the first Linux distribution in Latin America specializing in forensic analysis, with its documentation in Spanish.

Image 1: Tequila OS 2.0

Tequila OS 2.0 is based on GNU/Linux and is easy to use. All users have to do is download the file with an ISO extension, create the virtual machine and run it. Alternatively, the user can download the files to run directly in a virtualization tool and enter the following credentials:

  • Username: “forense”
  • Password: “unam”

Once the Tequila OS 2.0 desktop is authenticated, it displays the following screen:

Image 2: Tequila OS 2.0 desktop

Tequila OS 2.0 Forensic Analysis Tools

Tequila OS 2.0 contains different tools that can perform forensic analysis and incident response, which are found in the “/Forense/” folder.

Image 3: Tequila OS 2.0 distribution tools

The tools are classified into different folders, each containing software such as Autopsy Forensic, Foremost, MyRescue, PhotoRec, Volatility, Exiftool, Metacam, Wireshark, Ghex, Galleta, Hashcat, ClamAV, Yara, Ophcrack, John and Veracrypt, to name a few.

The main advantages of using Tequila OS 2.0 are:

  • Number of tools: Tequila OS 2.0 has around 60 tools for analysis and response to cybersecurity incidents.
  • Constant updates: The developers offer regular updates free of charge.
  • Automatic assembly: One-click mounting and unmounting of storage media are quick and easy.
  • Manuals in Spanish: Within the distribution itself, manuals in Spanish provide useful guides for all the tools.
  • Minimum memory requirement: Tequila OS 2.0 requires less than 1 GB of RAM to run.
  • Compatibility: Tequila OS 2.0 is compatible with any virtualization software.

As part of the Tequila project, an additional set of tools called Agave performs incident response in a Windows operating environment. To learn more about Agave and its incident response capabilities, check back for our future articles digging into its exciting potential.

Tequila OS 2.0 has proven to be the only one of its kind in Latin America, as it is primarily focused on cybersecurity incident response activities. Over the course of its evolution, Tequila OS 2.0 has gained higher stability compared to its predecessor, a more intuitive user interface, optimized performance, manuals in Spanish, more than 60 tools for cybersecurity incident response analysis, and compatibility with any virtualization tool. These aspects make Tequila OS 2.0 an attractive Linux operating system option for all types of users in Latin America — and the world.

The post Tequila OS 2.0: The first forensic Linux distribution in Latin America appeared first on Security Intelligence.

Alert fatigue: A 911 cyber call center that never sleeps https://securityintelligence.com/articles/alert-fatigue-a-911-cyber-call-center-that-never-sleeps/ Thu, 31 Aug 2023 13:00:00 +0000

Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix such a volume of calls that burnout kicks in and important threats are missed.

That situation is what the average cybersecurity and response analyst deals with.

The concept of “alert fatigue” is real. A March 2023 study commissioned by IBM and completed by Morning Consult found security operation center (SOC) team members are “only getting half of the alerts that they’re supposed to review within a typical workday.” That’s a 50% blind spot.

Moreover, the same study found that most security analysts spend about a third of their typical workday investigating incidents that are not real and that the majority of threats are either low-priority or false positives.

Now, given the above, add in some desensitization to alerts, along with the disjointed, missing, or untested review, response and escalation processes, and the people, process and technology trifecta breaks down. The result? A successful attack.

The cost of delayed detection

A late spring 2023 supply chain attack on a communications provider shows how alert fatigue can contribute to the success of a cyberattack. Go back to the 911 call center: the stream of calls is not stopping, including the “Where’s my pizza?” hysteria. After a while, the call operator zones out. But what if one of those food delivery calls is really something else?

Let us go back to the cybersecurity world for a moment. Just to complicate matters, imagine more “call centers” (or detection tools, such as SIEMs and log aggregators and analyzers) are now triaging the same call but coming to different findings.

Some usual by-products of a glut, or overuse, of similar tools and detection solutions inside the security stack are conflicting results, complacency and information paralysis. All of these issues result not only in delayed detection but also in delayed action.

If you are a security operator, have you ever been:

  • Overwhelmed by the level of data to analyze?
  • In a situation that seems to have over-complicated itself?
  • Fearful of making the wrong analysis or taking the wrong action?
  • Faced with too many options and unable to choose?
  • Stuck in the “I need to do more research” feedback loop?

If you have ever experienced these situations, it is quite likely information paralysis has fully kicked in, and response is likely to suffer. So what are the mechanisms to avoid this? Look into the people, process and technology trifecta; some of the risk management answers lie there.

The right people and processes reduce fatigue

The cybersecurity skill gap, both in terms of available people and experience, still exists. Therefore, finding the right people is a matter of hiring processes aligning with business needs and ensuring the necessary resources are available. An organization cannot use the “woe is me” line if investments in personnel are not there. Somebody has to run the machines but also give them a reality check.

Where it begins to get challenging is the processes. The processes are very much the bridge between people and technology, enabling sound decision-making. For example, reviewing an alert in isolation from other relevant factors could lead to the wrong action. Context matters. An analyst should not be pulling the fire alarm over a false positive.

Additionally, consider the “who” when it comes to analysis. Is there an escalation matrix available? A peer review process? Anything that does not put the weight of the world on a single person’s shoulders?

As threat investigators try to put the puzzle together, ask these questions. Are we:

  • Getting the right alerts, and in a timely manner?
  • Able to discern where discrepancies are coming from?
  • Missing anything?
  • Able to make a decision based on the information we have?
  • Being kept honest by somebody else?
  • Perhaps most importantly, looking at noise or signal?

Given the overwhelming amount of data and traffic, this is where the right tool stack for you can make all the difference.

The right technology streamlines and triages alerting into digestible pieces

Perhaps the best argument today for integrating more (appropriately tuned!) automation is burnout and fatigue. But remember: automation, orchestration and artificial intelligence, for their own sakes, are not the best investment. That is why “appropriately tuned” is an important caveat.

The ideal situation is when your SIEM, SOAR and EDR solutions manage the low-hanging fruit. Put another way, the solutions manage the “noise” eating away at your staff’s time so that staff can focus more on the signal. Effectively, your technical solutions are doing the grunt work for you, triaging and funneling what looks to be serious to a human set of eyes. Those eyes — which should have greater context and understanding of the situation at hand — can now focus on the serious work but still maintain the ability to “look back” at what actions the automated tools performed.

To round out the technology piece of this conversation, keep these two thoughts in mind:

  • Less can be more. More tools can create more alerts, including conflicting information. Streamline the technology stack where possible. Some products work well together; some do not. Do your homework for what is right for you.
  • It’s a tool, not a crutch. If your technology solutions lack human oversight, expect a culture of complacency and knowledge reduction to creep in. Do not become dependent on automation, especially if it is only doing what it’s told.

In closing, look to technology not as your savior to the alert fatigue problem. Rather, treat technology as your partner that can do a good deal of the mundane heavy lifting. Do that, and you can focus your time on the threats that matter and ensure you do not fall behind answering those real emergency 911 calls.

The post Alert fatigue: A 911 cyber call center that never sleeps appeared first on Security Intelligence.
