Alert: Tracking exposed OT/ICS: 2017 – 2024

Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

The Connected Avengers

Cyber Bob, Principal Security Engineer and CTO at Forescout | May 8, 2019

Twitter: @MeetCyberBob

There seems to be an almost symbiotic relationship with technology and the movies. The perfect spark of imagination needed to identify something that SHOULD be made. Being in the device visibility and control market space, watching a movie like Avengers Endgame has my heart pounding. Think of all the new devices that are coming?

This also has me thinking, as Cap – yes, that is what I call Captain America – says: “Whatever it takes.” This is also a good thought, but how does this become a plan for incident response? It can’t be to simply create a team and execute. Your incident response plan needs to be rehearsed. Most of the plan should be an active part of your team’s daily activity. Not just a book you grab when something happens.

Technology is evolving every day, as we all demand it to evolve. So, do the requirements in security awareness, compliance, and traditional IT asset management. These are all effect rungs in the incident response wheel. Let’s break this down even further:

  1. Do you know what you have?
    • Even better who owns/operates the technology connected to your environment?
    • What about the risk this technology provides to your environment?
    • Do you have a value assigned to each of these assets? (what happens when this technology is down for 5 minutes? An hour? A Day? Or no longer usable?)

    This is paramount to your success and speed in an incident—location awareness for real-time or near real-time tracking is a critical variable that is available to you today in asset visibility. Don’t see that as a nice to have, make it a MUST have in your daily operations. This also means a change in the amount and type of data collected. Doing this work now spares future pain.

  2. What intelligence do you have about the types of threats targeting your organization?
    • How are you monitoring threats internal and external to your organization?
    • What ecosystem of information sharing are you leveraging on your Team of Teams?

    Security without awareness is like jumping into battle against the adversary that is right in front of you. Never understanding that the adversary close is often controlled and reports up to a higher authority. You also need to think about an escalation to activity. What sensors are deployed to tell you IF something is broken? Even if this does not mean a security event, it is still a potential for an incident.

  3. What is the corporate escalation path?
    • What knowledge do they have of current risks to the enterprise related to cyber?
    • Have they enabled the cyber expertise to work as a team?

    Especially when talking to large organizations that have many types of business units, some or all operating in their own vertical and their own budget. They don’t leverage the corporate expertise to manage cyber. Have you heard the term digitalization? Factory 4.0? This technology is evolving to be interconnected and is significantly changing the RISK landscape. Cyber is no longer an outsider’s term, it needs to be embraced and the teams need to be enabled. The business, or sub-OPCO, needs to align with good cyber hygiene and plan for better maintenance and security infrastructure. When the incident happens, take steps to immediately respond, in a coordinated, practiced manner.

Just like every great comic book there will be heroes and there will be villains. Each of the heroes won because they practiced 10,000 times with their teams on what the plan is, planned for contingency and executed well. The plan is flexible but leverages cross-functional information for each role and is embedded into the daily lives of activity.

For more of my musings on all things cyber, click here.

Demo Request Forescout Platform Top of Page