I hate the term "breach" - please call it a "security incident" - but the term "breach coach" is certainly ingrained. Posting today's presentation on the role of the coach as I step out the door to an insurance sector event.
Role of a breach coach
1. Incident Response and the Role of a Breach Coach
September 29, 2017
Dan Michaluk
2. An Incident Response Primer: The Linear Model
Prepare → Identify → Contain & Restore → Analyze → Mitigate & Remedy
3. An Incident Response Primer: The Analytical Model
Input: witness statements, system data, system specs, existing policy and procedure, law, intelligence re malicious actors
Process: What is the exposure? What was the cause?
Output: contain and restore, mitigate, remedy, communicate
Outcome:
• Contained or restored
• Reasonably understood
• All reasonable steps taken
Feedback (from affected persons, media, regulators, government and other stakeholders) feeds back into the input.
4. Enter… the “breach coach”
A breach coach is
• a lawyer
• who knows the incident response process
• and provides counsel on the process
5. Why use a breach coach?
You’ll support your process with
• Legal advice
• Breadth of experience
• Objectivity
• Confidentiality
6. When do I call?
AFTER…
• …you’ve confirmed that you have an “incident” (i.e. a real, non-trivial failure or problem)
BEFORE…
• …you take any containment steps other than those that must be taken
• …you take any external action
• …you let a large group of people know internally
7. What to expect on that first call
• The coach will determine what you know and assess what you don’t know
• The coach will conduct a preliminary assessment of scope, exposure and “clock speed”
• The coach will recommend a communication protocol
• The coach will make recommendations on next steps
8. The clock speed concept
Fast-moving incident
• SIN (Social Insurance Number) and DOB likely taken by a hacker
• Errant e-mail sent to 1000 parents
• PI (personal information) included on an envelope
Slow-moving incident
• Video surveillance system left unsecured
• Former employee e-mailed payroll information home for work purposes… unclear if retained
9. Communication and privilege
• Privilege gives lawyers and clients a zone of privacy
• Solicitor-client privilege – communications for the purpose of giving and receiving legal advice
• Litigation privilege – dominant purpose is to address contemplated litigation
10. Communication and privilege
PRIVILEGED
• Client to lawyer: I’m really worried we screwed up. We knew this was a problem eight months ago and didn’t fix it!
NOT PRIVILEGED
• IT staffer to IT staffer: I’m really worried we screwed up. We knew this was a problem eight months ago and didn’t fix it!
11. Communication and privilege
Elements of a good protocol
• Size of the internal response team limited
• Written communication outside the scope of privilege limited
• Outside experts retained by the organization for the coach (so that their work supports the legal advice and stays within the zone of privilege)
12. Outside experts
• IT forensics
• Communications
• Response and notification services
• Security consulting
13. Going to the regulator
• Go on the advice of your coach
• Regulators have a mandate to hold you accountable
• A regulator is not a freely-available breach coach
• It may be appropriate to go to the regulator at the outset
• But if you do, your clock speed will immediately increase and you may lose control
14. Going to the police
• Go on the advice of your coach
• Will rarely discharge your own duty to investigate and take reasonable steps
• Can invite a loss of control over a situation that you currently control (e.g. a known student hacker)
• But when you are at an end there may be little downside to engaging the police and trying to get some help
15. The press and external communications
• Can be used against you
• All external messages should be controlled
• In general, messages
  • Are factual and appropriately qualified for uncertainties
  • Do not misrepresent or mislead
  • Demonstrate (by conveyance of facts) genuine concern
Speaker notes
Slide 1
- incident response is a process
- various models
- they all look like this
- this one, I believe, is from ISO/IEC 27035
...
- the last three are linear
- but they are iterative and loop
- to be clear, analysis supports containment, mitigation and remediation