by Craig Savage, VMware Senior Security Strategist
When I was learning to fly light aircraft, one constantly reinforced concept was that should anything go wrong you, as the pilot, must focus on three key phases—in this very specific order:
Aviate: Fly the plane. That means get yourself back in control and out of immediate danger.
Navigate: Figure out where you are and where you need to go—then ensure you are headed in the right direction.
Communicate: Let people know what is happening, either the flight controller that you’re currently in contact with or, if appropriate, a Mayday call to mobilize rapid help.
These three mission-critical phases are one reason flying continues to be the safest form of travel. To put it another way, air travel is a secure proposition indeed!
Which brings me to the point of this blog.
Flying high with cybersecurity
Over the years, I have discovered there are distinct parallels between the aforementioned pilot tenets and the cybersecurity world. In fact, I have witnessed many occasions when, during a major incident, a clear order-of-response priority would have significantly accelerated the resolution time.
Therefore, I posit a similar ‘pilot’ methodology for cybersecurity needs, with three different keystone protocols of course. These are phases that InfoSec teams would always employ regardless of the situation.
Contain: Begin this first phase by remembering that security is a team sport, and you always have your ‘flight crew’ for backup. Contain is similar to Aviate, as the priority is to get the event under control via a select (and small) need-to-know team. This directly involves the Incident Response (IR) team, whose goal is to identify the scope of the issue at hand as quickly as possible. The focus here is on damage limitation and on gaining clear knowledge of the issue in the shortest time possible. For example, stop the spread of ransomware by shutting down the network transit points it is using, and/or get a real understanding of whether data has been stolen. This sets the stage for the Crisis Management Team (CMT) to effectively tackle the later Communicate phase.
It is imperative to know what you’re dealing with before you start trying to solve it, again similar to a pilot in flight who must immediately determine if the issue is an engine, wing, landing gear, or something else.
Remediate: The second phase is to determine the next steps to facilitate recovery, and set those actions in motion. If you’ve done the Contain phase correctly, then you should have a good idea of what needs fixing—or what precisely was stolen. Get the recovery efforts underway, ensure you’re making progress (even if it is slow), and limit the number of ‘problem-solving’ meetings. Decision paralysis is a real risk at this point, so plan with a bias for action. After all, no flight crew or ground control group ever said they wished they had held more meetings during a crisis.
Communicate: Other than the emergency communications required to muster the various teams, this is the first point at which to actively relay event facts to relevant personnel. Delaying broader communication until this point prevents extra people from ‘helpfully’ trying to assist in the Contain or Remediate phases. When you do decide to communicate more broadly, make sure you have all your ducks in a row. Until the best-known facts are available, jumping the gun on communication can have detrimental effects (including offering threat actors another advantage). At the end of the day, everyone ultimately appreciates the truth over rumor or speculation.
By following three distinct phases in cybersecurity emergencies, enterprises can fortify their response game.
As a private pilot, I make it a habit to practice emergency drills whenever possible—keeping your skills sharp means you’re statistically more likely to respond better, faster, and with a higher chance of success. The same holds true in piloting the airspace of cybersecurity:
- Insist your IR teams have regular practice
- Ensure you have the means to contact them and your CMT if an emergency occurs (at VMware, we have even deployed satellite phones)
- Remove guesswork by adhering to the above formula
Isn’t it time your team took a lesson from the safest form of travel?
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment.