Security Panel – The Cybersecurity Show – S1Ep4
WILL SPALDING [00:00:32] Hello and welcome to episode four of Security Panel, brought to you by Celerity. In this episode we’re going to be talking about incident response and in particular, effectively, how it’s not only affecting businesses, but it’s also affecting the way institutions are run as well, such as the NHS, but also within general government and within day-to-day life. In particular, I’d like to introduce somebody who is an expert within this field. So I’d like to introduce Andy Yates, who is a senior engineer for IBM Security. Andy, thanks very much for joining me.
ANDY YATES [00:01:05] Hey, thanks. Great to be here.
WILL SPALDING [00:01:07] A pleasure having you on. So give us a little bit of an overview, Andy, about your background itself. How long have you worked for IBM Security, and really what is your role there on a day-to-day basis?
ANDY YATES [00:01:18] Yeah, sure. So I work at IBM, I’m a senior engineer within the security business, so I specifically work within incident response. My role is a bit of a hybrid. So I work from the pre-sales capacity right up to post-sales. So I go into an organisation, we scope, we architect a solution and make sure it’s a good fit, make sure it achieves the business objectives, right through to then the post-sale. So I get a good understanding of the implementation side of things and the journey and the roadmap that customers have gone on in terms of maturing in this incident response space.
WILL SPALDING [00:01:49] Yes, it’s great. The fact that, like you said, you take people on a journey really from start to finish essentially, and in implementation. Now, in a nutshell, for some of the viewers at home who don’t really know too much about incident response, can you give us an overview really of how that affects, or where that plays a role within, cybersecurity?
ANDY YATES [00:02:09] Yeah, sure. So incident response is really the process or steps taken to address and mitigate a data breach or data leak, or subsequently an incident. Essentially it is a part of the three-pillar security model. So it’s looking at how you respond to that, so what from the detections reaches the response phase of an incident?
WILL SPALDING [00:02:30] And what would you say the key areas of cybersecurity incident response are then? In particular, I mentioned we’ve had this SOAR acronym mentioned before on previous episodes as well, but I don’t know if that plays a role within it where you work.
ANDY YATES [00:02:46] Yeah, definitely. So SOAR stands for security orchestration, automation and response. Essentially the key aspects of this SOAR piece are really around orchestrating and automating. And the idea here is about helping to accelerate that response, or reduce that response time, so that you can reduce the overall risk as a business. So essentially, you know, within that it’s looking at, as I said before, automation and orchestration, having threat intelligence and some level of artificial intelligence, and bringing it all together into a single solution across your wider security estate to be able to respond to these threats as effectively as possible.
WILL SPALDING [00:03:22] That’s really interesting. So how important is it for a business to have an incident response plan?
ANDY YATES [00:03:28] So, yeah, it’s incredibly important. You know, maturing in this space is extremely challenging and takes a lot of effort, namely around things like automation, for example. You know, with automation, that’s a key aspect in reducing that time to respond. But to get it right is really difficult because, as we know, automation requires data certainty, and that’s something that is very much missing in the cybersecurity space. So, you know, it needs to really be kind of a journey, a roadmap, and any vendor that’s going to come to you and sell you a silver bullet that is going to solve your challenges, you know, I question that, right? It is very much a journey to mature into this space. So I think automation is one of the biggest challenges around that.
WILL SPALDING [00:04:08] I mean, you mentioned the automation aspect of it being one of the challenges for implementing it. Are there any other particular challenges that you could find as well?
ANDY YATES [00:04:17] So, for example, the amount of disparate tools, right. So a lot of organisations, especially the larger ones, will tend to invest in a lot of security products. And that’s great, right. But the problem with this is actually you get all of this great data that could be really useful in responding to cyber threats, but it’s all siloed and disparate from each other. So although you might have all the information you need to respond to these threats, it’s not, you know, together. And that’s the important aspect: being able to contextualise an incident with all this data. And, you know, I really do hate using that term, you know, a single pane of glass, but this is a great example of where something like that is crucial in trying to determine, you know, triage and actually investigate that incident.
WILL SPALDING [00:04:56] Right. I mean, it’s all fantastic in terms of relating it back to incident response, really. But moving on to something that is hopefully going to captivate our viewers at home: there’s a certain branch of IBM, which is IBM X-Force, and they actually created the command centre back in 2016, and more recently the CTOC truck as well, which stands for Cyber Tactical Operational Center, I hope I got that right. But first of all, I actually went there, they were actually in London a couple of weeks back, and I actually saw the demonstrations, so I already know about it. But for people at home, can you give us a little bit of an overview of really what X-Force is all about and really what the CTOC truck does to help clients?
ANDY YATES [00:05:42] Yeah, so. So the CTOC truck is really about helping organisations to identify how prepared they are. It’s a training exercise. So essentially, you go on board this monstrous truck full of the latest technology, and what it does is it actually simulates an incident, right, from an early stage of, you know, you’ve been given an incident, you’ve got to respond to the journalists, the interviewers, right through to responding, being able to track it, trace it, investigate it. And the idea is about, as I said, pointing out those gaps in where your security lies, or looking at how prepared you are in responding to these cyber threats. And ultimately, when we start talking about incident response, that is one of the biggest challenges, I guess, around your preparedness. Being able to be prepared for a cyber incident is actually crucial, and that is where these things like playbooks really come in handy.
WILL SPALDING [00:06:30] Yeah, it really is a physical mean machine as well. It is a big American truck, essentially one of the ones that you see on the road out there. And it’s impressive stuff, to say the least. And the great thing about it is the fact that it does, I mean, I was in there at the time and, you know, it does put people under pressure to basically be able to respond to it, and you see it all in real time. Exactly. And it’s very impressive. You know, in terms of your experience as well, because obviously you’re a senior engineer there for IBM Security, I mean, how would you say organisations are prepared for incident response, and how highly vulnerable are businesses when coming under cybersecurity threats on almost like a day-to-day basis, really then, isn’t it?
ANDY YATES [00:07:11] Yes, definitely. So, you know, very much this is still an extremely vulnerable area. You know, when we look at the industry, an organisation has to have a 100 percent success ratio, whereas a threat actor needs a one percent opportunity. So we’re always going to be on the back foot. And no matter what solutions we put in to, you know, prevent or even detect these, ultimately it’s going to be a case of when you’re breached. And so ultimately, you know, this aspect of the response phase is all about, you know, when you do get a breach, how efficiently can you respond to that? Now, if we look at statistics, it generally takes around 14 days for a threat actor to get from that initial recon right through to achieving their objectives. And if we look at other statistics, it takes organisations 66 days on average to respond to these cybersecurity events, these data breaches. So when you look at these two types of data, you start to see a correlation. Actually, organisations are just not prepared for cyber incidents. There needs to be a significant reduction in that time to respond. So, you know, that to me is one of the biggest challenges around that.
WILL SPALDING [00:08:13] And obviously, there’s a saying within IBM and also Celerity as well: it’s when, not if, you’re going to be essentially attacked at some stage. I mean, from your perspective as well, can you give us some sort of high-level advice to basically give companies for when they have to respond to a cyber attack, and not just incident response, but internally as well? How can people go about it in a mature and, I suppose, a calm approach as well?
ANDY YATES [00:08:41] Definitely. So, you know, personally, I think it all comes down to process, and it’s a challenging one, right, because no two processes are ever going to be the same, because every time we get an incident, that threat could be completely different. So it needs to be a dynamic approach. But ultimately, it does need to have a process. A process highlights that, you know, you’re prepared for an incident, that you have a method of investigation, you know how you’re going to respond to it. And ultimately, that is what is going to make a huge amount of difference. Now, part of that as well is that protection phase. You know, before we get to that response, you need good data. All right, we can prevent what we can prevent and we can detect what we can. But if you have bad data around what you’re detecting going into your response phase, that’s only going to create more of an issue. So it really does have to be a tiered approach on how you progress into this kind of model. But, you know, my advice really is: focus on simulating an incident, have some kind of red team, blue team type event, you know, capture the flag events. These types of simulations really help to highlight where, for example, you have bottlenecks, where your process isn’t good. And all together, when you start building this together, is where you can start to see the biggest significant changes in your efficiency and your accuracy of responding as well.
WILL SPALDING [00:09:52] That’s all well and good for larger organisations or even, you know, larger-sized SMEs as well, going on 200 plus, to have these in place. But for some of the smaller organisations who maybe don’t have the same sort of budgets, especially IT budgets as well, how can they go about it and really look at and digest what you’re saying? How can they implement these? Okay, we appreciate there are threats in place, but how do we go about it when we don’t have the same budgets as, say, these larger organisations as well?
ANDY YATES [00:10:23] Yes. And it’s a really great point, right. You know, not all organisations are going to be able to afford an IRP or SOAR platform. Ultimately, it’s about leveraging that capability that you can get from any solution. So things like having a process that’s still consistent, right. Even if it’s paper based, having a process to follow will significantly improve things. As you start to progress up more, you know, you can start to leverage some of these other kinds of free services. So, you know, looking at some of the free threat intelligence services out there, having a process in place. These are probably the main aspects that you’re going to be able to get without having an IRP or SOAR platform. But as you start progressing up, that’s where you need to start understanding what you can do.
WILL SPALDING [00:11:04] There are a lot of consultants out there as well who offer these services. And I think sometimes people are pretty obvious: there are businesses here to capitalise on this as well. I think, generally speaking, there’s a bit of a community aspect to it as well. This is a real problem. I think we’ve got to cover each other’s backs as well, because it affects all of us.
ANDY YATES [00:11:27] Yeah, definitely. I mean, you know, there are huge communities out there. They talk widely and openly around, you know, some of the threats that they’re facing as an organisation. You know, having somebody, I know it’s difficult as a small organisation, but focusing around looking at the types of threats. Now, if we look at an example of a small organisation, something like a charity, yes, their risk profile is going to be much smaller because they’re potentially not going to be faced by the same types of threats as some of the larger organisations, such as financial institutions. But they’re still going to potentially have a risk profile. Having somebody understand that, you know, determine what types of threats they’re going to face, having a process, simulating an incident, or getting together and at least knowing how to respond to it, even if it’s just two people working in this organisation, is going to make a huge amount of difference. And like you say, there are consultants out there that can help you with this. And it’s something to certainly look at before you may potentially invest in an IRP platform.
WILL SPALDING [00:12:16] It’s also opening it up to a board level. This is something we’ve spoken about previously in other episodes of Security Panel, which is opening it up from an educational standpoint as well, for everybody in the business to be able to understand the threats, and in particular cases, I know we’re not talking about it necessarily today, but phishing attacks, for people to be more aware, generally speaking as well.
ANDY YATES [00:12:39] There’s been quite a significant detachment. You know, quite often the IT department or security operations centres are seen as overhead, and that’s something that needs to change, right. Because people are now starting to realise the impact of what a breach is going to cost, and usually it’s quite significantly understated from what they expect it to be. In reality, it’s much, much more. And so actually, what the organisation is doing is protecting an organisation, and that has a value in itself. So I think there needs to be better alignment, better investment, and organisations need to actually understand the importance of this. It’s like perimeter security. You know, you wouldn’t go to your organisation and say, you know what? We’re not going to invest in putting barriers up or securing gates or CCTV cameras because we don’t see the value in it, because nobody is going to want to walk in and steal anything. It’s the same in cybersecurity, and it’s the progression into the next phase as we become a digital organisation: having, you know, some kind of security posture, not just from an in-house user perspective, but also what do you do when you are breached? What happens if there is a cyber attack? Who would you turn to? Do you have the contact details for someone like the X-Force IRIS team to help you when something does go wrong and you need support? Right. It’s these situations that organisations, in kind of bridging the gap, need to really focus on.
WILL SPALDING [00:13:55] Yeah. So, Andy, we mentioned earlier some of the challenges that organisations face as well. I mean, going back to that point again, what would you say the biggest challenges are, from your experience, that organisations have to deal with on a daily basis, really?
ANDY YATES [00:14:10] Yeah, definitely. So, you know, I think there are a few levels of where the challenges exist, right. From things like skills shortage: we know that there’s a massive shortage of people that are skilled and capable of doing this job, right from level 1 to level 3. And that in itself, you know, having some process in place is going to support that, but again, it’s still a challenge. Things like disparate data sources, being able to contextualise the incident in a single place, is again a really significant challenge. And the volume of that data is also a challenge. But then, you know, we look at the bigger challenges of when you start to actually mature into the IRP space, things like automation can be a real challenge as well.
WILL SPALDING [00:14:47] Yeah. You finally just mentioned automation there as well, which is key to all this. I mean, obviously it’s a great method really to improving response times. But what would you say some of the drawbacks are with automation? And, you know, I suppose, again, talk about it: where are the challenges with automation?
ANDY YATES [00:15:04] Yeah, definitely. So a challenge with automation is really around data certainty. To automate something you need, you know, a very high level of certainty that the action you’re going to take is not going to cause an impact to the business. A great example where you potentially can’t automate something is looking at things like remediating a machine or disconnecting it. If you’re letting some kind of, you know, tool or solution make that decision for you, you need to have a very significant confidence in it, and you’re just not going to have that, and that’s very consistent with cybersecurity. We lack that level of trust, that level of certainty around it. And so maturing into it really does come down to, you know, defining new processes, defining what you can automate and what you do have the ability to automate. And then what is left over, you can then start to look at orchestration. And this idea of orchestration is the concept of essentially keeping the automation, but allowing the human element, the analyst, to make the appropriate decision on when it is a good idea to execute. And ultimately, you know, I’m a really strong believer that in this whole model of people, process and technology, technology really is the least important; it’s the people and process that are going to make the biggest improvement or impact. And no matter how complex or sophisticated these solutions are, we’re not going to be able to replace the intelligence that an analyst is going to have around investigation.
WILL SPALDING [00:16:27] Yeah, it’s not underestimating our skill set in terms of basically decision making. I mean, sometimes we get it wrong. But, you know, if you’re skilled enough, then you’re going to be able to hopefully analyse it and make the right decision. Now, moving on, we’ve all heard about what happened before with the NHS, with WannaCry. I mean, can you give us any real-world examples of where organisations have responded to cyber incidents and really learned from these incidents, really benefited from areas where they can improve?
ANDY YATES [00:17:00] Yeah. So I could talk about an organisation I’ve worked with in the past. So they had a ransomware attack. Now, this was before they had any kind of solution, and consistent with the industry, right, it takes a breach for them to actually realise where they’re potentially lacking. You know, the key issues they had were collaborating with the individuals right across the team, being able to decide who had ownership or even control over it, right. So it was very clear that during the investigation, they didn’t know who was working on what or whereabouts they were within the investigation. And that process and all of these issues extended it to the point where the ransomware actually spread quite significantly across their estate. Now, in contrast, the organisation was later breached again, right during this maturing process. But what they did notice is that they significantly reduced that time to respond, because they had gone through this formulated program, this formulated plan of essentially defining the automation they could do; they had a process in place; they had a tool to actually help them with ownership: who was owning it, what tasks were being completed, when was the next task due. And then, underpinning all of that, they also then used this ability to actually define what metrics they had. And metrics, again, is probably something that is quite often overlooked when we look at this space, right. Because, you know, it’s all very well looking at an incident, investigating and responding to it. But ultimately, when we come to actually want to improve and prevent these issues from happening further, what we need to do is understand, we need to have a post-process review process. And what we’re going to do there is build that into analytics so you can start looking at things like, you know, the types of incidents that you have, understanding, you know, this is how long it takes to complete a process.
And all of these aspects help you to then build up a better idea of your organisation, the value that the SOC is bringing, but more importantly, closing those vulnerability gaps around some of these breaches, and also help to identify what aspects of the organisation, maybe it’s the detection phase, maybe it’s the prevention, you are looking at a firewall or something. These elements are going to help to define what you need to focus on to improve. So the organisation, going back to that, you know, they saw a significant improvement and reduction in time just through, you know, some very basic, easy-to-do automation, and then having a process and planning.
WILL SPALDING [00:19:20] This who, what, where, why approach, and seeing really why, or who has done it in the first place as well, can really, I suppose, allow for the right response moving forward as well. Just quickly as well, because unfortunately we are running out of time: do you have any closing advice for the viewers at home who want to find out a little bit more about incident response, and really the first steps they can take to taking up what you’re saying as guidance?
ANDY YATES [00:19:49] Yeah, definitely. So, you know, I’d really recommend reaching out to IBM. There’s plenty of information online, and again Celerity as well. You know, if you have any questions, I’d recommend looking on some of the channels that we’ve got. There’s a huge amount of information around understanding cybersecurity, you know, maturing into the automation space. There’s plenty of data out there. So that would be my advice.
WILL SPALDING [00:20:12] Fantastic. Well, Andy, I really appreciate you coming on. It’s an absolute pleasure having IBM Security’s perspective on this, and really talking about incident response generally rather than just, obviously, specifics as well. So it’s really, really great to get your perspective on it.
ANDY YATES [00:20:28] Really appreciate it, thank you so much.
WILL SPALDING [00:20:28] Join us next time for another episode of Security Panel, where we’ll be discussing more things happening within the cybersecurity scene as well. I’ve been Will Spalding. I hope you’ve enjoyed this episode. We’ll see you next time.