Marianne Bailey has provided high-level government advice during some of the most unusual cyberattacks of recent years, from the Office of Personnel Management breach to NotPetya. Now Guidehouse’s cybersecurity practice leader, Bailey’s service as Deputy National Manager of National Security Systems (NSS) and as a senior cybersecurity executive at the National Security Agency gave her unique insight into how cyberattacks spread and impact public and private enterprises.
Here, she talks with Richard Pallardy for InformationWeek and offers detailed advice on how to renegotiate contracts with third-party providers, ensuring the strongest possible response to an attack.
Talk to me a little bit about incident response simulation tests. How should they be run? What kinds of gaps should they check for?
Doing tabletop exercises is really good. They are very effective when it comes to incident prevention and incident response. Companies have to do them every year.
There are many people who have a role in the response that you don’t usually think of. You think the IT department should fix this. Perhaps the chief information security officer has a role in it. Well, guess what? So do the CIO, CEO, CFO, and CPO. These people need to know their roles when chaos hits. The time to figure it out is not during the chaos.
I was in the Pentagon when the Office of Personnel Management (OPM) records were stolen by the Chinese – records of 24.5 million people, 80% of them Department of Defense people. The Secretary of Defense decided that we were going to take responsive action. This was the first time we had responded to such an incident. It became incredibly political. We were informing Congress. We were talking to the White House. It was during that ordeal that I first met our CPO for the Pentagon and DOD. It became obvious that a lot of money was being spent on this. But we had to figure out where we would get the money and how we would respond.
The White House decided that we should send paperwork to every affected person. The logistics of finding them were a complete ordeal. My team came to me one day and said, “We still need $500,000.” I was like, “What’s that for?” Stamps. We had to find someone who would print the letters. Which organization owns these huge presses and can print these letters? We had 30 days to do all this.
Unless you engage in something like that, you will not understand all the different pieces and parts involved. Every day, I was learning and learning and learning. Running tabletop exercises really helps a lot. You do mock drills: we have had an incident, this is what happens. That is what it is like when you encounter it in real life.
What types of escalation channels should be open to ensure an effective response? Are there channels you see frequently neglected? What parts of the business do not normally communicate?
There should be a high-level team in the company that handles the incident. They should meet frequently. Then they become a force multiplier. Nobody is responding to the attack alone. You can call the CEO and CFO and CIO and possibly general counsel every day and talk about what they are learning. Everyone plays their part in that response. So, if a letter is to be sent, legal counsel will look at the wording on it. If there are internal issues to resolve, it will probably be between the CEO and the CIO.
Often the CISO does not communicate with the C-suite as they should. When they interact with the C-suite, the response to the entire event is excellent.
What should companies look for in reviewing their third-party incident response support agreements?
Every company is so different. Some of them have pretty sophisticated incident response teams and some of them don’t. It is up to them to spell out roles and responsibilities.
With Tier-1 support, someone is watching what is coming in. Their tooling alerts them to the fact that something bad has happened. They are going to turn to a Tier-2 person and say, “Hey, can you check this out and see if it’s really anything bad?” And so the Tier-2 person looks at it. Maybe they look at a laptop or that part of the network or server. If it is not a false alarm and it looks like bad behavior, then it goes to Tier 3. Typically, the person running that is more detailed and technical. They do forensic analysis. And they see all the moving pieces: the communications and what happened. They know the adversary’s tactics, techniques and procedures (TTPs). They are really good at spotting an adversary in the environment.
When you are looking at a third-party incident response and support agreement, you need to know what skills you have as a company. Then you contract for Tier 2 or Tier 3. They are going to come and support you. Service level agreements are crucial. What are you expecting? The more you want, the more you are going to pay. Do you want someone on site? That’s fine, but you pay more for it. If it is remote, it will be less.
It depends on what you want, how quickly you want it, and what the quick response team will do for you.
What gaps should be filled in incident response plans?
I have seen some very robust ones. And then I have seen some where I think they didn’t really understand what they wanted. They did not write strong SLAs. They really expected the team to work within 12 hours or five hours or on weekends. Sometimes, if it’s not clear in the contract, you don’t see it. Maybe they haven’t talked enough about that tier-1, tier-2, tier-3 response. Maybe they thought they were contracting for Tier-3 support, but they end up getting Tier 1 and Tier 2.
Companies have called us when the response to their incident has not gone properly. They were in panic mode. Things were not going well. They called us and luckily, we have a very strong cybersecurity practice. Not only were we able to help them respond to the incident and stop it, we were able to help them re-architect their system, which we always do. You will never be better off if you don’t do things differently. So, let’s sit back and re-architect. We stay there beyond the initial response.
I really want people to call us before the event. But it’s hard to get someone’s attention until it actually happens.
How much does it cost to ensure priority? How do third-party providers structure their range of support, and how do they charge for it?
It really depends on the size of the company and the scope of the deal. Not all are the same size. How big is your organization? How hard will it be for me to get in? If it is a small company, it will be very easy for the incident response company to come and help. If it is a multinational corporation, it will take time because you have no idea what they have and what they have done. Larger companies may have really good tier-1 or tier-2 support. They just need tier 3. They may only need a specific part of the response.
Service level agreements are more detailed and specific to tiers. They may include response times – they can come to you immediately and provide adequate triage support. We also offer things like tabletop exercises, playbooks and threat intelligence feeds. What are people looking for in the world of finance or health or energy? What are the bad actors pursuing in those fields? This will help you figure out where to focus your defenses.
How do renegotiations usually take place? What should the company keep in mind when entering these discussions?
This is really about understanding what the company has and what capabilities they need to enhance. Maybe they have smart people, but not enough of them. Maybe it’s about augmenting their workforce. There are people who live and breathe incident response. That is usually not just another employee in the company. Some big companies definitely have those capabilities. But if they don’t, make sure your contracts account for them.
If you don’t get what you want, you renegotiate. It comes down to those SLAs. It is not a very expensive endeavor to get someone to come in and help you develop your incident response plan and write your SLA. So get someone smart to help you.
Are there qualities that companies should look for in a provider? Any red flags, either in the service or at the point of contract negotiation?
There is no such thing as a good list and a bad list. If you are looking for someone, I ask the company who they work with when they have an event. Most companies have cyber insurance. Most cyber insurance companies actually have a list of incident response firms, and you need to use one of the providers from their list. That’s not normal.
What should a company look for in selecting backup providers? And how do these agreements intersect with agreements with the main provider?
I don’t think having someone on your contact list is a bad idea if something goes wrong. But if you have a really good service level agreement with your main provider, I think that’s their responsibility. They need to figure out how to resource it.
Should companies negotiate penalties for a service not provided during a security incident?
Absolutely. That’s why those SLAs are so important. And they are legally binding. If someone does not meet the service level agreement you put in place, you can go after them and they can be penalized.
Do companies now need to look out for specific issues with their third-party suppliers in light of the Ukraine crisis?
We have seen a huge volume. This should be a wake-up call for people. This is real. It can really impact your company. If you haven’t been attacked yet, you will be. People don’t talk much about it. It’s not great marketing. But this has been going on for a long time.
If you don’t have an incident response plan and you don’t have a decent cybersecurity architecture, now is the time. You won’t regret it. You will never say, “Oh, that was a waste of money.” And if it happens, you will say, “That’s the best thing we’ve ever done.”
See Colonial Pipeline. They were down for a week. It cost them millions and millions of dollars. As they try to figure out how to respond to it, the clock is ticking on the dollars they are losing. It’s pretty much that way for every company. They want to stop everything until they figure out what’s going on. So it’s not business as usual. They are not communicating with customers; customers are not sending them work.
So now is the time. And if you have an SLA, look at it again. Make sure it’s good enough.