Planning is critical to information security. Ask any experienced officer if they ever seen an all-encompassing operation plan and they will tell you that they have never seen a plan that endured the first enemy contact. This is true for cyber incident response.
No matter how detailed and comprehensive your incident response plan and play books are or how extensive your team’s experience and training is, everything changes when you are engaged by a real-life threat actor.
I have no doubt that your incident response team is highly professional and well trained and can perform the tasks at the reflex level. However, when the situation changes by a second and the success hangs by a thread, a leader cannot let tactical teams run the show given the limited visibility they may have by focusing on individual tasks.
It is up to a leader to change or realign tasks, pull in additional resources and request for support from other teams. It is hard enough to do when everybody is in the same building, but given the distributed nature of teams it becomes next to impossible.
Enter a virtual situation room. One cannot rely on a conference call to manage an incident. Historical information is not tracked and many things get lost in context. A well organized visual aid with communication history and task tracking is required in a critical situation such as a critical security incident.
Such a tool is important both for leadership to support fast decision making and for all tactical team members. Not only it provides communication means with other members, teams, and leadership, but serves as a progress tracker and informational base to support the ongoing task execution.
A virtual situation room is not to be confused with a ticketing system. A ticketing system will feed data into a virtual situation room, just like other security information systems should, but it is incapable of providing a view into a fast-developing situation, nor can it support a collaboration between multiple team members or multiple teams.
A virtual situation room is the next layer that brings all the information feeds together and makes them available for collaborative effort.
As the incident is resolved and ready to be closed, every leader is faced with the dull and mind numbing task of writing up a report. For many of us this means reconstructing the timeline, decisions and actions from memory, after high pressure multi-hour exercises without a break or even sleep.
With a virtual situation room serving as an audit trail, reporting can be simplified by having a well documented timeline and task tracking, as well as a capability of auto-generating many report sections.
Virtual situation rooms are extremely useful during training exercises and war gaming, where you can review team actions to highlight shortcomings that need correction or to compare between red and blue team situation room notes when reviewing a war game exercise.
Exigence’s platform provides the virtual situation room, helping global incident response teams become more efficient and collaborative in the most critical situations. They would be happy to demonstrate how the platform can become an invaluable tool for your cyber leadership as well as front line operatives.
For more information about critical incident management, connect with Exigence on Twitter, LinkedIn, and Facebook. To read more about critical and cybersecurity incidents, check out one of our other blog posts.
About the Author:
Alexander Poizner is an information security expert, leader and entrepreneur. Beginning his technology career at the age of 15 as one of software developers on Human Genome Project, Alexander has experienced the evolution of cybersecurity threats and technologies since the late nineties.
Specializing on security architecture, strategy and management, Alexander worked in large retail, e-commerce and professional services organizations before launching his own professional services company. After a merger with IntelliGO Networks, Alexander remained in the role of VP of Operations, leading MSSP, Engineering and PMO teams.
He currently works on his new security venture, Parabellyx and advises security start-ups on product strategy. He also researches effects of cognitive biases on security analytics and incident response.