
Cyber Incident Response and Little League Baseball: It’s all about the Follow Through

By Isaac DeLaGarza

June 13, 2017

“Follow through”—we hear that phrase often in sports. For me, it was in youth baseball. I wasn’t a very good player, but the act of “following through” made the difference for me. I remember how awkward it felt to raise my right elbow while in the batting stance. This is where I learned to keep the bat off of my shoulder too. The most challenging part for me was to pivot and rotate my foot. This is where you turn your back foot to complement the swing so that you don’t fall down while taking a crack at the ball. Sequentially performing a variety of different mechanisms, regardless of whether you make contact with the ball: that’s what we mean when we say “follow through.” I fell a lot at first, but by executing these individual movements, I was able to hit more than I fell by the end of the season. Good job coach!

In the realm of cybersecurity, “following through” before and after a cyber incident has a similar meaning: performing a set of mechanisms that improve your odds of preventing cyber incidents. As a computer incident responder, I am able to make observations on the processes that can help improve prevention percentages. Taking these observations, best practice models, real-world experiences and documented standards into consideration helps people like me make educated suggestions, much like coaches do.

What You Need to Know

Information is valuable. To some degree, all information has a price. Whether it be to manipulate it, sell it on the black market, steal it or hold it for ransom, the data traveling through our networks is the target for hackers.

Preventing cyber incidents is definitely the goal, but the prevention talk is commonly held out of context. Firstly, a cyber incident response effort can quickly shift out of focus when the response purpose hasn’t been planned and designed in line with organizational goals. That means system downtime expectations and other cyber incident contingency plans have to be established. Confronting cyber incidents without this type of executive support is like taking the batter’s box away from home plate. In most cases this response model tends to focus heavily on a reactive approach to the incident, leaving by the wayside important investigative information that could be used to mature the response capability, and instead focuses solely on bringing a system back online.

Secondly, think of cyber incident prevention as a defensive playbook. The more games you play, the thicker your defensive playbook becomes. Having a playbook doesn’t guarantee winning games, but creating a living and evolving resource such as a playbook enables confronting the opponent in an organized and systematic manner. Cyber incident prevention isn’t something you buy and plug into the network; it is an arsenal of knowledge that organizations grow and nurture into something consistent and effective.

Taking a Systematic Approach

Understanding that cyber attacks are never-ending and ever-changing, taking the “no downtime is acceptable” stance can be counter-productive for cyber incident response. Cyber incidents have many implications, some of them in the legal realm. Responding to cyber incidents systematically ensures that the appropriate actions are taken. Handling cyber incidents isn’t a simple process, but establishing a cyber incident response methodology will greatly benefit an organization no matter its size. While every organization is different, a successful model consistently addresses the following elements in one way or another.

  • Organize [1] - Defining purpose, assessing downtime impact, establishing the right people and obtaining the proper policies and procedures for incident response establishes a firm foundation for maturing and growing cyber incident response.
  • Prepare [2] - It is important to establish a pattern of preparation, not only so that the organization is ready in the event of an incident, but also to ensure that information systems, networks and applications are secured to standards.
  • Detect & Analyze [3] - One hundred percent of all major cyber incidents start out as events on a system. Establishing proper reporting channels and identifying common cyber incident information will enhance the defensive playbook’s effectiveness.
  • Contain, Eradicate, and Recover [4] with a purpose - Ensure the appropriate actions are taken by considering the purpose set forth by the organization’s legal, business, and other executive stance for containment, eradication, and recovery of systems.

The Follow Through

Performing all of these to some degree will help overall cyber incident response effectiveness. This last point is the “pivot and rotate” part of the swing. It is one of the most elusive aspects of incident response and the most often omitted.

  • Post-Incident Activity [5] - Learn from the incident and evolve processes, configurations, and documentation to reflect newly learned information, enhancing prevention capabilities.

Leveraging newly learned information and evolving all of these key elements is the follow through. Understanding the current capability, evaluating its current effectiveness, and obtaining a custom roadmap that defines development milestones is truly stepping up to bat. Just like you would take advice from your coach back in youth baseball, you can start to follow through by taking a free self-assessment today.



[1] NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, pp. 6-19. National Institute of Standards and Technology, 2012.

[2] NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, pp. 21-23. National Institute of Standards and Technology, 2012.

[3] NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, pp. 25-33. National Institute of Standards and Technology, 2012.

[4] NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, pp. 35-37. National Institute of Standards and Technology, 2012.

[5] NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, pp. 38-41. National Institute of Standards and Technology, 2012.

http://dx.doi.org/10.6028/NIST.SP.800-61r2
