
Cyber Incident Response and Little League Baseball: It’s all about the Follow Through

By Isaac DeLaGarza

June 13, 2017

“Follow through”: we hear that phrase often in sports. For me, it was in youth baseball. I wasn’t a very good player, but the act of “following through” made the difference for me. I remember how awkward it felt to raise my right elbow in the batting stance. This is where I learned to keep the bat off my shoulder too. The most challenging part for me was to pivot and rotate my foot: turning your back foot to complement the swing so that you don’t fall down while taking a crack at the ball. Performing a sequence of different mechanics, regardless of whether you make contact with the ball, is what we mean when we say “follow through.” I fell a lot at first, but by executing these individual movements, I was able to hit more than I fell by the end of the season. Good job, coach!

In the realm of cybersecurity, “following through” before and after a cyber incident has a similar meaning: performing a set of mechanisms that improve your odds of preventing cyber incidents. As a computer incident responder, I am able to observe the processes that help improve prevention rates. Taking these observations, best-practice models, real-world experience and documented standards into consideration helps people like me make educated suggestions, much like coaches do.

What You Need to Know

Information is valuable. To some degree, all information has a price. Whether it is manipulated, sold on the black market, stolen or held for ransom, the data traveling through our networks is the target for attackers.

Preventing cyber incidents is definitely the goal, but talk of prevention is commonly held out of context. Firstly, a cyber incident response effort can quickly lose focus when its purpose hasn’t been planned and designed in line with organizational goals. That means system downtime expectations and other cyber incident contingency plans have to be established. Confronting cyber incidents without this type of executive support is like taking the batter’s box away from home plate. In most cases, a response effort without that support focuses heavily on a reactive approach to the incident: it concentrates solely on bringing a system back online and leaves by the wayside the investigative information that could be used to mature the response capability.

Secondly, think of cyber incident prevention as a defensive playbook. The more games you play, the thicker your defensive playbook becomes. Having a playbook doesn’t guarantee winning games, but creating a living and evolving resource such as a playbook lets you confront the opponent in an organized and systematic manner. Cyber incident prevention isn’t something you buy and plug into the network; it is an arsenal of knowledge that organizations grow and nurture into something consistent and effective.

Taking a Systematic Approach

Understanding that cyber attacks are never-ending and ever-changing, taking the “no downtime is acceptable” stance can be counterproductive for cyber incident response. Cyber incidents have many implications, some of them in the legal realm. Responding to cyber incidents systematically ensures that the appropriate actions are taken. Handling cyber incidents isn’t a simple process, but establishing a cyber incident response methodology will greatly benefit an organization no matter its size. While every organization is different, a successful model consistently addresses the following elements in one way or another.

  • Organize [1] - Defining the purpose, assessing downtime impact, establishing the right people and obtaining the proper policies and procedures for incident response establishes a firm foundation for maturing and growing cyber incident response.
  • Prepare [2] - It is important to establish a pattern of preparation, not only so that the organization is ready in the event of an incident, but also to ensure that information systems, networks and applications are secured to standards.
  • Detect & Analyze [3] - One hundred percent of all major cyber incidents start out as events on a system. Establishing proper reporting channels and identifying common cyber incident information will enhance the defensive playbook’s effectiveness.
  • Contain, Eradicate, and Recover [4] with a purpose - Ensure the appropriate actions are taken by considering the purpose set forth by the organization’s legal, business, and other executive stance for containment, eradication, and recovery of systems.

The Follow Through

Performing all of these to some degree will help overall cyber incident response effectiveness. This last point is the “pivot and rotate” part of the swing. It is one of the most elusive aspects of incident response and the most often omitted.

  • Post-Incident Activity [5] - Learn, and evolve processes, configurations, and documentation to reflect newly learned information, enhancing prevention capabilities.

Leveraging newly learned information and evolving all of these key elements is the follow through. Understanding the current capability, evaluating its current effectiveness, and obtaining a custom roadmap that defines development milestones is truly stepping up to bat. Just like you would take advice from your coach back in youth baseball, you can start to follow through by taking a free self-assessment today.
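One way to make the missing “pivot and rotate” visible is to audit closed tickets for post-incident activity. This is an added example, not the author’s or NIST’s code; it assumes a ticket export where each incident records which lifecycle phases were logged and whether a lessons-learned write-up was filed, and the phase names and ticket ids are constructed placeholders.

```python
"""Follow-through audit over incident tickets (constructed example)."""
from dataclasses import dataclass
from typing import List

# SP 800-61r2 lifecycle phases in the order the article lists them.
# "organize" is the article's own foundational step; phase names are assumptions.
PHASES = ["organize", "prepare", "detect_analyze", "contain_eradicate_recover", "post_incident"]


@dataclass
class Incident:
    ident: str                 # hypothetical ticket id
    phases: List[str]          # phases actually recorded, in the order they were logged
    closed: bool = False
    lessons_learned: str = ""  # empty means no post-incident write-up was filed


def out_of_order(inc: Incident) -> bool:
    """True if the recorded phases do not follow the lifecycle order."""
    ranks = [PHASES.index(p) for p in inc.phases]
    return ranks != sorted(ranks)


def skipped_follow_through(incidents: List[Incident]) -> List[str]:
    """Closed tickets with no post-incident phase or no lessons-learned record."""
    return [
        inc.ident for inc in incidents
        if inc.closed and ("post_incident" not in inc.phases or not inc.lessons_learned.strip())
    ]


def follow_through_rate(incidents: List[Incident]) -> float:
    """Share of closed incidents that completed post-incident activity (0.0 when none closed)."""
    closed = [inc for inc in incidents if inc.closed]
    if not closed:
        return 0.0
    skipped = set(skipped_follow_through(closed))
    return (len(closed) - len(skipped)) / len(closed)


# Constructed sample tickets, not real incident data.
SAMPLE = [
    Incident("INC-001", ["detect_analyze", "contain_eradicate_recover", "post_incident"], True,
             "Phishing lure bypassed mail filter; added detection rule and user training."),
    Incident("INC-002", ["detect_analyze", "contain_eradicate_recover"], True),  # restored and closed, no review
    Incident("INC-003", ["detect_analyze", "contain_eradicate_recover", "post_incident"], True, "   "),  # blank write-up
    Incident("INC-004", ["contain_eradicate_recover", "detect_analyze"], False),  # still open, logged out of order
]

if __name__ == "__main__":
    print("skipped follow-through:", skipped_follow_through(SAMPLE))
    print("follow-through rate: %.0f%%" % (100 * follow_through_rate(SAMPLE)))
    print("out-of-order tickets:", [i.ident for i in SAMPLE if out_of_order(i)])
```

The follow-through rate is the number a coach would track season over season; a falling rate means the playbook has stopped growing.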



[1] NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, pp. 6-19. National Institute of Standards and Technology, 2012.

[2] NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, pp. 21-23. National Institute of Standards and Technology, 2012.

[3] NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, pp. 25-33. National Institute of Standards and Technology, 2012.

[4] NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, pp. 35-37. National Institute of Standards and Technology, 2012.

[5] NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, pp. 38-41. National Institute of Standards and Technology, 2012.

http://dx.doi.org/10.6028/NIST.SP.800-61r2
