Security Experts:

Navigating a Way Out of the Lion's Den Before, During, and After Incident Response

In my previous column, I offered tips on leveraging security metrics in order to stay out of the lion’s den. It goes without saying that it’s always best to avoid the lion’s den whenever possible. In fact, much of the security advice out there is centered around this philosophy.  But what should one do if they have no choice but to put themselves in the lion’s den?  What happens if, for incident response purposes, we need to leave our comfort zone and enter a dangerous environment?

I’d argue that the best strategy for surviving a dangerous environment is to stay strong, to engage with the negative forces in the environment only when necessary, and to let that environment affect you as little as possible. When the security of our organization depends on us leaving our comfort zone, how can we ensure that we accomplish what we set out to do without putting the organization at additional risk?  Here are some tips to help an organization cope with and navigate its way out of the lion’s den before, during, and after incident response:

1. Stay focused:  When you need to enter the lion’s den, remember why you’re there. Don’t get distracted. Get in, complete the mission, and get out.

2. Realize where you are: The aptly titled film says it all: “The Devil Wears Prada.” When in the lion’s den, identify where you are. Don’t let naivety or cockiness lure you into a false sense of security or over-confidence. Beware of getting drawn into tasks or activities that are irrelevant to your objectives and, in fact, may work against them.

3. Know your safe spots: In an unsafe environment, knowing where the safe spots are is critical. Know where you can and cannot find the people that can help you, the processes and procedures that you need to follow or understand, and the data you need to assess and analyze the situation.

4. Know who you can trust: “Knowledge is power” and “Information is power” are oft-used phrases. The phrases themselves are quite poignant. When we provide information to people who cannot be trusted, we are arming them with ammunition that they can later use against us. Because we need to collaborate and share information with those we can trust in order to be successful, we need to know who is within the circle of trust and who is not.

5. Know how to go the distance: How do you get somewhere that seems too far away? One step at a time. Identify and mark your destination. Set goals to get you there and work to topple one goal after another. If you stay on track, you’ll get to where you need to be step by step.

6. Know your tolerance for damage: You may have to incur a bit of risk or soak up some damage in order to complete your mission. Understand how much damage you are willing to incur in order to finish the job. If you’re within that range, keep at it and stay strong.  If you pass your threshold, the time has come to turn back.

7. Know what you are willing to risk:  While risk can be minimized, mitigated, and managed, it can never be eliminated. Understand what risks you’re willing to take as you work towards your goals.  If you find yourself swimming in all kinds of risks you didn’t anticipate or account for, it may be time to reevaluate your course or even turn back.

8. Know when to change course: Measure your progress and the execution against your objectives as you go along. Keep a keen eye on risk as well - particularly since risk is something that is not always possible to understand or estimate from the outside.  If you are making good progress, and the benefits appear to outweigh the risks, you’re likely on the right track.  In that case, be persistent and don’t give up. If the risks begin to outweigh the benefits or you’re not progressing or executing well against your objectives, it may be time to adjust course. Take a step back, assess the situation, and decide on the right path. It may mean adjusting ever so slightly, changing the course radically, or even bailing entirely.

9. Assess all damage: Assessing damage before, during, and after your time in the lion’s den is extremely important.  This includes damage that may not be immediately apparent - damage that is beneath the surface.  This helps to realize the overall cost to the organization and aids in understanding the response and recovery required.

10. Take lessons learned: No trip to the lion’s den is complete without lessons learned. These lessons help us hone and improve our incident response procedures for the future. Further, they allow us to improve our protective and preventative measures to ensure we don’t find ourselves back in the same lion’s den again. As the poet and philosopher George Santayana noted, "Those who cannot remember the past are condemned to repeat it."

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.