Marianne Bailey has advised the highest levels of government during some extraordinary cyberattacks, from the Office of Personnel Management breach to NotPetya. Now cybersecurity practice leader for Guidehouse, Bailey previously served as Deputy National Manager for National Security Systems (NSS) and Senior Cybersecurity Executive for the National Security Agency, roles that gave her unique insight into the ways that cyberattacks propagate and affect both public and private enterprise.
Here, she talks to Richard Pallardy for InformationWeek and provides detailed advice on how to renegotiate agreements with third-party providers, ensuring the highest possible level of response to an attack.
Talk to me a little bit about incident response simulation tests. How are they best run? What kinds of gaps should they be probing?
It’s really good to do tabletop exercises. They’re very, very effective when it comes to incident prevention and incident response. Companies should do them every single year.
There are so many people that have a role in response that you don’t typically think of. You think the IT department has to fix it. Maybe the chief information security officer has a role in it. Well, guess what? So does the CIO, the CEO, the CFO, and the CPO. These people need to know their roles when the chaos comes. During the chaos is not the time to figure it out.
I was at the Pentagon when there was a huge theft of Office of Personnel Management (OPM) records by the Chinese — 24.5 million people’s records, 80% of them Department of Defense people. The Secretary of Defense decided we were going to do the response action. It was the first time we’d ever responded to an incident like that. It became incredibly political. We were briefing Congress. We were in the White House talking to them. I met our CPO for the Pentagon and the DOD for the first time during that ordeal. It was obvious that it was going to cost a lot of money. But we had to figure out where we were getting the money and how we were going to respond to it.
The White House decided they wanted us to send out paper letters to every person affected. Just the logistics of finding them was a whole ordeal. My team came to me one day and said, “We need another $500,000.” I’m like, “What is that for?” Stamps. We had to find somebody who could print the letters. What organization has these massive printing presses and can print these letters? We had 30 days to do all this, by the way.
Unless you’re involved in something like that, you don’t realize all the different pieces and parts involved. Every day, I was just learning and learning and learning. Running tabletop exercises really helps a lot. You do mock drills. We’ve had an incident. This is what’s happening when we encounter it in real life.
What types of escalation channels should be kept open to ensure an effective response? Are there channels that you often see that are neglected? Which parts of the business need to communicate that typically don’t?
There needs to be a high-level team in the company that’s handling the incident. They need to meet often. Then they force multiply. There is no single person who is responsible for responding to the attack. You might have the CEO and the CFO and the CIO and probably general counsel on a call every day and talking about what they are learning. Each one of them does their part in that response action. So if, say, a letter is to be sent out, legal counsel is going to look at the wording on it. If there are internal matters to be sorted out, that’s probably between the CEO and the CIO.
Oftentimes a CISO doesn’t have the communication with the C-suite that they need to have. The more they’re communicating with the C-suite, the better the whole incident response is going to go.
What should companies look for in reviewing their third-party incident response support agreements?
Every company is very different. Some of them have pretty sophisticated incident response teams and some of them don’t. It’s really up to them to lay out the roles and responsibilities.
With tier-1 support, you have someone watching the stuff that is running. Their setup alerts them to the fact that something bad happened. They’re gonna turn to a tier-2 person and say, “Hey, can you check this out and see if it really is something bad?” And so the tier-2 person takes a look. Maybe they’ll take a look at that laptop or that part of the network or a server. If it wasn’t a false alert, and it looks like bad behavior, then it goes to tier 3. Typically, the person running that is much more detailed and technical. They’ll do a forensic analysis. And they look at all of the bits that are moving: the communication and what happened. They know adversary tactics, techniques, and procedures (TTPs). They’re really good at tracking the adversary in the environment.
When you’re looking for a third-party incident response and support agreement, you have to know what you, as a company, have the skills to do. Then you contract out for tier 2 or tier 3. They’re going to come in and provide support. Service level agreements are critical. What are you expecting? The more you want, the more you’re going to pay. Do you want somebody on site? That’s fine, but you pay more for it. If it’s remote, it’s going to be less.
It just depends on what you want and how quickly you want it and what you want the incident response team to do for you.
What gaps should be filled in incident response plans?
I’ve seen some that are very, very robust. And then I’ve seen some where I think they didn’t really understand what they were going to need. They didn’t write strong SLAs. They really expected the team to be there in 12 hours or five hours, or to work on weekends. Sometimes, if that’s not explicitly in the agreement, we haven’t quite seen that. Maybe they haven’t talked specifically enough about that tier-1, tier-2, tier-3 response. Maybe they thought they were contracting for tier-3 support, but they end up getting tier 1 and tier 2 instead.
We have been called in by companies when their incident response wasn’t going well. They were in panic mode. Things weren’t going well. They called us and fortunately, we have a very robust cybersecurity practice. Not only were we able to help them respond to the incident and stop it, we were able to come in and help them re-architect their system, which is what we almost always end up doing. You’re never going to be in good shape if you don’t do things differently. So, let’s sit down and re-architect. We end up staying there past the initial response.
Really I would like people to call us before they have an incident. But it’s hard to get somebody’s attention until it actually happens.
What is the cost of ensuring priority? How do third-party providers typically structure their tiers of support in terms of how they charge?
It really depends on the size of the company and the scope of the contract. There is not a one-size-fits-all. How big is your organization? How hard is it going to be for me to come in? If it’s a small company it’s going to be pretty easy for an incident response company to come in and help. If it’s a multinational corporation, it’s going to take time because you don’t know what they’ve gotten into and what they’ve done. Large companies may have really good tier-1 or tier-2 support. They may only need tier 3. They may only need only a certain part of the response.
Service level agreements are just more detailed and very specific to the tiers. They may include the response time — they might come to you immediately and provide a lot of triage support. At the higher tier we’ll also provide things like tabletop exercises, playbooks, and even threat intelligence feeds. What are people in the financial or healthcare or energy worlds seeing? What are the bad actors going after in those sectors? That helps you figure out where to focus your protection.
How do renegotiation procedures usually play out? What should a company keep in mind when entering these discussions?
It’s really about understanding what capabilities a company has and what capabilities they need to augment. Maybe they have some pretty smart people, but they just don’t have enough of them. Maybe it’s about augmentation of their workforce. There are people who live and breathe incident response. They’re not typically just another employee in the company. Some big companies certainly have those capabilities. But if they aren’t present, make sure that your agreements account for them.
If you’re not getting something you need, you renegotiate. It’s going to come down to those SLAs. It’s not a very expensive endeavor to have somebody come in and help you develop your incident response plan and help you write your SLA. So just get somebody smart to come in and help you.
Are there qualities in a provider that companies should look for? Any red flags, either in the services themselves or in the contract negotiation stage?
There’s not like a good list and a bad list. If you’re looking for somebody, I would ask a company that you work with who they used when they had an incident. Most companies have cyber insurance. A lot of cyber insurance companies actually have a list of incident response firms, and you have to use one of the people off their list. That’s not uncommon.
What should a company look for in selecting a backup provider? And how do these agreements intersect with the agreements with the main provider?
I don’t think it’s a bad idea to have somebody in your contact list just in case something crazy happens. But if you had a really good service level agreement with your main provider, I think that’s their responsibility. They have got to figure out how to resource that.
Should companies negotiate penalties for service that isn’t provided during a security event?
Absolutely. That’s why those SLAs are very, very important. And they’re legally binding. If somebody’s not meeting that service level agreement that you laid out, you can go after them and there will be penalties.
Should companies be on the lookout for particular issues with their third-party providers now, as opposed to before the Ukraine crisis?
We’ve seen a lot more volume. It should be a wakeup call to people. This is real. It can really impact our company. It’s not if you’re gonna get attacked, it’s when you’re gonna get attacked. People don’t talk about it a lot. It’s not great marketing. But it’s been going on for a very, very long time.
If you don’t have an incident response plan, and you don’t have decent cybersecurity architecture, now’s the time. You won’t regret it. You’re never gonna say, “Oh, that was a waste of money.” And if it happens, you’re gonna say, “That was the best thing we ever did.”
Look at the Colonial Pipeline. They were down for a week. That cost them millions and millions of dollars. While they’re trying to figure out how to respond to it, the clock is ticking on the dollars they’re losing. It’s pretty much that way for every company. They want to stop everything until they figure out what’s going on. So it’s not business as usual. They’re not communicating with customers; clients are not sending them work.
So now’s the time. And if you do have an SLA, look at it again. Make sure it’s good enough.