Accenture Security’s Bryan Singer reveals how incident response helps organizations connect the dots and close the gap

While improving operational resilience—a firm’s ability to prevent, respond to, recover from, and learn from operational disruptions—has been a growing focus among the financial, industrial, manufacturing, and energy sectors, the global pandemic has put resilience on the agenda of almost every company. Whether caused by a power outage, natural disaster, or supply chain shortage, service disruptions happen. Having a proactive approach helps ensure a company is prepared and experiences little to no impact when a disruption occurs.

So why should security be treated any differently?

With hundreds of incident response engagements to his credit, Bryan Singer, who represents our OT capabilities within our Global Incident Response practice, knows more than a thing or two about what works and doesn’t work when it comes to successfully recovering from security-related disruptions.

His presentation, “Proactive & Reactive OT Incident Response,” is full of insights and examples of why companies should ditch their reactive, “wait until something happens” mode for a proactive approach, particularly in light of the hard truth that, today, no company is immune to a data breach, operational disruption, or full-scale ransomware attack. They are happening every day, around the globe.

Unfortunately, too many companies operate their incident response activities in a reactive manner. Yes, you may be performing patch management, log monitoring, and have a SIEM. But those activities are primarily focused on rectifying immediate incidents and preventing repeat attacks or technology disruptions from happening in the future.

On the other hand, a proactive approach focuses on identifying and preventing incidents before they ever become a threat. As Bryan shares, when companies do get hit, the final outcome is more favorable for those who have proactive measures in place. To learn what those proactive measures are, please take a moment and watch Bryan’s presentation. Here’s a clip:

Proactive and reactive IR—What you need to know

Accenture Security's Bryan Singer reviews an OT Cybersecurity Incident Preparedness Checklist to help you plan your incident response processes. Watch the full session here.

Transferable takeaways for your industry

Michelle DeLiberty
Managing Director, NA Chemicals Security Lead
on Chemical

"We have to get things back up and moving. And the only way you're gonna do that effectively is if you have worked all these plans out in the beginning." - Bryan Singer

Business Continuity and Crisis Management are much more than disaster recovery and failover. To be effective, you should enable teams to move efficiently and with speed at decision points. Make sure your continuity and contingency plans enable quick scaling of the organization to accelerate the recovery, especially if rebuild efforts are required. Build resilience into your operations and supply chain by combining Cyber Threat Intelligence with business operations to safeguard those assets most critical to operations and/or safety, particularly with chemicals of interest (COI).

Salwa Rafee
Managing Director, Global Healthcare Security Lead
on Healthcare & Life Sciences

"What is the cost of doing nothing?" - Bryan Singer

For the healthcare and life sciences industry, the cost of doing nothing is significant. Bryan cites some common reasons he hears from industry folks when pressed on why they don’t have an incident response (IR) plan—responses I’ve heard often in Healthcare: “Can't happen to us.” “Won't happen to us.” “Nobody would attack us.” “We're too busy to put one together.”

No matter how legitimate these reasons, the attack landscape is such that hospital systems and payer/providers should build an IR plan, rehearse it so they have the muscle memory to execute it, and revise it often with lessons learned along the way.

Paul Brownlee
Managing Director, Global Industrial Security Lead
on Manufacturing

"...you may be able to delegate responsibility, but fundamentally, you're accountable." - Bryan Singer

Being overly dependent on vendors can lead to a false sense of cyber resiliency. Operators know which vendors to call when a single system fails, but if it all goes wrong, no matter how many third-party vendor contacts you have, you need someone on the ground that understands how all the systems tie together. Each vendor can take responsibility for their respective system but it’s the operator who is ultimately accountable for their systems, for incidents, and for the incident response process.

Proper and effective incident management requires orchestrating all of the components and business groups that have to come together post event. There's a lot in manufacturing that could be done to figure out what that tapestry looks like before you have to pull offense. A few such items include:

  • Document site-level network architectures, including how they tie to IT. Determine which systems exist, who is responsible for each system, and who is accountable on site.
  • Work through scenario-based tabletop exercises, make decisions, and write them down.
  • Consider developing a master incident response plan that sits with the overarching IT team and individual incident response supplements that govern each site.

Luis Luque
Managing Director, Global OT Security Lead
on Oil & Gas

"Having worked probably somewhere around 200 incident responses over the many years … we've seen a really large difference in … an organization that is very well prepared for that worst day versus ones that are purely reactive." - Bryan Singer

Three possible areas to fine tune preparations for more effective response and recovery:

  1. Don’t overlook global alignment of vendor response support. Whatever we do for incident response (IR) should be coordinated and supported by vendors, both domestic and international. Create face up models with first tier vendors to determine what vendor firms can support response globally. Often capabilities vary from vendor to vendor and geolocation to geolocation within a single vendor.
  2. Prioritize recovery objectives and communicate those to your IR team. What’s your organization’s IR priority? In the resources industry it’s often “get back up and running as soon as possible.” Is your IR team on the same page? Responders tend to have a different lens. They may prioritize looking at root cause analysis, attribution, and forensics when your team’s priority is to get back up and running. Structure a comprehensive IR plan that prioritizes what’s important to your business.
  3. Invest in multiple IR partnerships now. Incidents are on the rise and everyone is busy – including IR firms. Crippling, widespread supply chain compromises leave responders spread thin and those without paid IR retainers in a precarious position. To protect yourself:
    • Secure paid retainers.
    • Consider having several retainers across multiple vendors.
    • Exercise the relationships for threat hunting and tabletop workshops.

Rich Mahler
Managing Director, Global Utilities Security Lead
on Utilities

"A lot of the (security vendor) solutions are evolving into top-tier solutions. It's getting difficult to choose a bad product these days. Now there may be some that may be more for purpose … However, it's still very, very easy to choose a bad implementation, right?" - Bryan Singer

What we're seeing in successful utility security programs is that, in addition to having good tools, the implementation and architecture is well planned across IT, security, and the business units (Generation, Transmission, and Distribution). They’ve also invested in their people by clarifying roles and responsibilities, processes and procedures, and training. As a result, when something abnormal happens it is detected and can quickly be put in context to decide if it is a regular maintenance action or an adversarial action. It also confirms everyone is clear on what the action plan is to respond.


Copyright © 2021 Accenture. All rights reserved.

Jim Guinn
Managing Director – Accenture Security, Strategy & Consulting Lead