The concept of cyber resilience is born out of the recognition that all organizations are likely to be impacted by a cyber-incident at some stage, given the rising intensity and sophistication of attacks.
This means extensive planning and preparation are needed to respond and recover when an incident does occur, so that substantial financial and reputational damage is avoided.
Such preparation is not just a commercial necessity but also a legal one, with a range of new regulations emerging that relate to reporting requirements when an incident happens. These include recent US Securities and Exchange Commission (SEC) mandates requiring publicly listed firms to disclose material cyber incidents rapidly.
Jason Manar, CISO at software company Kaseya, is able to view the topic of cyber incident response through several lenses.
In his current role, Manar is involved in protecting his own company, as well as helping to secure the customers who use Kaseya software.
Prior to joining Kaseya in 2021, Manar worked at the FBI, where he became a Supervisory Special Agent (SSA) in the Cyber Division. In his time at the FBI he investigated cyber incidents and worked with the private sector during their recovery from attacks.
Infosecurity recently spoke to Manar about best-practice responses to cyber-incidents, and how to be as transparent as possible with stakeholders during an ongoing attack.
Infosecurity Magazine: What advice do you have for organizations to reduce the risk of being impacted by cyber-attacks?
Jason Manar: I’ve talked to a lot of industries and individual end user institutions of all sizes. One of the common themes is that a lot of organizations are not aligning to a single framework, whether that’s the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) or ISO 27001.
These frameworks allow you to have a roadmap, as it can get overwhelming for practitioners that don’t have some type of guide and/or framework.
Also, we strategically need to think how we’re going to be better tomorrow. Oftentimes organizations are firefighting and only see the one thing that is in their face instead of thinking strategically.
My advice is aligning to a framework, executing that, and having a plan for what your strategy is going to be not only today but over the next week, month and year.
IM: What guidance do you have around mitigating software vulnerabilities?
JM: For me, vulnerability management is a matter of process where you are upgrading hardware and software, and making sure that they are patched on a regular basis.
That’s why you’ll often see smaller companies wanting to automatically update every time a patch comes out. For larger companies and institutions that are reliant on legacy equipment, it is much harder. They often have expensive machinery on their network, such as MRI scanners, that is still working but no longer supported.
There are going to be items within your environment that may not be supported, and you have to find ways to get them isolated and ensure there’s no chance that they can be a vector for a potential intrusion.
There has to be a process: you have to know what assets you have and what state they are in, and then make sure that they are all updated and secured in such a way that they can’t impact the rest of your environment.
IM: In your role at the FBI, what did you observe to be the main shortfalls organizations have in their incident response plans?
JM: It was preparedness. That’s why we spent so much time in the FBI going over tabletop exercises. People would have tabletop exercises and think that they were prepared but they were often going through the motions. I’m a firm believer that you get out of any scenario what you put into it.
Although security teams coordinate with legal, marketing, communications and the boardroom on a regular basis, there is a different level of pace of communication when it comes to a cyber event.
You want to try to mimic that intensity during tabletop exercises. As a CISO, my desire is to make that day or half day exercise as difficult as possible, where we have to think about things that would potentially come up during an event that we haven’t thought about before.
You will never be able to emulate every potential scenario of an event. You’ll get close but there’s always something that’s going to come up that’s unexpected and you have a better chance of being successful at whatever that unexpected matter is if you have practiced and thought about these things beforehand.
At Kaseya we incorporate a cyber range, so we have practitioners going through a scenario where they are hands on a keyboard in the cyber range while the executives meet and start going through the intelligence that is being brought back, and then making decisions on that information.
You want to get the whole team involved as much as you can. It can’t be a ‘check-the-box’ mentality; you have to make sure that all individual contributors are contributing to that tabletop exercise.
IM: How can businesses increase transparency during a cyber-incident?
JM: Any time an incident is ongoing, information is your friend. Regardless of how much information you provide, some people always want more. If too little information is provided, people will always jump to conclusions.
Lean towards allowing the facts to be out there and letting the customer make their own decision. During emergency situations at Kaseya before I joined, the company had no problem taking its entire sales floor off from selling and turning them into a communications team. This enabled Kaseya to communicate what was going on with regard to the breach in real time.
Did Kaseya always communicate perfectly? No. But if history is any determination of what will happen going forward, Fred Voccola [CEO of Kaseya] has made it clear that he is going to be as transparent as possible with all of our customers to ensure that they have the information they need to make decisions for their downstream customers.
There are also certain governmental agencies and entities that are getting better about magnifying communications when there is an event for public institutions. I would like to think that’s directly correlated to some of the feedback and some of the partnerships that we have had with the public sector.
IM: What are your biggest concerns within cybersecurity today?
JM: My biggest concerns have always been the ‘unknown unknowns.’ Let’s say the company doesn’t have a process for finding out or knowing if a piece of hardware or software has been added to their environment. That would be an unknown unknown.
We are always looking to put processes in place that discover any unknown unknowns in the shortest amount of time possible. Unknown unknowns can also be geopolitical events and various other global crises that are going on.
Try to stay ahead of that and be predictive about what those events may be so you can have a little bit of preparation.
Almost everyone I talk to tells me how hard it is to retain cybersecurity talent; they will tell you how hard it is to recruit and then develop that talent.
The unknown unknowns and getting people in the right positions are the two things that are constantly top of mind for me.
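The two process points made above, knowing what assets you have and what state they are in (the vulnerability-management answer) and discovering hardware or software that has appeared in the environment without anyone recording it (the "unknown unknowns" answer), both reduce to reconciling an asset inventory against what is actually observed on the network. The script below is an added example and is not Kaseya's or the interviewee's code: it takes a constructed baseline inventory and a constructed discovery-scan result, then reports devices that are not in the inventory, end-of-support devices that are not in an isolated segment, and supported devices whose patch date is older than a chosen threshold. The hostnames, IP addresses, segment names, products and dates are all invented for the example.

```python
"""Asset-inventory reconciliation (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    segment: str                    # network segment / VLAN the device sits in
    product: str
    end_of_support: Optional[date]  # None means the vendor still supports it
    last_patched: date


# Constructed baseline: what the organization believes is on its network.
BASELINE = [
    Asset("fs01", "10.0.1.10", "corp-servers", "Windows Server 2022", None, date(2024, 5, 14)),
    Asset("mri-suite-a", "10.0.9.5", "ot-isolated", "Vendor MRI console", date(2020, 1, 31), date(2019, 11, 2)),
    Asset("ws-acct-07", "10.0.2.71", "corp-users", "Windows 10", None, date(2024, 2, 1)),
    Asset("hvac-ctrl", "10.0.2.200", "corp-users", "Legacy HVAC controller", date(2021, 6, 30), date(2021, 3, 15)),
]

# Constructed discovery-scan output: (hostname, ip) pairs seen on the wire today,
# as a DHCP lease export or switch table dump might provide them.
OBSERVED = [
    ("fs01", "10.0.1.10"),
    ("ws-acct-07", "10.0.2.71"),
    ("hvac-ctrl", "10.0.2.200"),
    ("", "10.0.2.133"),  # answers on the network but has no inventory record
    ("mri-suite-a", "10.0.9.5"),
]

# Segments the organization treats as isolated from the rest of the environment.
ISOLATED_SEGMENTS = {"ot-isolated"}

# Fixed "today" so the example is deterministic.
TODAY = date(2024, 5, 20)


def find_unknown_assets(baseline, observed):
    """IPs seen by discovery that match neither a known hostname nor a known IP."""
    known_hosts = {a.host for a in baseline}
    known_ips = {a.ip for a in baseline}
    return [ip for host, ip in observed
            if host not in known_hosts and ip not in known_ips]


def find_unsupported_not_isolated(baseline, today):
    """End-of-support devices that still sit in a non-isolated segment."""
    return [a.host for a in baseline
            if a.end_of_support is not None
            and a.end_of_support < today
            and a.segment not in ISOLATED_SEGMENTS]


def find_stale_patches(baseline, today, max_age_days=90):
    """Supported devices not patched within max_age_days (unsupported ones are
    handled by the isolation check instead, since they cannot be patched)."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.host for a in baseline
            if a.end_of_support is None and a.last_patched < cutoff]


def reconcile(baseline=BASELINE, observed=OBSERVED, today=TODAY):
    """Run all three checks and return the findings keyed by category."""
    return {
        "unknown_assets": find_unknown_assets(baseline, observed),
        "unsupported_not_isolated": find_unsupported_not_isolated(baseline, today),
        "stale_patches": find_stale_patches(baseline, today),
    }


if __name__ == "__main__":
    for finding, items in reconcile().items():
        print(f"{finding}: {items}")
```

In practice the baseline would come from the CMDB or endpoint-management export and the observed list from whatever discovery source is available; the value of the check is that it runs on a schedule, so a device that appears without a record is surfaced within one cycle rather than remaining an unknown unknown.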
IM: What are the biggest successes that you think the cybersecurity industry is experiencing today?
JM: The biggest success is the fact that people are talking about cybersecurity. If you go back 15 years or even 10 years ago, people weren’t talking about cybersecurity as much as they are now.
We are not just waiting until October [for Cybersecurity Awareness Month] to talk about cybersecurity. I think one of the greatest things is the fact that this is not a once-a-year thing, it’s an everyday thing that we have to take care of.
Every single user, regardless of their knowledge level and experience, has to become what I would call a cybersecurity warrior. They have to learn what they can do to help their institution as well as themselves to become more secure day in and day out, which in the end will help institutions and society to be better protected.
IM: If you could give one piece of advice to fellow cybersecurity leaders, what would it be?
JM: If there’s one piece of advice that I can give to other cybersecurity practitioners, it is to focus on those things that are going to move the needle the most in that moment. Look at those over the next month or three months, find the next biggest needle mover, and then go after that. Continue to do that repeatedly.
After you’ve done that for a year, take a look back at what you’ve accomplished. See if you’re better off with that model than if you had just been head down in tactical work. If the answer is yes, continue to do it over and over again.
I have personally found that approach to be extremely useful in my career, and I know other security leaders who have told me they have found it to be very helpful as well, and oftentimes will look back and be amazed at what they were able to get done in six months or a year’s time.