Regulation, a magical solution?

15-01-2025

Looking for the silver bullet

A basic rule in security is that everything could, and probably will, fail eventually. How to respond to failures should therefore be a standard reflection for security professionals.

Depending on the risk, given the estimated probability and the impact of the failure, the responses to a failure event vary. An incident response plan (IRP) is a must-have for risks above a set threshold.

The above should not come as a surprise and should be part of business as usual in security. An IRP is part of any resilience effort. There is increased pressure to take resilience more seriously, with NIS and especially NIS2 raising the stakes for security.

Here comes the twisted view: regulations will lead to better security. More specifically, regulations with sharp teeth, for instance in the form of personal liability, will force companies to do better. In that sense, regulation is proposed as a silver bullet. This point of view is challenged in this document.

Motivation to react

In the past few weeks, an organization came under fire after an incident. Few details were available, except for a drastic response to the incident: all services and operations were halted. With no data, it is hard to evaluate whether the response was blind panic or justified.

It is easy to start shouting about poor security or the lack of preparation or an incident plan, and to question the risk analysis that missed this type of incident. It is a different story if you are in the hot seat. You get notified about an incident and it looks very bad. The data you get may be correct, the damage reports may be accurate, or not. You must decide on actions, here and now. You have your incident response plans in some state of maturity, yet, as they say, the plan will probably prove incorrect on first contact with a real adversary.

What could one conclude from the drastic decision to shut down most of the organization? The organization takes a serious hit from this decision, made in the interest of the organization and its clients. You do not take such decisions lightly, as there will be consequences. Any blame game is very premature. Wait for the dust to settle.

It's a sign of bad security, NIS(1,2,3,…) to the rescue!

While we know that you should never waste a good incident, premature and uninformed reactions are not OK. Bugs show up in software with clearly defined goals and context. In security, you deal with unexpected behavior driven by malicious intent. Prediction of probabilities will never be perfect, which implies uncertainty in any risk-based approach. That is just the way it is.

Incidents are (ab)used to push security products, security solutions, security frameworks, and also regulations. All of these may reduce the risk of similar incidents happening. None of them are game changers, just building blocks.

It is sad to see the organization attacked as if its security were poor, with the suggestion that NIS2, with its personal liability, would teach these security guys a lesson and prevent such incidents from happening, out of fear.

To paraphrase the post:

We should not react as if this is an inevitable natural phenomenon. Such incidents could have been prevented with proper preparation. And under NIS2 there would have been personal consequences.

We don't need a regulation to react to gross negligence, in due time and based on facts. Assuming that drastic countermeasures indicate such negligence, without providing more evidence, is way out of line, especially when the organization is explicitly named.

Worse, the claim that preparation and liability will prevent incidents, or at least avoid drastic countermeasures, is simply wrong. It is wishful thinking, or a plug for compliance-related services.

You might want to check another blog: regulated or deregulated.

Conclusion

Incidents will happen. Good risk management, built-in resilience and good incident response plans all help to minimize the chances of an incident that results in drastic measures. However, drastic measures must also be planned for; it may come to that.

What the security community should never do is jump to conclusions without facts, or claim that some magical solution will stop all major incidents.

Risk management will guide our investments, and yes, unlikely but possible major incidents will occur. Then you review your risk analysis and adapt your countermeasures, but only if necessary.