I spent last Tuesday (17APR2012) taking orientation training at the State Emergency Operations Center (SEOC), a facility operated by the Washington State Military Department, Emergency Management Division. WA SEOC is a fully realized, extremely robust EOC with full authority to fulfill disaster and emergency coordination at the state level. The training was designed to orient attendees to serving or assisting when the EOC is activated during emergencies and disasters.
I was, as I have been during past EOC training or drills I've attended, drawn to the immediate parallels between EOC activity and mature security incident response programs.
Anyone who participates in or serves in a security incident response/management role has likely had the grave displeasure of being part of incident response gone bad. You know the event; it's seared into your memory. No incident command, no structure, everyone running around with their hair on fire, endless FUD and speculation, broken communication streams, and more damage being done than good. I, for one, cannot and will not tolerate events unfolding in this manner, and am always thrilled when I see training and robust processes take over during major events.
EOCs are designed to do this right at a scale few of us can imagine or fathom.
It's one thing to lead your organization through a server compromise or a DDoS attack.
It's quite another to do so where the lives of citizens and millions of dollars of property are in the mix. Life and death decisions change your perspective.
All of which is a long way of getting to the point: there is much to be learned and utilized from the incident management structure utilized by EOCs as it pertains to information security incident response and management.
I'm a huge proponent of everything in its place, a place for everything during incidents. Everyone should know their role, what swim lane they should be in, and how to garner the assistance and support they may need.
In an EOC you'll note that seating is arranged in pods. These pods each pertain to an ESF or Emergency Support Function. Such functions include communications (ESF 2), logistics (ESF 7), public safety and security (ESF 13), external affairs (ESF 15), and defense support to civil authorities (ESF 20).
Washington State EOC
Not every ESF has a direct match to a role during an information security incident or major event - hopefully you won't need housing, public health, or search and rescue functions (we lost Bobby in the data center!) - but allow me to strengthen my claims to correlation.
The ESF 2 function includes protection, restoration, and sustainment of national cyber and information technology resources. Check, that sounds like an incident response analyst and/or manager.
ESF 7 includes logistics planning, management, and sustainment capability as well as resource support. Ever try to muddle through a major information security incident without your operations teams at the ready to perform systems and network functions?
ESF 13 includes security planning and technical resource assistance along with resource security. Roger that, I see a mitigations working group in the making here, yes?
ESF 15 provides protective action guidance as well as media and community relations. Indeed. Sounds like the all-important information security advisory (patch now, avoid website x) or the pressing need for a good PR response when your high-traffic website was defaced.
ESF 20 offers guidance to officials on the coordination of military resources in support of operations during response and recovery. Ack. Subject matter expertise, vulnerability assessment post-mitigation and remediation, after action reports (lessons learned), and defensive tactics oversight.
You get my point. Having a well-defined, practiced (drill, drill, drill!) incident management system that springs into action like a well-oiled machine is of extraordinary value during major information security incidents.
Following are some resources for you to consider.
Check out FEMA's National Incident Management System (NIMS). You can take NIMS training online via FEMA's Emergency Management Institute. I suggest starting with IS-100.b Introduction to Incident Command System, IS-200.b ICS for Single Resources and Initial Action Incidents, and IS-700.a National Incident Management System (NIMS) An Introduction. I've taken these, as well as four other ISP courses as part of requirements for the Military Emergency Management Specialist (MEMS) Basic level and continue to see content matches to my role in security incident management. Also familiarize yourself with the National Response Framework.
If you've noted similar relationships with emergency management practices and information security response and incident management, feel free to share with the readership via the comments form along with any questions you may have.
Russ McRee | @holisticinfosec
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.