Demisto Open Standard for Sharing Response Plans Aims to Mitigate Effects of Cyberattacks
Demisto recently announced the creation of a cyber threat playbook standard intended to make it easier for organizations and businesses to share incident response procedures. The Collaborative Open Playbook Standard (COPS) is designed to fill a void where there has previously been little or no sharing of expertise on responding to cyberattacks.
There seems to be a growing sense of urgency in general about the importance of having a computer security incident response plan (CSIRP) in preparation for a cyberattack. The U.S. government recently released an emergency response manual for cyberattacks. It includes a six-level scale from zero to five, with level five indicating an attack of the highest severity. The guide also spells out which agencies will handle the different areas behind each attack.
Data from a Ponemon study last September suggests that Demisto’s concerns are well-founded. A total of 600 IT and security execs were asked about how resilient their organizations would be in the event of a cyberattack. Only 32 percent of those surveyed felt that they could recover from an attack and only 17 percent had created a CSIRP. A significant majority felt that they lacked the capability to prevent attacks.
The creation of COPS makes it easier for businesses and organizations to create and share their plans in a totally open YAML format that basically amounts to an outline in a text file. Such a format can easily be converted to other document and data formats.
One example of a playbook outlines the response procedure for a phishing incident. It can be traversed much like a flowchart containing several yes/no branches. There are procedures for dealing with emails that appear to be attacks but aren’t (false positives), and additional steps for incidents that are not ruled out as attacks in this or any other manner.
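To make the flowchart idea concrete, here is an added example (not Demisto's code, and not the real COPS schema) of a small phishing playbook held in the in-memory form of a YAML outline, a walker that follows the yes/no branches, and a conversion to a plain text outline. The task ids, names and the field layout (`start`, `tasks`, `type`, `next`) are assumptions made for this illustration.

```python
"""Walk a flowchart-style incident-response playbook.

Hypothetical schema (an assumption for this example, not the actual COPS
schema): a playbook is a dict with a start task id and a table of tasks.
Each task has a name, a type ('action' or 'condition'), and 'next', which
is a single task id (actions), a {'yes': id, 'no': id} map (conditions),
or None to end the run.
"""

# Constructed sample playbook for a reported phishing email, modelled on the
# yes/no flowchart the article describes. This is the in-memory form of the
# YAML outline; ids and names are invented for illustration.
PHISHING_PLAYBOOK = {
    "name": "Phishing report",
    "start": "collect",
    "tasks": {
        "collect": {"name": "Collect the reported email and its headers",
                    "type": "action", "next": "is_malicious"},
        "is_malicious": {"name": "Are the URLs or attachments malicious?",
                         "type": "condition",
                         "next": {"yes": "contain", "no": "false_positive"}},
        "false_positive": {"name": "Close as false positive and notify reporter",
                           "type": "action", "next": None},
        "contain": {"name": "Block sender and indicators at the mail gateway",
                    "type": "action", "next": "others_received"},
        "others_received": {"name": "Did other mailboxes receive it?",
                            "type": "condition",
                            "next": {"yes": "purge", "no": "close"}},
        "purge": {"name": "Purge the message from affected mailboxes",
                  "type": "action", "next": "close"},
        "close": {"name": "Document the incident and close",
                  "type": "action", "next": None},
    },
}


def run_playbook(playbook, answers, max_steps=100):
    """Return the ordered list of task ids executed.

    `answers` maps each condition task id to 'yes' or 'no'. A missing or
    invalid answer, a dangling task reference, or a loop raises instead of
    silently producing a partial response.
    """
    tasks = playbook["tasks"]
    current = playbook["start"]
    executed = []
    while current is not None:
        if current not in tasks:
            raise KeyError(f"playbook references unknown task {current!r}")
        if current in executed:
            raise RuntimeError(f"loop detected at task {current!r}")
        if len(executed) >= max_steps:
            raise RuntimeError("playbook exceeded max_steps")
        task = tasks[current]
        executed.append(current)
        if task["type"] == "condition":
            answer = answers.get(current)
            if answer not in task["next"]:
                raise ValueError(f"no valid answer for condition {current!r}")
            current = task["next"][answer]
        else:
            current = task["next"]
    return executed


def render_outline(playbook):
    """Render the playbook as an indented text outline, one line per task:
    the kind of conversion a text-based format makes trivial."""
    lines = [playbook["name"]]
    for task_id, task in playbook["tasks"].items():
        if task["type"] == "condition":
            branches = ", ".join(f"{k} -> {v}" for k, v in task["next"].items())
            lines.append(f"  [{task_id}] {task['name']} ({branches})")
        else:
            lines.append(f"  [{task_id}] {task['name']} -> {task['next'] or 'end'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_outline(PHISHING_PLAYBOOK))
    # A benign report: ruled out as an attack, closed as a false positive.
    print(run_playbook(PHISHING_PLAYBOOK, {"is_malicious": "no"}))
    # A real phish that reached several mailboxes.
    print(run_playbook(PHISHING_PLAYBOOK,
                       {"is_malicious": "yes", "others_received": "yes"}))
```

The walker refuses to run a playbook whose conditions have not been answered, which is the behaviour you want from tooling that executes a shared plan: an incomplete response should fail loudly rather than stop partway and look finished.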
The old adage that knowledge is half the battle certainly applies to CSIRPs. You can’t begin to respond appropriately to cyberattacks without awareness of their causes and effects, and one of the encouraging findings from the aforementioned Ponemon study is that 91 percent of respondents said cyber resilience is essential to protecting intellectual property and regulatory compliance.
While that is a good start, it is time to win the remaining half of the cyberattack battle. There is a lot more at stake than businesses losing money, being sued, or being fined, although those are certainly situations businesses should make every effort to avoid. The bigger problem is national security. The next big attack may not be from a terrorist in a heavily populated area, but rather a complete economic and societal breakdown initiated in cyberspace.
Fortunately, the U.S. government and companies like Demisto are attempting to do something concrete to limit the effects of widespread cyberattacks. Hopefully the private and public sectors can reach an agreement on procedures and standardize them before it’s too late.
Edited by Peter Bernstein