At one point or another, most security resellers will get "the call" from an otherwise gruff and obstinate client desperately seeking help with a security incident. Providing incident response services
Remember how hard it is to pick up the phone in the middle of a crisis and ask for help. If a client calls you for help with a security incident, they know how serious it is. The client understands their job is at stake and is looking to you to resolve their issue.
The problem is that most security professionals (your clients) work at the church of "what have you done for me lately." Their senior executives don't really understand what the security folks do, with the exception that they realize they spend a lot of money on security. Basically, your clients are only as good as their last incident, even if they have years of exemplary performance. The reality is that your customer's job security is dependent on how they handle the incident.
The good news is that as a VAR, you are in a great position to help the client before, during and after a security incident. By taking a long-term view and accepting the inevitability of an incident, you can position the client to react faster and effectively to contain the damage of an incident, as well as communicate the issues to their senior management. Ultimately you can make sure the client lives to fight another day and buy additional products and services from you for years to come. Sounds like a win-win situation to me.
Here's a five-step program for you to both do yourself and work with your client on to ensure efficient and effective security incident response.
Step 1: Have your own house in order
First and foremost, you need to lead by example by having a documented and well-practiced security incident response plan in use within your business. As a model citizen, you can relay your experience directly to the customer. Having a generic template for an incident response plan is also a good thing to have to kick-start the customer's efforts. Finally, you can make a shekel or two by structuring an engagement to help the customer build out their incident response plan and process. Doing well by doing good (for the customer) – it doesn't get much better than that.
Step 2: Practice the plan quarterly with the customer
Practice makes perfect, so as part of your engagement, you should simulate incidents and practice the incident response plan with the customer. The last thing you want to find out during an incident is that the plan you helped develop stinks. Make sure the response is scripted out and practiced. It will pay dividends for you and the customer for years to come.
Step 3: Develop some simple security forensics capabilities
Security forensics is a highly specialized field. For significant incidents, it's best to bring in the experts. That being said, you can learn some simple things to add value and accelerate the security incident response process. If only to accelerate the containment of the damage, you need to do some simple analysis.
Take some security forensics courses and learn enough to be dangerous. Learn evidentiary requirements and chain of custody rules. Practice your trade, go to shows like Black Hat and DEFCON to learn from your peers and give customers the sense that you can help them immediately. Your clear head and confidence is the intangible that can help the customer get through the crisis.
Step 4: Know whom to call
You also need to get to know some security forensics experts who will take your call when a security incident goes down for real. You can't predict when incidents will happen and world-class forensics folks are in high demand. You don't want to cold call their office when your customer's hair is on fire.
It's also a good idea to get to know the local law enforcement staffers that specialize in cybercrime. These folks may be local or with the FBI or Secret Service. Take them out to lunch, get involved in InfraGard and other groups. These folks can also help in a pinch and you want them to be familiar with you.
Step 5: Work with the customer on the post-mortem
Lastly, don't miss out on the opportunity to help the customer understand what happened and put in place safeguards to make sure it doesn't happen again. Those that forget history are doomed to repeat it, so make sure you don't skip the post-mortem. There is a tremendous amount you can learn by candidly assessing a security incident and the incident response plan.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
This was first published in September 2007