Cyber incident response platform – what's the key to its simplicity?

A safe space for post-breach communications

By Mark Hollmer

With cyber protection, technology isn’t the most important part of the equation. It’s the human monitoring and communication when incidents happen that can make all the difference, according to Rafael (Raf) Sanchez, Beazley’s global head of cyber services.

Beazley’s new online incident response platform for US cyber policyholders takes those ideas into account, he said.

“Cyber incident response is such an emotive and risky moment for an organization,” Sanchez said. “We are cautious about what technologies we suggest and at that moment [of a response] we are relying on humans to provide that information.”

The new platform, announced at the end of May, is designed to provide a central location to monitor and manage incidents. Importantly, it also centralizes communications between the policyholder, Beazley and specialist service providers. Beazley is a global specialist insurer.

The platform is both created and hosted by a third-party provider named CYGNVS (pronounced “Cygnus”), a San Francisco-based start-up in stealth mode whose service runs on Amazon’s cloud platform. It’s industry agnostic, which means it can be used in various industries at multiple levels.

“It’s essentially a secure communications platform that could be used for any number of utilities by organizations, but we, specifically at Beazley, have realized its utility for incident response,” Sanchez said. The reason, he added, is communication.

“One of the key issues we come across when we are dealing with cyber incidents is communication, whether it’s a lack of communication, incomplete communication, too much communication, inappropriate methods of communication [or] lack of oversight of communication,” Sanchez said. “What happens during a crisis is that carefully crafted incident response plan that was written up by a lawyer or an information security professional sitting at a desk – thinking rationally – is not followed.”

Sanchez pointed out that when a cyber incident hits, people start communicating in multiple ways, such as iMessage or WhatsApp. Those methods of communication are often not in the incident response plan and not listed as critical applications, and they may not even be installed on the devices that are needed by the people conducting those communications.

The potential problems cascade beyond that, he said.

“Usually after the incident, when it comes to regulators, auditors, debriefs, senior management reports, board reports, the task of actually accumulating and correlating what happened when producing an after-action [cyber incident] report is almost impossible,” Sanchez explained.

Beazley’s intent is that the incident response platform avoids all those problems.

“This essentially is a [safe] portal for all important communications about an incident,” Sanchez said.

Safe spaces and the cloud

Having a cloud-based platform for cyber incident communications offers a safe space when all other communication options are in question.

“In many incidents there is doubt over the security of the insured’s own security infrastructure,” Sanchez said.

For example, in a ransomware attack, the threat actor may have compromised multiple systems. That means at the beginning of an incident when critical information needs to be shared, the threat actor could already have access to a company’s email platform or other communications systems.

“We have seen threat actors essentially looking over the shoulder of incident response teams because they have access to platforms that they use to authenticate their internal communications,” Sanchez explained. “In this new environment, which is [established] specifically for incident [response], we can guarantee the security and confidentiality of communications.”

Beyond that, he said, an incident response platform addresses accountability from all parties.

“There is one place to find the trail of communications, and more importantly, the decisions that were taken during the incidents,” Sanchez said. “There’s multiple uses, but confidentiality and security of data is an important first one that we look at, really, in the first few critical days.”

Typical users of the platform might be the insurance carrier, the broker, the insured, experts that advise them, security investigators and digital forensics specialists. Crisis public relations could also be involved, with the idea of keeping every stakeholder communicating in one place.

“It’s a platform where the management of the incident can occur,” Sanchez said.

Low tech for now

For now, Sanchez said, Beazley is starting the platform focused on central communications, allowing people to communicate and exchange documents and other information.

Other technologies might emerge in the future, and Sanchez explained that CYGNVS continues to get feedback from the specialist insurer.

In other words, there is no automation or machine learning just yet.

“We do our best to try and show our insureds that our interests are 100% aligned with this,” Sanchez explained. “We put our money on the line, and we are only going to recommend technologies that prevent [clients] from having an incident because that is 100% aligned to our ability to make a profit.”

He added: “We are not trying to sell you seats for a software platform.”
