3 Reasons It’s a Mistake to Use IT & SRE Software for Cybersecurity Incident Response

Ticketing and service management tools do more than fall down on the job: they can actually harm your business


Incident management is an area of information technology service management (ITSM), and the main goal of software in this area, such as Jira, ServiceNow, and Remedy, is to quickly and effectively resolve incidents within agreed-to timeframes in order to minimize the impact on the organization. These information technology and site reliability engineering (SRE) incident management systems were built initially to manage and respond to technology and engineering incidents. These range from technical issues with hardware and software to problems in cloud environments, service interruptions, and trouble with company equipment and office networks.

In some cases, however, teams are using them to deal with security breaches and data loss. That’s like using an everyday dinner knife to try to cut a steak. Here’s why that’s a bad idea.


Background

First, though, what is ITSM? Information technology service management is a systematic approach to managing the delivery of IT services in an organization. It involves the design, planning, delivery, and support of IT services that meet the needs of the business. The goal of ITSM is to ensure that IT services are aligned with the business needs of the organization, and to improve the efficiency and effectiveness of IT service delivery. ITSM frameworks, such as the Information Technology Infrastructure Library (ITIL), provide a set of best practices and guidelines for implementing and managing IT services in a consistent and standardized way.

As a key process area within ITSM, incident management focuses on the timely resolution of IT service disruptions. When an IT service disruption occurs, it is important to quickly identify the problem, assess the impact on the business, and take the necessary steps to restore the service as soon as possible. The incident management process is responsible for coordinating the resolution of incidents and minimizing their impact on the business. This involves identifying the root cause of the incident, implementing a fix or workaround, and monitoring the resolution to ensure that the service has been restored to full functionality. It is also important to document the incident and the actions taken to resolve it, in order to continuously improve the incident management process and prevent future incidents.

Some examples of the most well-known ITSM incident management systems include:

  1. Atlassian Jira: Jira is a very popular issue tracking and project management tool that is frequently used for both IT incident management and engineering operations.
  2. ServiceNow: This is a cloud-based platform with a range of offerings, including incident management.
  3. BMC Remedy: This is a well-known enterprise IT service management platform that includes incident management capabilities.

There are a variety of others that appear to have a security spin but in reality still maintain an IT, engineering, or SRE focus.

Organizations use these systems for incident management and response for a variety of reasons. First and foremost, they’re already using them for other types of incidents, so it seems natural. Second, the technical teams involved in incident response are typically already users of these systems, so it’s easy for them to continue to communicate and operate within them. And clearly, given the description of incident management above, there’s a mindset that cybersecurity incidents fit into the mandate of these systems. All that said, organizations using IT incident management systems for cybersecurity are making a terrible mistake.

Security Incident Response & the Risks of ITSM

How did we get here? Teams simply default to these systems for cybersecurity and privacy incident response. These ITSM tools are general purpose, focus on issue tracking and project management, and are not specifically designed for security incident response. While it may be possible to use them for responding to cybersecurity incidents, they lack critical features necessary for a successful response and in many ways can actually harm your business if you use them.

First, these systems lack the necessary procedures and guidelines for handling cybersecurity incidents. Cybersecurity incident response requires a specific set of steps and processes to be followed in order to effectively contain and mitigate the incident, and these steps vary depending on the type of incident. Regulatory, contractual, and cyber insurance requirements are also a key and demanding part of security and privacy incidents. Further, teams need to ensure that incidents are properly documented and reported. General purpose tools like Jira and the others have none of these procedures built in, making it impossible for teams to stay current with and follow best practices for incident response.

For example, imagine an incident in which Customer A’s critical proprietary and confidential data, including details about key intellectual property, is accidentally emailed to Customer B, a competitor of theirs. This is a privacy incident, since it is an improper disclosure of that confidential information. In an ITSM incident management tool, you can open a ticket, but what do you actually do? With these tools, you’re left relying on your own expertise or that of your teammates from there. You can hope there’s a past ticket that can serve as an example of what to do, and hope that the procedures taken in it were correct and are still current, but that’s unlikely given how rapidly privacy requirements are changing around the world and that neither these systems nor the teams using them are focused on tracking their evolution.

Second, you need to work with other parts of your business. Continuing this example, you need to work with your legal or privacy team. Unfortunately, IT incident management systems like ServiceNow and the others are aimed at the highly technical user. As such, they easily overwhelm people in the business who don’t have that background. They come across as complex and as requiring a steep learning curve, which usually means the non-technical teams that are critical to incident response fall back to phone calls and conference bridges, or worse, to email and chat systems that leave a trail of conversations that can be a detriment to the business.

So in our example situation, you end up trying to add the privacy and legal team to the ticket, but they’ve likely never logged in or don’t even have an account, so they end up calling you. The things they ask for are likely not captured effectively in the ticket, because one or more conversations take place and you’re left trying to figure out exactly what to put into it.

At this point, you’re also documenting things that might come back to haunt you. Cybersecurity incidents often involve sensitive and confidential information, and it’s important to ensure that any communication related to the incident is protected by legal privilege. This can help to prevent the disclosure of sensitive information during legal proceedings, and can provide a measure of legal protection for those involved in the incident response. Remedy and these other tools do not provide this level of protection, and given court cases over the last couple of years, the use of a general purpose business tool will likely prevent your organization from establishing legal privilege and protecting those conversations.

Imagine in our example scenario that the ticket flow between IT and Security notes that the data was sent erroneously by a customer support representative who has a history of doing this. Further, the Security team notes they were supposed to train this CSR after the last two occurrences but failed to do so. Because the ticketing system is also used for other purposes, that fact will very likely end up in the factual record if the company were taken to court over the disclosure, and the fact that Security fell down on the job will leave the company squarely in the losing position.

Finally, these tools may not be implemented with the security controls and safeguards needed to protect against cyber threats specifically targeting them. Cybersecurity incident response often involves the compromise of operational networks and systems in the business, of which the ticketing systems are a part. Further, many of these tools have a wide variety of users across multiple teams, which in a cybersecurity incident can be a detriment to protecting the response (and damages legal privilege further). If an attacker can see what you’re planning and how you’re responding, they can easily adjust their attack to counteract those activities.

Outlook

While ITSM incident management tools like these and many others can be useful for managing IT and engineering services, they are not suitable for handling cybersecurity incident response. The good news is that awareness of this challenge is growing, to the point that auditors of security compliance frameworks are beginning to look for more than ITSM incident management tools can offer. Given all that, organizations should consider using dedicated security tools and platforms for this purpose that provide the key steps to take when incidents occur, in order to effectively respond to cyber threats while ensuring the necessary legal protections are in place.
