fpdress - Fotolia
Industry’s first mobile Cyber Tactical Operation Center (C-TOC) has arrived in London on the first leg of a European tour, including the Republic of Ireland, the Netherlands, Switzerland, Germany and France.
IBM modelled the C-TOC on the mobile command centres used by the military and designed it to run a full corporate environment, including a 100TB datacentre with a solid-state disk array, to conduct immersive breach response training exercises and function as an on-site cyber watch floor for public events and cyber investigations.
The C-TOC, which took 18 months to design and build, can be deployed nearly anywhere, with self-sustaining power, satellite and cellular communications, providing a sterile and resilient network.
The C-TOC aboard an 18-wheel, heavy-duty truck was developed as part of IBM’s mission to improve cyber security response, training and preparedness for organisations around the world, and forms part of a £155m investment IBM made in 2016 in incident response.
As a training facility, the unit is capable of delivering high-pressure cyber attack simulations using the most up-to-date technology to give organisations first-hand experience of the challenges that will face them when they come under cyber attack as well as the opportunity to practice and improve their response capability as a team.
The C-TOC is an evolution of IBM Security’s training and preparedness offering in Cambridge, Massachusetts, and is intended to address surging demand for incident response training globally, according to Caleb Barlow, vice-president of IBM Security, XForce Threat Intelligence.
“The new ‘bring it to you’ model for cyber security training is critical to reach a wide variety of organisations and stakeholders, from technical teams to the C-suite, to teach them how to respond to a cyber security incident,” he said.
Practice and rehearsal
The C-TOC is designed to bring to life what it feels like to live through a cyber attack because, according to Barlow, experience shows that learning cyber incident response requires practice and rehearsal “to the point that it is muscle memory” in much the same way athletes become the best at what they do.
“This is essential because cyber defenders are up against a human adversary and they have to learn to make decisions faster because that is the only way they are going to win, and the only way to do that is to practice and rehearse ahead of an incident,” he said.
Most organisations typically invest in detecting attacks and defending networks, but experience has shown, said Barlow, that it is equally important for companies to learn how to be resilient after a breach has occurred so they can get the business up and running as quickly as possible.
“Because we can make our simulations so real, we are able to separate what works from what doesn’t,” he said, adding that the importance of speed in incident response is shown by a study done with the Ponemon Institute that shows incidents that take longer than 30 days to contain, typically cost nearly £790,000 more than those contained within 30 days.
Another Ponemon Institute study shows that having an incident response team in place is one of the largest cost-saving factors in the cost of a breach, yet less than 25% of professionals surveyed globally say their company has a coordinated incident response plan applied across the organisation.
“This is one of the biggest issues of our time, yet only a quarter of companies have a plan, let alone practice and rehearse it,” said Barlow.
Read more about incident response
- Making the most of incident detection and response.
- Ensure incident response in the face of inevitable messaging leaks.
- Crafting a cyber security incident response plan, step by step.
- High-performing UK companies with a high level of cyber security maturity are leading in cyber resiliency, but most have to work on operationalising incident response plans.
Nick Coleman, global head of cyber security intelligence at IBM, who is based in the UK, said that according to the government’s 2018 cyber breaches survey, the proportion of companies that have incident management processes in place is below that global average at just 13%.
“This is despite the fact 75% of UK firms polled said cyber security was an important issue and 43% said that they had experienced a cyber attack,” he said, adding that there appears to be a real need for the C-TOC experience to help companies understand exactly what they are up against.
Nick Coleman, IBM
“Within hours, organisations under attack have to find the pattern,” said Coleman. “They have to understand if it hits the threshold of needing to report to regulatory authorities, while at the same time responding to the issue and dealing with customers and the media.
“This is where it becomes a management issue of leadership and command as well as balancing the business with the technical. Managing the business with what is technically available, can be one of the biggest challenges.”
During the European tour, Coleman said real-world organisations like NHS Digital, Oxford University and some financial services information sharing and analysis centres – FS Isacs – will have the opportunity to experience how they can help their organisations and communities.
Running through an attack simulation, Benjamin Poernomo, C-TOC chief of operations, said one of the main aims is to teach people to move into an incident command structure, a concept built out of the fire service that ensures there is always someone in command so that decision making is never halted.
“The other purpose of bombarding participants with information requiring decisions under pressure is to flood people’s brains with the fight or flight hormone cortisol so they understand that the only way to make good decisions under pressure is if they have practices and rehearsed established run books or procedures,” he said.
A well-executed plan
In closing, Poernomo said one of the main reasons Danish shipping and transport giant AP Møller-Maersk was able to recover reasonably quickly from the 2017 WannaCry attack was that they had a good plan and executed it well.
“We are passionate about putting teams through their worst day, but then showing them how they can win,” he said.