Preserving a safe environment for IBM customer data is IBM's highest priority. To protect customer data, IBM runs an industry-leading information security operation that combines rigorous processes, a world-class team, and a multi-layered information security and privacy infrastructure. This document focuses on IBM's principled approach to handling and responding to data incidents for IBM Cloud.

Incident response is a key aspect of IBM's overall security and privacy program. IBM has a robust process for managing data incidents. At IBM, a data incident is defined as a breach of IBM's security leading to the accidental damage, modification, or unauthorized disclosure of customer data on systems managed by or controlled by IBM.

While IBM takes steps to address foreseeable threats to data and systems, data incidents do not include unsuccessful attempts or activities that do not breach the security of customer data, including failed login attempts, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

Prior to the preparation of this plan, IBM's management acknowledged that a service disruption can lead to business and financial loss; they therefore understand the importance of the measures to be taken, and a team has been formed whose structure is provided in the plan. An important aspect of maintaining this plan is periodic updates and training for the people concerned, and the plan must remain part of IT and business operations. The plan is not a one-time effort: it must be revised, and a revision log must be maintained.

2. IR planning committee

IBM's incident response plan is managed by teams of expert incident responders across specialist functions to ensure each response is tailored to the challenges presented by each incident. Depending on the nature of the incident, the professional response team can include:
- Cloud incident management
- Product engineering
- Digital forensics
- Global investigations
- Site reliability engineering
- Cloud security and privacy
- Signals detection
- Security, privacy, and product counsel
- Customer support

3. Incident Response Planning Team (IRPT)

When IBM declares an incident, it appoints an incident commander who coordinates incident response and resolution. The incident commander selects specialists from different teams and forms a response team. The incident commander assigns responsibility for managing different aspects of the incident to these professionals and manages the incident from the moment of declaration to closure.

3.1. Incident Response Team Roles and Responsibilities

The responsibilities of the main members of the Incident Response Plan team are detailed here.

Incident commander (Information Security Office): Coordinates incident response and, when needed. The incident commander holds the top-level state about the incident, structures the incident response task force, assigns responsibilities according to need and priority, and holds all positions that have not been delegated.

Operations commander: The Ops lead works with the incident commander to respond to the incident by applying operational tools to the task at hand. The operations team should be the only group modifying the system during an incident.

Communication commander: The public face of the incident response task force. Their duties include issuing periodic updates to the incident response team and stakeholders (usually via email), and may extend to tasks such as keeping the incident document accurate and up to date.

Digital forensics team: Detects ongoing attacks and performs forensic investigations.

Product engineers: Work to limit the impact on customers and provide solutions to fix the affected product(s).

Legal team: Works with members of the appropriate security and privacy team to implement IBM's strategy on evidence collection, engage with law enforcement and government regulators, and advise on legal issues and requirements.

Support personnel: Respond to customer inquiries and requests for additional information and assistance.

4. IRPT organization and structure diagram

The figure below shows the organization of the various roles and their responsibilities during incident response. The responsibilities of each member are described above.

5. Computer Security Incident Response Team (CSIRT)

The IBM CSIRT is the core team responsible for managing IT security incidents and handling their impact in the organization. Forming the proper team and identifying roles and responsibilities is important. IT security professionals may fill several roles on this team. The structure of IBM's CSIRT team is detailed below, focusing on the core and internal team members.

Team member: Responsibility

CSIRT Team Leader: The person responsible for organizing and directing the CSIRT. Typical duties center on managing incident response processes, but also on updating policies and procedures to deal with future incidents. This person should have a firm grasp of IT security and risk management.

Incident Lead: The person designated to coordinate responses to IT security incidents. There may be more than one Incident Lead depending on incident types and levels of expertise. This person should be well versed in IT security and the particular type of IT equipment on which incidents may occur (i.e. servers, networks, firewalls, data archives, etc.). All information about incidents must pass through this person before it leaves the team and is passed on to the organization or the public.

IT Advisory Team: Consists of lay volunteers with knowledgeable and current experience and skills in Information Technology (IT) management, risk management, the current IT security landscape, and, specifically, PCI DSS incident response requirements.

Financial Services: Fulfills the role of budget monitoring and insurance liaison. This includes understanding the cyber insurance policy, insurance requirements for a suspected or confirmed cyber incident, understanding the claims aspects of the policy, managing the outflow of retentions, monitoring the cost aspects of the incident, filing claims, and, post-incident, evaluating policy coverage for the remaining period.

CSIRT Support Members: Several support members make up the CSIRT team that IBM includes: IT contact, management representative, legal representative, and public communications.

IT Contact: A member of IBM's IT staff who is familiar with IBM's IT infrastructure. Several members focusing on different disciplines may be asked to participate if a single multi-disciplined member is not sufficient.

Management Representative: The IBM team has a representative from the organization's management team. This member is the interface to the management staff and should convey concerns and ideas to and from the team. Management involvement is essential when dealing with incidents that can gravely affect the financial or operational status of the organization.

Legal Representation: IBM always has a legal representative on the team. Legal ramifications and procedures against individuals that may have caused an IT security incident may need to be dealt with.

Public Relations/Communications: Maintaining a good customer relationship is always a good idea in a crisis, and communicating the details of security incidents and how they are handled can save business relationships.

7. Incident Response plan

Every data incident is unique, and the goal of the data incident response process is to protect customers' data, restore normal service as quickly as possible, and meet both regulatory and contractual compliance requirements. IBM's incident response program has the following process:

7.1. Incident Detection & Identification

Early identification of incidents is key to effective incident management. The focus of this step is to monitor security events to detect and report on potential data incidents. IBM's incident detection team incorporates tools, signals, and alert mechanisms that provide early indication of possible incidents. IBM's sources of incident detection include:

Incident analysis resource: Description

Automated system logs analysis: Automated analysis of network traffic and system access helps identify suspicious, abusive, or unauthorized activity and report it to IBM's security staff.
Product-specific tooling and processes: Automated tooling specific to the team function is applied wherever possible to enhance Google's ability to detect incidents at product level.
Testing: IBM's security team actively tests for security threats using penetration tests, quality assurance (QA) measures, intrusion detection, and software security reviews.
Internal code reviews: Source code review discovers hidden vulnerabilities and design flaws.
Anomaly detection: IBM applies many layers of machine learning systems to distinguish between safe and anomalous user activity across browsers, application logins, and other events.
Data center and/or workplace services security alerts: Security alerts in data centers test for incidents that might affect the company's infrastructure.
IBM's vulnerability award program: Possible technical vulnerabilities in IBM-owned browser, mobile, and web applications that affect the integrity of user data are sometimes reported by external security researchers.

7.2. Incident Handling Priority

High:
- Urgent report, such as phishing
- Incident still active
- Have to coordinate with another organization

Middle:
- Not an urgent report
- Incident not active
- Will coordinate with another organization

Low:
- Just a technical question to answer
- Just an FYI to forward
- Others

7.3. Incident Handling Classification

Information Gathering
- Scanning: Attacks that send requests to a system to discover weak points.
- Sniffing: Observing and recording network traffic (wiretapping).
- Social Engineering: Gathering information from a human being in a non-technical way.

Intrusion Attempts
- Exploiting Known Vulnerabilities: An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as a CVE name (e.g. buffer overflow, backdoors, cross-site scripting, etc.).
- Login Attempts: Multiple login attempts (guessing or cracking passwords, brute force).
- New Attack Signature: An attempt using an unknown exploit.

7.4. Coordination

When an incident is reported, the on-call responder reviews and evaluates the nature of the incident report to determine whether it represents a potential data incident and initiates IBM's Incident Response Process. Once confirmed, the incident is handed over to an incident commander who assesses the nature of the incident and implements a coordinated approach to the response. At this stage, the response includes completing the triage assessment of the incident, adjusting its severity if required, and activating the required incident response team with appropriate operational/technical leads who review the facts and identify key areas that require investigation.

7.5. Resolution

At this stage, the focus is on investigating the root cause, limiting the impact of the incident, addressing immediate security risks, implementing necessary fixes as part of remediation, and recovering affected systems, data, and services.

A key aspect of remediation is informing customers when incidents impact their data. Key facts are evaluated throughout the incident to determine whether the incident affected customers' data. If notifying customers is appropriate, the incident commander initiates the notification process. The communications lead develops a communication plan with input from the product and legal leads, informs those affected, and supports customer requests after notification with the help of our support team.

7.6. Closure

After the successful resolution of a data incident, the incident response team evaluates the lessons learned from the incident. When the incident raises critical issues, the incident commander may initiate a post-mortem analysis. During this process, the incident response team reviews the cause(s) of the incident and IBM's response and identifies key areas for improvement. In some cases, this may require discussions with different product, engineering, and operations teams and product enhancement work.

7.7. Continuous improvement

The actionable insights from incident analysis enable us to enhance our tools, training and processes, IBM's overall security and privacy data protection program, security policies, and/or response efforts. The key learnings also facilitate prioritization of engineering efforts and the building of better products.

IBM's security and privacy professionals enhance the security program by reviewing the company's security plans for all networks, systems, and services and provide project-specific consulting services to product and engineering teams. They deploy machine learning, data analysis, and other novel techniques to monitor for suspicious activity on IBM's networks, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct regular security assessments. Additionally, our full-time team, known as Project Zero, aims to prevent targeted attacks by reporting bugs to software vendors and filing them in an external database.

7.8. IBM examples of incident-handling procedures

7.8.1. IBM Cloud Data Storage Failure

Attack type: Data server unauthorized access
Trigger: Notification from user to helpdesk about data storage failure
Reaction: Isolate data server and shut down server
Force and lead:
Notification method: E-mail / SMS
Response time: 10-15 minutes

Actions during incident
1- Inform customers when the incident impacts their data
2- Evaluate key facts throughout the incident to determine whether the incident affected customers' data

Incident is ended when:
1- The data server is recovered
2- Identification and restoration of lost or corrupted data is complete

Actions after incident
1- Perform data storage cloning
2- Notify the user that the incident is resolved
3- Recommend that users perform regular data backups

After-incident actions are ended when:
1- All key players have reviewed their actions and the IR plan has been updated

Actions before the incident
1- The incident response team evaluates the lessons learned from the incident.
2- When the incident raises critical issues, the incident commander may initiate a post-mortem analysis.
3- Set a rule to back up data 3 times annually or every time after an incident

7.8.2. IBM User Credential Data Attack

Attack type: User login violation
Trigger: Notification from user to helpdesk about credential login data
Reaction: Reject login attempt with user's account
Force and lead: Leader: IBM Data Access Control
Notification method: E-mail
Response time: 20-30 minutes

Actions during incident
1- Notify users about the account violation
2- Look for traces of unauthorized access in the logs

Incident is ended when:
1- The user account and login are recovered
2- A new password and privileges are created for the user account

Actions after incident
1- Update the anti-virus to quarantine
2- Update the firewall
3- Recommend that users change their passwords regularly

After-incident actions are ended when:
1- All key players have reviewed their actions and the IR plan has been updated

Actions before the incident
1- Train users to report and avoid logging in from unsecured devices
2- Set a rule to change passwords 3 times annually or every time after an incident
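As an added example (not IBM's code and not part of the plan above), the following script applies the plan's own rules to the "Look for traces of unauthorized access in the logs" step of 7.8.2: repeated failed logins are classified as an "Intrusion Attempts / Login Attempts" event under 7.3 but, per the data-incident definition in the introduction, are not a data incident on their own, while a success following that pattern is handled as the 7.8.2 credential attack at High priority under 7.2 (incident still active). The log format, the failure threshold of 3 and the Middle priority for an unconfirmed brute-force pattern are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real IBM data); format is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03 auth FAIL user=alice src=203.0.113.7
2024-05-01T10:00:05 auth FAIL user=alice src=203.0.113.7
2024-05-01T10:00:09 auth OK   user=alice src=203.0.113.7
2024-05-01T10:01:00 auth FAIL user=bob   src=198.51.100.2
2024-05-01T10:01:02 auth FAIL user=bob   src=198.51.100.2
2024-05-01T10:01:04 auth FAIL user=bob   src=198.51.100.2
2024-05-01T10:02:00 auth OK   user=carol src=192.0.2.9
"""
LINE_RE = re.compile(r"^\S+ auth (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")
THRESHOLD = 3  # failures before we call it a brute-force pattern (assumed value)


def triage(log_text, threshold=THRESHOLD):
    """Return one finding per (user, src) pair showing repeated failed logins."""
    fails = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines outside the assumed format
        result, user, src = m.groups()
        key = (user, src)
        if result == "FAIL":
            fails[key] += 1
            if fails[key] >= threshold and key not in findings:
                # 7.3: Intrusion Attempts / Login Attempts. Introduction: failed
                # logins alone do not breach customer data, so not a data incident.
                # 7.2: no confirmed compromise, treated as Middle (assumption).
                findings[key] = {"incident_class": "Intrusion Attempts",
                                 "incident_type": "Login Attempts",
                                 "data_incident": False, "priority": "Middle",
                                 "reaction": "Monitor source; reject further attempts"}
        elif fails[key] >= threshold:
            # Success after the brute-force pattern: handled as the 7.8.2
            # credential data attack; the account is active, so 7.2 High.
            findings[key] = {"incident_class": "Intrusion Attempts",
                             "incident_type": "Login Attempts",
                             "data_incident": True, "priority": "High",
                             "reaction": "Reject login attempt with user's account",
                             "response_time": "20-30 minutes"}
    return findings


if __name__ == "__main__":
    for (user, src), finding in triage(SAMPLE_LOG).items():
        print(user, src, finding)
```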