A Message from SyCom's CISO

Using IRP processes to deal with Coronavirus  –  Containment

The Coronavirus has grown into a worldwide phenomenon that none of us are prepared to deal with. In other words, this has become a “big thing.” As a cybersecurity practitioner, I started to look at this like I would approach a cybersecurity incident. I like to use the PICERL (Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned) Incident Response framework to break “big things” into “little things” that are much easier to digest. Specifically, I want to focus on the “C” word in the PICERL process – Containment.

In the Preparation phase of a cyber scenario, planning is often seen as either too little or too much. By the time we are in the middle of a crisis, we are past the point of being able to address readiness, and we hope that our level of Preparation was adequate. During a cyber occurrence, we find that Identification helps us determine all the rest of our strategies. For example, if we can Identify the malware strain that is to blame for a given incident, we can determine HOW to Contain, Eradicate, and Recover. Often, we find that Identification can morph as we learn more about the episode. This is certainly the case with the Coronavirus. Over the past month or so, we have had every strategy from the “head in the sand” to the “buy all the toilet paper” come to life in front of our eyes on computer and TV screens. This is all based on the evolution of our understanding of what our Identification of the problem actually means.

While Identification helps us to zero in on the proper Eradication and Recovery steps, we can almost always agree that a Containment strategy is fairly static, no matter the case. The Containment strategy in a cyber incident is meant to isolate the problem and keep it from growing. “Stop the spread” is the all-important phrase. This is also all-important with the Coronavirus. Experts have told us that the most prudent thing we can do is “stop the spread” by providing “social distance.” Social distance refers to the trend that scientific research has observed: limiting personal interaction has shown positive results in “stopping the spread” of the disease.

In our working worlds, this means that one of the most prudent things we can do is to move to remote worker scenarios. This may present several challenges, including:

  1. People Challenges:
    1. Are staff members trained to utilize remote work scenarios?
    2. Are staff members trained to utilize remote work scenarios securely?
    3. Are staff members disciplined enough to be productive in remote work scenarios?

  2. Process Challenges:
    1. Do organizations really know how to be effective when applying remote work scenarios?
    2. Do organizations have the proper logistical support to conduct business remotely (i.e. – are supply chain processes in place to support this process adequately)?

  3. Technology Challenges:
    1. Are there enough trusted devices to connect to corporate networking resources?
    2. Are there secure mechanisms in place to provide access to these resources?
    3. Is the internet robust enough to accept these additional usage patterns?

None of these challenges is insurmountable, but each should be considered (among a myriad of other considerations). Realize that you are not alone in your attempt to change your working world to Contain this situation. Technology vendors like Cisco and Microsoft (and many others) are making provisions to assist in many of these areas. Local support providers like SyCom Technologies can help as well. If you need help, please reach out to your SyCom account manager.

As medical experts continue to refine their understanding of the Eradication steps and we all determine our best Recovery strategies, it is prudent that we follow good Containment processes now and make sure to conduct our Lessons Learned when the coast has cleared!
Best wishes and be safe,
Allen Jenkins, CISO