Photo Credit: brianjmatis via Compfight cc
[Original article posted on the Telos website, 31/03/15.]
It struck me recently that I employ some of the same skills and processes when managing my daughter’s childhood diabetes as I do when wearing my infosec hat. If her blood glucose (BG) spikes too high or dips too low, swift action needs to be taken. Without immediate corrective action, conditions can become serious, or even life threatening. For both information security and diabetes management, following specific systems and processes increases the speed and efficiency with which you’re able to address issues that arise.
Let’s break this comparison into two categories: incident response and continuous monitoring.
Incident Response (IR)
Fifteen years ago, the way you responded to an information security incident was pretty rudimentary. A popular hack then was website defacement. The response included cleaning up the website files or restoring from backup and closing the hole that allowed the “hack” to take place.
Today, information security incidents are frequently more malicious and more damaging than website vandalism, which means that how and when you respond to an incident is even more critical. There are six common steps of incident response that serve as a helpful guide:
- Preparation – How to prepare for an incident; some examples would be communication, documentation, and an IR team.
- Identification – Has something deviated from the norm causing an incident?
- Containment – Prevent further damage and assess the scope of the incident.
- Eradication – Remove and restore affected systems. Monitor fixes to ensure malicious software/actors are removed.
- Recovery – Bring systems back into production, back to business.
- Lessons Learned – Identify who, what, where, why and how the incident happened. What needs to be improved?
We can easily apply those same steps to diabetes management. In the land of Type 1 Diabetes, where the child is dependent on external insulin delivery, there are a few “if then else” scenarios for incident response. Going back less than a decade, the only way to know your blood glucose level was to prick your finger and put a droplet of blood on a test strip.
Let’s say your child’s BG is 35 when an acceptable range is between 80 and 120. What do you do? (This is a good place to remind you that I am quite obviously not a doctor.) Let’s walk this situation through the six steps of incident response:
- Preparation – We are prepared with our test meter, strips, and sugar source (apple juice).
- Identification – Next, we identify the issue – her BG is too low.
- Containment – We contain the issue by consuming sugar.
- Eradication – This step isn’t applicable.
- Recovery – We monitor until BG reaches the acceptable range.
- Lessons Learned – In my opinion, this is the most important step. Though often overlooked, it is important to take time to understand why the sugar dropped in the first place.
So we can see how responding to an urgent situation in diabetes management parallels responding to an urgent situation in information security. I’ve found that my thinking and responses in one context often inform my thinking and responses in the other.
Continuous Monitoring
Now let’s go back to the manual monitoring of the finger prick test mentioned earlier. While today’s blood glucose meters are less invasive, until recently you were still in the dark about glucose levels between tests. The only way to continuously monitor BG levels would be (in theory) to continuously test with the BG meter. (Even a minimally invasive finger stick is no fun if you’re doing it continuously.)
But nine years ago the world was blessed with a new technology from Dexcom. It is a continuous glucose monitor pictured below. This device supplements the regular BG meter test, and can alarm at pre-set and customizable levels to alert you whenever a BG level strays outside of normal limits.
Similarly, in information security, we used to check for compliance and security posture once a year, or even less often. We were in the dark about our true security posture between assessments. And, just as continually sticking your finger can be painful, continually going through the paperwork drill of a compliance assessment would have been painful.
But today’s continuous monitoring tools enable infosec professionals to assess the security posture of networks on an ongoing basis, working from a real-time dashboard. These systems can send alerts for predetermined conditions, such as when a system is out of compliance, an endpoint has malware, or a malicious actor is attempting to brute-force passwords or run SQL injection (SQLi) against a website.
The ability to continuously monitor the security health of your network, from patches to compliance to attacks and everything in between, is key. This gives you tight control and the ability to know about attacks proactively, versus someone telling you (often well after the fact) that you have been breached.
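To make the parallel concrete, here is an added example (not code from the original post) of the two kinds of pre-set alarm described above: a range check on BG readings using the 80-120 band from the post, and a sliding-window count of failed logins per source that fires on the brute-force condition. The sshd-style log format, the 5-failures-in-60-seconds threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Acceptable BG range used in the post (80-120); a reading of 35 is the low-BG incident.
BG_LOW, BG_HIGH = 80, 120

def bg_alerts(readings):
    """Flag every reading that strays outside the pre-set range, like a CGM alarm."""
    return [(i, v, "LOW" if v < BG_LOW else "HIGH")
            for i, v in enumerate(readings) if v < BG_LOW or v > BG_HIGH]

# Constructed, sshd-style auth log lines (sample input, not a real capture).
SAMPLE_LOG = """\
10:00:01 sshd[812]: Failed password for root from 203.0.113.5 port 40001 ssh2
10:00:03 sshd[812]: Failed password for root from 203.0.113.5 port 40002 ssh2
10:00:04 sshd[812]: Accepted password for alice from 198.51.100.7 port 50010 ssh2
10:00:06 sshd[812]: Failed password for admin from 203.0.113.5 port 40003 ssh2
10:00:09 sshd[812]: Failed password for admin from 203.0.113.5 port 40004 ssh2
10:00:11 sshd[812]: Failed password for guest from 203.0.113.5 port 40005 ssh2
10:02:30 sshd[812]: Failed password for bob from 198.51.100.7 port 50011 ssh2
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) sshd\[\d+\]: Failed password for \S+ from (\S+)")

def brute_force_alerts(log_text, threshold=5, window=60):
    """Alert when one source produces `threshold` failed logins within `window` seconds.

    Each source keeps a deque of recent failure timestamps; old ones are evicted
    as the window slides, so the check costs O(1) amortised per log line.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines do not count
        h, mi, s, src = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)  # seconds since midnight
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, t, len(q)))
            q.clear()  # reset so one burst raises a single alert
    return alerts
```

The same shape (a stream of readings, a pre-set condition, an alert record) serves both the glucose monitor and the security dashboard; only the threshold logic differs.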
Returning to diabetes management: for Type 1 Diabetics, the news gets even better. Thanks to the crowdsourced Nightscout Project, I can now continuously monitor my child’s BG levels at any time, from anywhere in the world. Pretty cool. For the infosec professional, it’s comparable to apps that extend security health monitoring to a mobile platform that is always on and always trending and alerting, even letting you respond to security events.
As a parent, my child’s health is vitally important. I’m willing to invest my time and resources in processes and technologies that help me monitor her BG level and remediate any negative events. That mindset also carries over into my work as an infosec professional. Staying on top of, and even ahead of, security events is always better than reacting long after the fact.