We had the chance to welcome Rino Lagacé, former Leader of the Blue Team at National Bank of Canada, during the 1st edition of the Forensik Conference. He explained to us how his incident response team was organized within the financial institution, what each person's role was, and how the company had matured in dealing with cyber incidents. The interview is available now on INTRASEC, In Fidem's cybersecurity channel.
An organization structured in 3 levels
The management and response teams are divided into 3 levels.
- Level 1: analysts receive the alerts and have a fixed period in which to resolve an incident where one is confirmed. They must document the incident, specifying what happened, the steps taken, the tools used, the attack vectors and the target(s).
- Level 2: another team takes over that documentation and focuses on the infrastructure level.
- Level 3: if the incident is still not resolved, a unit of senior staff is set up to make decisions. At this stage, detailed documentation of events is crucial to taking the right actions quickly and efficiently.
Automation in incident response management: one of the key issues for the National Bank
Rino Lagacé explains to us that the financial institution wants to mature in responding to cybersecurity incidents through automation.
To do this, it sets up playbooks that the level 1 teams must follow to process security alerts quickly.
If the level 1 teams are unable to resolve an alert, the level 2 teams take over.
The goal, however, is to involve the level 3 teams as little as possible.
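The tiered process described above, as an added illustration that is not part of the interview or the bank's own tooling: level 1 works a playbook inside a fixed window, an unresolved incident is handed to level 2 and then level 3, and a handover is refused while the documentation the senior team will rely on is incomplete. The 60-minute window, the field names and the playbook steps are assumptions; the article gives no such figures.

```python
from dataclasses import dataclass, field

# Fields Level 1 must document before an incident may move up a level
# (what happened, steps taken, tools, attack vectors, targets), as the article lists them.
REQUIRED_FIELDS = ("what_happened", "steps_taken", "tools", "attack_vectors", "targets")
LEVEL1_WINDOW_MIN = 60  # assumed fixed Level 1 period in minutes; the article gives no figure


@dataclass
class Incident:
    alert_id: str
    level: int = 1
    resolved: bool = False
    documentation: dict = field(default_factory=dict)


def run_playbook(inc, playbook):
    """Level 1 works through the playbook steps in order. Each step is a callable
    returning True when it resolved the alert; every step tried is recorded."""
    for name, step in playbook:
        inc.documentation.setdefault("steps_taken", []).append(name)
        if step(inc):
            inc.resolved = True
            break
    return inc.resolved


def missing_documentation(inc):
    """Return the required fields that are still empty."""
    return [f for f in REQUIRED_FIELDS if not inc.documentation.get(f)]


def escalate(inc, elapsed_min):
    """Tiered rule: unresolved after the Level 1 window -> Level 2; still unresolved
    on the next review -> Level 3 (senior decision-makers). Returns the current level.
    A handover is refused while the documentation is incomplete, because Level 3
    depends on it to act quickly."""
    if inc.resolved:
        return inc.level
    if inc.level == 1 and elapsed_min < LEVEL1_WINDOW_MIN:
        return 1  # still inside the Level 1 window
    missing = missing_documentation(inc)
    if missing:
        raise ValueError(f"{inc.alert_id}: cannot hand over, missing {missing}")
    inc.level = min(inc.level + 1, 3)
    return inc.level
```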
Knowledge sharing in incident management and response
Financial institutions are prime targets for attackers. They therefore share the alerts they receive with one another in order to warn other organizations, and they do not hesitate to help each other respond more quickly and effectively to threats.
For Rino Lagacé, the ideal would be to create a knowledge base to keep each other informed and, above all, to help small and medium-sized businesses defend themselves against cyber attacks, from which they are not immune either.
As a reminder, Cancyber is one such solution for sharing threat information.