My daughter has childhood diabetes, which can be a frightening disease for a family to manage. If her blood glucose spikes too high or dips too low, swift action needs to be taken. Without immediate corrective action, conditions can become serious, or even life threatening. But, we have developed a step by step process that helps us respond quickly and effectively.
It struck me recently that I employ some of the same processes to manage my daughter’s health that I use when wearing my infosec hat. For both information security and diabetes management, following specific systems and processes increases the speed and efficiency with which I’m able to address issues that arise.
Incident Response (IR)
The way to respond to an information-security incident 15 years ago was pretty rudimentary. Back then, a popular hack was website defacement. The response would include cleaning up the website files (or restoring from backup) and closing the hole that allowed the hack to take place.
Today, information-security incidents are frequently more malicious and more damaging than simple website vandalism. How and when you respond to an incident is even more critical. There are six common steps of incident response that serve as a helpful guide:
- Preparation – Prepare for an incident by opening lines of communication, having the proper documentation, and implementing an IR team.
- Identification – Next, answer the following question: Has something deviated from the norm causing an incident?
- Containment – Prevent further damage and assess the scope of the incident.
- Eradication – Remove and restore affected systems. Monitor fixes to assure malicious software and bad actors are removed.
- Recovery – Bring systems back into production.
- Lessons Learned – Identify who, what, where, why, and how the incident happened. What needs to be improved?
We can easily apply those same six steps to diabetes management. In the land of type 1 Diabetes, where the child is dependent on external insulin delivery, there are a few “if then else” scenarios for incident response.
Let’s say your child’s blood glucose (BG) is 35 when an acceptable range is between 80 and 120. What do you do? (This is a good place to point out that I am not a doctor.) Let’s walk this situation through the six steps of incident response:
- Preparation – We are prepared with our test meter, strips, and sugar source (apple juice).
- Identification – Next, we identify the issue – her BG is too low.
- Containment – We contain the issue by having her consume sugar.
- Eradication – This step isn’t applicable.
- Recovery – We monitor until BG reaches the acceptable range.
- Lessons Learned – In my opinion, this is the most important step. Though often overlooked, it is important to take time to understand why the sugar dropped in the first place.
So we can see how responding to an urgent situation in diabetes management parallels responding to an urgent situation in information security. I’ve found that my thinking and responses in one context often informs my thinking and responses in the other.
Now let’s go back to the manual monitoring of the finger prick test mentioned earlier. While today’s blood glucose meters are less invasive, until recently you were still in the dark about glucose levels between tests. The only way to continuously monitor BG levels would be (in theory) to continuously test with the BG meter. (Even a minimally invasive finger stick is no fun if you’re doing it continuously.)
But last year kids with type 1 diabetes (and their parents) were blessed by the FDA’s approval of pediatric use of Dexcom’s continuous glucose monitor, pictured below. This device supplements the regular BG meter test, and can alarm at pre-set and customizable levels to alert you whenever a BG level strays outside of normal limits.
Similarly, in information security, we used to check for compliance and security posture once a year, or even less often. We were in the dark about our true security posture between assessments. And, just as continually sticking your finger can be painful, continually going through the paperwork drill of a compliance assessment would have been painful.
But today’s continuous monitoring tools enable infosec professionals to assess the security posture of networks on an ongoing basis, working from a real-time dashboard. These systems can send alerts for predetermined conditions, such as when a system is out of compliance, an endpoint has malware, or a malicious actor is attempting to crack a password by brute force or hack a website by SQLi (SQL injection).
The ability to continuously monitor the security health of your network, from patches to compliance to attacks and everything in between, is key. This gives you tight control and the ability to proactively know about attacks vs. someone telling you (often well after the fact) that you have been breached.
Returning to diabetes management: for type 1 Diabetics, the news gets even better. Thanks to the crowdsourced Nightscout Project, I can now continuously monitor my child’s BG levels at any time, from anywhere in the world. Pretty cool. For the infosec professional, it’s comparable to apps that extend security health monitoring to a mobile platform that is always on and always trending and alerting, even letting you respond to security events.
As a parent, my child’s health is vitally important. I’m willing to invest my time and resources in processes and technologies that help me monitor her BG level and remediate any negative events. That mindset also carries over into my work as an infosec professional. Staying on top of and even ahead of security events is always better than reacting after the fact.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.