IT Security

Cyber incident response

by Mark Rowe

Cyber Crisis Planning Room (CyberCPR) has been officially launched as a UK-developed SaaS/on-premise platform to help incident managers, analysts, executives and support staff plan and coordinate cyber incident remediation activities and post-incident analyses.

Developed over two years, CyberCPR was built by a team of incident handlers from Logically Secure Ltd, a UK security cleared organisation led by former RAF Cyber Security staff.

Steve Armstrong, MD of Logically Secure Ltd, says: “Our team has been working within Incident Response for over 9 years and during that time we have built a number of ad-hoc tools and processes to help manage the data capture and information flows that each project generates. It was about two years ago we decided to acquire a dedicated management application and what we found on the market just didn’t fit our needs or was incredibly expensive – so we decided to build our own.”

During the final stages of Beta, CyberCPR has been used as a core platform to manage over 115 incidents during the last five months. “Incident response can involve a large number of people, some inside the organisation and other external contractors and can often generate hundreds of terabytes of data from logs, packet captures and other sources,” says Armstrong. “Typically, emailing all these files around and storing them in file servers is extremely inefficient, not ideal from a security perspective – it also fails to produce an auditable set of evidence that can be used effectively for longer term analyses or for legal action.”

The CyberCPR platform comprises several core components, including a web front end, which can be made available through the public firewall, and core application logic that processes the information supplied by the Incident Responders.

CyberCPR maintains a secure database that holds the communications, updates, chats and other items of incident-related information in an encrypted form. The platform has scalable storage for the operating system, the application files and the large incident-related files that are uploaded. Deployment is flexible: the platform can reside inside the client’s network; outside the client’s network but under their complete control via a cloud provider; or outside the client’s network on a Logically Secure hosted platform.

The entire platform uses a separation of duties methodology, vital for managing any incident, that separates ‘application user’ access from ‘incident access’. This separation of permissions applies to all users, including the application administrators, who are not able to access any incidents unless added by the Incident Manager.

“The software is now ready for commercial deployment and we are already piloting the system with several larger enterprises,” says Armstrong. “However, we believe that the platform is also of value to smaller clients as well as security specialists like ourselves that are called in to help deal with incidents.”

As such, a CyberCPR “Community Edition”, offering the full feature set but only available for three users, has been made available for free. “We are encouraging other incident responders to use this version for free and provide feedback,” says Armstrong. “We are continually adding more automation and integration with other InfoSec tools to streamline many of the incident response processes and as this platform evolves it will help provide deeper analysis to help us to spot patterns across incidents and allow us to instigate more effective control to pre-empt problems.”

Rik Turner, Senior Analyst, IT – Infrastructure Solutions, Ovum said: “Incident response is becoming ever more important as enterprises struggle to detect and mitigate cyberattacks in the “unknown unknowns” category, but IR is currently still largely a people-intensive process. Thus any technology like CyberCPR that helps coordinate and, potentially, automate part of it is a positive step in responding to the burgeoning world of advanced threats.”

© 2024 Professional Security Magazine. All rights reserved.