Equifax Case Study Report

Overall, I believe that Equifax did execute an effective incident response effort. Equifax had procedures in place so that, once informed of a potential vulnerability, they ran vulnerability scans to determine whether any machines internal to their network needed to be patched. Although their scanning was flawed and did not find the vulnerable systems, they still performed scans that should have found them. This aligns with the preparation phase. In detection and analysis, their IDS was misconfigured, but they eventually got themselves organized enough to detect the breach. Once it was found, they performed containment and eradication efficiently. They also had some good ideas for the post-incident activity, such as developing a website for the breach and a dedicated call center, but these were not effective in practice. Bringing in an outside company, Mandiant, to perform an analysis was smart, since it ensured there was agreement about what had occurred.

Knowing that money is a large factor and that not much is given to security, I think the biggest flaw at Equifax was that the security certificate on the device monitoring the ACIS network had been expired for the 19 months leading up to the discovery of the suspicious activity. Having working security features in place is one of the most important things to implement. If tools are not implemented correctly, analysts are not getting all the data that could help them identify suspicious activity, and activity can be missed.
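The check a practitioner would want here is an expiry watch on the certificate the inspection device itself relies on, so that it fails loudly instead of silently stopping decryption. The following is an added example written for this post, not Equifax's tooling or anything taken from the investigation reports: a minimal DER walker that pulls the validity window out of an X.509 certificate and classifies it as ok, expiring, expired or not yet valid. The certificate it runs on is a constructed, unsigned placeholder built inline (the names `Monitoring CA` and `ssl-inspect.example` are made up); `fetch_der` shows how to point the same check at a live listener and is the only part that needs the network. It is not a full X.509 parser and verifies no signatures.

```python
from datetime import datetime, timezone
import ssl

# ---- Minimal DER encoder, used only to build the constructed test certificate ----
def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (short- and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def _name(common_name: bytes) -> bytes:
    # Name ::= SEQUENCE OF RDN; each RDN is a SET of (OID, value). Only a CN here.
    cn_oid = tlv(0x06, b"\x55\x04\x03")  # id-at-commonName
    return tlv(0x30, tlv(0x31, tlv(0x30, cn_oid + tlv(0x0C, common_name))))

def build_constructed_cert(not_before: bytes, not_after: bytes) -> bytes:
    """Constructed X.509-shaped DER blob with placeholder key and signature bits.
    It is shaped like a certificate so the parser below has something to walk;
    it is not a real, signed certificate."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    rsa_enc = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    version = tlv(0xA0, tlv(0x02, b"\x02"))          # [0] EXPLICIT INTEGER v3
    serial = tlv(0x02, b"\x01")
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))  # two UTCTimes
    spki = tlv(0x30, rsa_enc + tlv(0x03, b"\x00" + bytes(8)))           # placeholder key
    tbs = tlv(0x30, version + serial + sha256_rsa + _name(b"Monitoring CA")
              + validity + _name(b"ssl-inspect.example") + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + bytes(16)))  # placeholder sig

# ---- Minimal DER reader: enough to locate the validity field ----
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        size = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + size], "big")
        header = 2 + size
    start = pos + header
    return tag, buf[start:start + length], start + length

def _children(body: bytes):
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out

def parse_time(tag: int, value: bytes) -> datetime:
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]  # RFC 5280 pivot
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("not a time element")
    if not rest.endswith("Z"):
        raise ValueError("DER requires UTC ('Z') times")
    fields = [int(rest[i:i + 2]) for i in range(0, 10, 2)]  # MM DD HH MM SS
    return datetime(year, *fields, tzinfo=timezone.utc)

def validity_window(der: bytes):
    """Walk Certificate -> tbsCertificate and return (notBefore, notAfter).
    Validity is the only SEQUENCE in the TBS whose two children are time types,
    which distinguishes it from the algorithm identifier, issuer and subject."""
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs_body, _ = _read_tlv(cert_body, 0)
    for tag, body in _children(tbs_body):
        if tag != 0x30:
            continue
        kids = _children(body)
        if len(kids) == 2 and all(k[0] in (0x17, 0x18) for k in kids):
            return parse_time(*kids[0]), parse_time(*kids[1])
    raise ValueError("no validity field found")

def check_certificate(der: bytes, as_of: datetime, warn_days: int = 30):
    """Classify the certificate relative to as_of; returns (status, days_until_expiry)."""
    not_before, not_after = validity_window(der)
    days_left = (not_after - as_of).days
    if as_of < not_before:
        return "not-yet-valid", days_left
    if as_of > not_after:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left

def check_on(der: bytes, date_str: str, warn_days: int = 30):
    """Evaluate at midnight UTC on an ISO date such as '2017-08-01'."""
    as_of = datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)
    return check_certificate(der, as_of, warn_days)

def fetch_der(host: str, port: int = 443) -> bytes:
    """Pull the leaf certificate a live listener presents (network required)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# Constructed fixture: valid for calendar year 2015 only.
DEMO_CERT = build_constructed_cert(b"150101000000Z", b"160101000000Z")

if __name__ == "__main__":
    for when in ("2014-12-31", "2015-06-01", "2015-12-20", "2017-08-01"):
        print(when, check_on(DEMO_CERT, when))
```

Run from a scheduler against every certificate the monitoring path depends on, and treat anything other than `ok` as an alert; the point is that a cert on the inspection device expiring is itself a detection gap, not just a housekeeping item.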

I know the topic of CISO placement is relatively controversial. I have been in a company where the CISO was under the CIO, and in another where the CISO was also the CIO and reported to legal, and I see the pros and cons of each. However, I think that overall it depends on the company. Where the company is information driven, it makes sense to have the security teams more closely aligned with the IT and information teams. This allows for more collaboration in understanding the networks and patching the systems. In my current role, I fall under a product security team for aviation. We are not a typical network detection team, so it does make sense for us to fall under the legal team, as we need to collaborate more on making sure the products align with any regulations. I think that no matter where the CISO sits, whether directly under the CEO or not, the CISO should have the ability to call and inform the CEO of any major event; that is the biggest takeaway in organizational structure. There should be a culture where it is okay for the CISO to report up the chain, but also directly to the CEO.

Discover more from Courtney Root's Blog
