How to build an effective security incident response mechanism in your organisation.
An organisation’s security posture hinges on the well-known security maxim ‘prevention-detection-response’. While the first two components of the security architecture are favoured by many, ‘response’ has a unique characteristic – it is impossible to avoid. It is not uncommon for organisations to have weak prevention and nearly non-existent detection capabilities, but response will always be necessary. Being prepared for security incidents through an incident response (IR) plan is one of the most cost-effective security measures an organisation can take. Timely and effective IR is directly responsible for limiting the damage a security incident causes.
Developing an incident response plan, and ensuring that it aligns with the organisation’s goals and needs as well as existing policy and compliance regulations, can be daunting. Moreover, the process will require all sides of the business to communicate, which in itself can be quite the task.
“The effectiveness and cost of incident response depends on the capability of the organisation to detect an incident in the first place. With a median breach detection time still being measured in months, it is indicative that most organisations have not reached a sufficient maturity level to perform effective incident response themselves,” says Roger Sels, DarkMatter’s VP of IT Security.
He adds that in those cases where external events trigger the incident response process, a financial or reputational loss might already have occurred and an external party may need to be brought in with the foremost mission of finding out the origin and nature of the incident. This hampers the organisation’s ability to recover from the incident as it may still be ongoing at the start of the incident response process.
The basic idea behind IR is simple – once an incident has been discovered, steps must be taken to address it, to ensure the organisation recovers from it and to make sure it doesn’t happen again. This might sound like an easy thing to do, but security experts note that this simply isn’t true. Incident response is something that is developed and that changes with the organisation over time. Incidents can be technical or physical, and while you can’t prepare for everything, it is wise to at least prepare for the most likely threats your organisation will face. One of the often-repeated problems with incident response is that organisations rarely understand who is attacking them, what the attacker is looking for, and how they are trying to get it.
What are the important steps companies should incorporate into their IR plan?
“The first step is making sure the appropriate information is readily available to search when a data breach does occur versus relying on forensics. Such information might include firewall logs, endpoint logs or identity logs. That information should be easily accessible and centrally stored,” says Mike Viscuso, Co-founder and CTO, Carbon Black. “The second important step is to be prepared from a communications perspective. If an organisation is concerned that its infrastructure has been compromised, an entire new communication system must be set up to handle the incident. Many companies who have had a breach in the past say they were significantly delayed in responding since an entire new communication infrastructure needed to be implemented on short notice. They couldn’t simply rely on their email system. Having a communications plan ahead of time can help reduce that stress significantly.”
Sels says enterprise security leaders should define metrics and reporting frequencies, both for incidents and for incident response itself. Both quantitative and qualitative KPIs should be measured (including but not limited to time to detect, time to triage, time to respond, number of false positives or root cause).
A quick guide from Cybereason says companies should also use the preparation phase to consider the various breach scenarios that could play out. These scenarios should be reviewed in activities like team training, tabletop exercises and blue team-red team exercises. Businesses should even simulate a breach so employees know their roles when a real breach occurs.
This is the phase in which companies identify their weak points and risk factors, figure out what activities need to be closely monitored and decide how to spend their security budgets. An IR plan should be revised yearly, or more frequently if the company grows rapidly. Additionally, the IR plan should incorporate any business regulations.
Lately, IR automation has become a very hot topic in the security world. There are multiple factors driving demand for IR automation and orchestration, including the manual nature of IR work, the cyber skills shortage and the difficulty of coordinating activity between teams.
Should you automate your IR process?
Sels from DarkMatter says automating parts of the process might be feasible and recommended, but the overall process as such should not be automated. The nature of an incident may prevent automation.
Viscuso from Carbon Black offers a different perspective: “Over the past few years, many businesses have set up security operation centres and these teams tend to do the same things over and over again each day in responding to alerts. SOCs should look to automate those tasks done repeatedly throughout the week. Automated technology can look at the problem from a different perspective and provide additional content to help speed up IR.”