INCIDENT RESPONSE

Given the Zero Trust cybersecurity environment in which we live, where preventing all threats is not possible, we must invest in detection and incident response controls. Effective Incident Response is difficult due to (1) limited staff, (2) the variety and complexity of state and federal laws, and (3) the range of internal and external constituencies affected by a security incident. In addition, mistakes and omissions will surely increase incident costs. For these reasons, enterprises must invest in an automated solution to better prepare for, assess, manage, and report on incidents.

Security incidents are inevitable. Preventing all external and internal threats is simply not possible. Therefore we recommend a Zero Trust approach to information security where budget is allocated to Detection and Incident Response as well as Prevention controls. While we have reached the point where there is no debate about investing in dedicated technical detection controls, many organizations’ Incident Response tools consist of Word documents and spreadsheets. Some large organizations have attempted to implement an IR solution using system management or software development ticketing systems with limited success.

Given the potential direct and indirect financial, legal, reputational costs of information security incidents, any enterprise that holds Personally Identifiable Information (PII) or Personal Health Information (PHI) and conducts business in more than a couple of states needs a dedicated, specifically designed Incident Response system.

Here are the key ways an Incident Response system helps an organization:

  • Minimizes the costs of incidents
  • Assures that state and federal privacy and data breach laws are adhered to
  • Reduces redundant and/or inconsistent operating practices
  • Reduces operational complexity

In addition to the myriad state and federal laws, every enterprise has a wide variety of external constituencies including customers, media, law enforcement, Federal and state officials, credit card companies, investors, and suppliers. In addition, internal groups such as sales, marketing, and manufacturing can be impacted by an incident. A quick read of NIST SP-800-61, Computer Security Incident Handling Guide, will give you a good idea of the complexities of IR. An ineffective and inefficient response to an incident will surely exacerbate the situation and increase direct and indirect costs. For even a medium –size company, attempting to prepare for, assess, manage, and report on incidents manually, i.e. using Word documents and spreadsheets is not feasible.

NIST SP-800-61 describes the key actions for establishing an incident response capability:

  • Creating an incident response policy and plan
  • Developing procedures for performing incident handling and reporting
  • Setting guidelines for communicating with outside parties regarding incidents
  • Selecting a team structure and staffing model
  • Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
  • Determining what services the incident response team should provide

NIST also documents the accepted four-part Incident Response Life Cycle – Preparation, Assessment (Detection & Analysis), Management (Containment, Eradication, and Recovery), Report (Post-Incident Activities).

Here is how an Incident Response Management system can help in each of these four activities:

  • Prepare – Improve organizational readiness
    • Organize team members
    • Fine-tune response policies and procedures
    • Run simulations such as table top exercises
  • Assess – Identify and Evaluate Incidents
    • Engage appropriate team members
    • Evaluate incident precursors and indicators
    • Track incidents and maintain a logbook
    • Automatically prioritize activities based on criticality
    • Log evidence
    • Generate assessment summaries
  • Manage – Contain, Eradicate, and Recover
    • Generate real-time IR plan
    • Coordinate team response
    • Choose appropriate containment strategy
    • Isolate and remediate cause
    • Instruct evidence gathering and handling
  • Report – Document Results and Improve Performance
    • Generate reports for management, auditors, and authorities
    • Document results
    • Conduct post-mortem
    • Update policies and procedures
    • Track evidence
    • Evaluate historical performance

If you have a question or a comment, or would like more information, please let us know by completing the Contact Us box on the upper right side of this page.