5 Ways to Improve Your Cyber Security Incident Response Plan
Cyber Security Incident Response
Cyber security is on the mind of every business. From retailers to municipalities and financial services companies, no organization is off limits to cyber criminals and international thieves intent on inflicting damage on other countries or competitors. News accounts of intrusions are plentiful and well-publicized. Just recently, international hackers were suspected of knocking more than 900k routers offline in Germany, possibly affecting 20 million users.
Gartner reports that 10% of IT budgets are spent on detection of intrusions into proprietary networks, with anticipated growth of 75% by the year 2020. This is an astronomical growth rate that could put a major strain on the bottom lines of many businesses. Coping cost-effectively with increasingly sophisticated and aggressive cyber attacks requires an incident response plan that is adapted to the modern IT security environment.
Ways to Improve Your Cyber Security Incident Response Plan
Generating an incident response (IR) plan is a must for every business, regardless of its size or the industry it operates in. However, having a plan is only the beginning. To be prepared for the volume and complexity of attacks the modern business will face, a variety of improvements need to be implemented:
Detection and Communication
When a cyber security event emerges, there will likely be several indications that something is awry, whether they be network alerts, unexpected messages popping up on computer screens, application failures, or other events.
Your incident response plan should state the policy for communicating with the appropriate parties, the method of communication, and a backup method. For instance, if your primary method of communication is emailing technicians and management, an incident that affects your email system could throw everything into chaos. You therefore always need a secondary means of notifying the correct parties.
Set priorities for a response, based on the severity of the incident. No two cyber security incidents will require the exact same level of response or sense of urgency, so establish policies for how the priority should be determined with detailed procedures on how each level should be managed. Include notification to any vendors or third parties that may be engaged for resolution, and other departments that may be needed, such as human resources or public relations.
Each new incident uncovered should undergo a security level assessment (SLA) with predefined time-to-response requirements, procedures, and documentation provided. Create templates for standard incident documentation to ensure all relevant information is captured as the case is managed.
Incident Case Management
Roles for the incident response team must be clearly defined for every member of the team, including case management and the designated party for escalation. Common roles within an incident response team include:
Incident Response Analyst – These on-the-ground professionals spend time analyzing reports from various software platforms that scan the network, and serve as the sole arbiter distinguishing between serious threats and false positives. Furthermore, analysts need to know how to assess the priority level of a threat, properly escalate it to the correct level, and document the process accurately for later review.
Information Security Engineer – These incident response experts are required to have an even deeper knowledge of common threats, log management, breach detection systems, forensics, and escalation up the chain of command. They will commonly be responsible for designing tests to ensure the network can withstand a particular type of threat, and engineer defenses to cover newly discovered vulnerabilities.
Often also referred to as Senior or Lead Security Engineers, these positions combine the technical knowledge of an information security engineer with the skills of a manager. They're responsible for leading the incident response team, coordinating efforts with executives and other departments within the corporate structure, and serving as the subject matter expert for incident response when reporting to board members.
Establish in advance what each team member is responsible for, what documentation is needed (and where it is located), and identify the individual resources needed for incident management. Everyone on the incident response team needs to know the chain of command for escalation to improve SLAs and time-to-resolution.
Testing and Continuous Improvement
Test your incident response plan for several types of security events: ransomware attacks, Distributed Denial of Service (DDoS), virus intrusion, desktop vulnerabilities, etc. Note any deficiencies in the team’s ability to respond and resolve the incidents:
- Preparation for potential incidents
- Delays in detection or analysis of severity
- Failed communications during resolution of the event
- Time to contain and eliminate the threat
- Missing documentation or contact information
- Total time from detection to restoration of full service
Set meaningful targets for each phase of the incident response, and evaluate how each step can be improved on further testing. This is an iterative process and must be reviewed by management outside the IT organization to ensure the results align with the level of risk upper management considers acceptable.
Focus on Relevant Metrics
Each day you're receiving alerts from your security tools, but it can be difficult to know which ones to address first. You also need to know which metrics matter most, so that you can measure and improve your incident response efficiency and tune your detection parameters to focus on the most relevant threats.
When deciding which threats to address first, one should consider the broader impact that a particular breach might have, for instance:
- Could this lead to customer data being compromised?
- Will our intellectual property be at risk?
- Could this have a large systemic impact that will affect multiple departments and/or day-to-day operations (for instance, an attack on your email system)?
- Will this threaten our revenue drivers (marketing, key executives)?
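The severity-based prioritization, time-to-response requirements and phase metrics described above can be made concrete in a small triage helper. The following is an added example, not code from the original post or from CyberSponse; the impact weights, severity thresholds, SLA targets and the sample incidents are all constructed assumptions, to be replaced with the values your own risk review settles on.

```python
"""Severity-driven triage with time-to-response targets and phase metrics.

Added example: weights, thresholds, SLA targets and incidents are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

# The post's impact questions, each mapped to a weight (assumed values)
IMPACT_WEIGHTS = {
    "customer_data": 4,          # customer data compromised?
    "intellectual_property": 3,  # intellectual property at risk?
    "systemic": 3,               # multiple departments / daily operations hit?
    "revenue_drivers": 2,        # marketing, key executives threatened?
}

# Severity levels, highest first, and the time-to-response each requires (assumed)
SEVERITY_ORDER = ["critical", "high", "medium", "low"]
RESPONSE_SLA = {
    "critical": timedelta(minutes=15),
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}


@dataclass
class Incident:
    ident: str
    detected_at: datetime
    impacts: Set[str]
    responded_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None
    restored_at: Optional[datetime] = None


def severity_for(impacts):
    """Sum the weights of the impacts that apply and bucket into a severity."""
    score = sum(IMPACT_WEIGHTS.get(i, 0) for i in impacts)
    if score >= 7:
        return "critical"
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def response_deadline(inc):
    """Latest acceptable first-response time for this incident's severity."""
    return inc.detected_at + RESPONSE_SLA[severity_for(inc.impacts)]


def sla_breached(inc, now):
    """True if the response came (or, if still pending, is now) past the deadline."""
    checkpoint = inc.responded_at or now
    return checkpoint > response_deadline(inc)


def triage_order(incidents):
    """Work queue: highest severity first, earliest deadline first within a level."""
    key = lambda i: (SEVERITY_ORDER.index(severity_for(i.impacts)), response_deadline(i))
    return [i.ident for i in sorted(incidents, key=key)]


def phase_minutes(inc):
    """Durations of each phase in minutes; None where a timestamp is still missing."""
    def mins(a, b):
        return (b - a).total_seconds() / 60 if a and b else None
    return {
        "detect_to_respond": mins(inc.detected_at, inc.responded_at),
        "respond_to_contain": mins(inc.responded_at, inc.contained_at),
        "contain_to_restore": mins(inc.contained_at, inc.restored_at),
        "detect_to_restore": mins(inc.detected_at, inc.restored_at),
    }


def _t(hhmm):
    """Constructed timestamp on a single fixed day."""
    return datetime(2024, 1, 1, *map(int, hhmm.split(":")))


# Constructed sample case load (not real incidents)
SAMPLE_INCIDENTS = [
    Incident("INC-1", _t("09:00"), {"customer_data", "systemic"},
             responded_at=_t("09:10"), contained_at=_t("10:00"), restored_at=_t("12:30")),
    Incident("INC-2", _t("09:05"), {"revenue_drivers"}, responded_at=_t("14:00")),
    Incident("INC-3", _t("09:02"), set()),
    Incident("INC-4", _t("09:03"), {"customer_data"}),
]

if __name__ == "__main__":
    now = _t("15:00")
    print("queue:", triage_order(SAMPLE_INCIDENTS))
    for inc in SAMPLE_INCIDENTS:
        print(inc.ident, severity_for(inc.impacts),
              "breached" if sla_breached(inc, now) else "within SLA", phase_minutes(inc))
```

The phase durations feed the "total time from detection to restoration" and per-phase targets the post asks for; the breach check is what an SLA review would run over a quarter's case list.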
Avoiding Alert Fatigue
Far too often, analysts find themselves overwhelmed with a torrent of incoming alerts and endless system logs that must be carefully scanned to determine whether any real threat is targeting your systems. In this case, it's important to start implementing incident response automation.
These tools continuously scan your system for potential threats and do a lot of the tedious, repetitive work for you. This provides a key advantage in that you’re able to better leverage your incident response analysts and security engineers by having them focused on the real threats to your IT security, rather than looking for every potential blip on the radar.
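One of the repetitive tasks such automation takes off the analyst's plate is folding repeated alerts into a single case and only escalating what crosses a threshold. The following is an added example written for this article, not code from the original post or from any CyberSponse product; the rule names, the correlation window, the count threshold and the alert stream are constructed assumptions.

```python
"""Alert correlation to reduce fatigue: repeated alerts from the same rule and
host within a time window become one case, and only cases that cross a count
threshold, or come from rules that always warrant a human, are escalated.

Added example: rule names, window, threshold and alerts are hypothetical.
"""
from datetime import datetime, timedelta

# Rules that go to an analyst on the first hit regardless of count (assumed)
ALWAYS_ESCALATE = {"malware_detected"}


def _t(hhmm):
    """Constructed timestamp on a single fixed day."""
    return datetime.strptime(f"2024-01-01 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample alert stream (not real logs): eight failed logins from one
# workstation, one malware hit, and two port-scan alerts half an hour apart.
SAMPLE_ALERTS = (
    [{"ts": _t(f"09:0{i}"), "rule": "failed_login", "host": "ws-01"} for i in range(8)]
    + [
        {"ts": _t("09:03"), "rule": "malware_detected", "host": "srv-02"},
        {"ts": _t("09:01"), "rule": "port_scan", "host": "fw-01"},
        {"ts": _t("09:30"), "rule": "port_scan", "host": "fw-01"},
    ]
)


def correlate(alerts, window=timedelta(minutes=10), threshold=5):
    """Group alerts by (rule, host); a repeat within `window` of the case's last
    alert joins that case, otherwise it opens a new one.  Returns the cases in
    order of first sighting, each flagged with whether it should be escalated."""
    cases = []
    open_case = {}  # (rule, host) -> index of the most recent case for that key
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["host"])
        idx = open_case.get(key)
        if idx is not None and a["ts"] - cases[idx]["last_seen"] <= window:
            cases[idx]["count"] += 1
            cases[idx]["last_seen"] = a["ts"]
        else:
            cases.append({"rule": a["rule"], "host": a["host"],
                          "first_seen": a["ts"], "last_seen": a["ts"], "count": 1})
            open_case[key] = len(cases) - 1
    for c in cases:
        c["escalate"] = c["count"] >= threshold or c["rule"] in ALWAYS_ESCALATE
    return cases


def summarize(alerts, **kwargs):
    """Headline numbers for the tuning review: raw alerts in, cases out, escalations."""
    cases = correlate(alerts, **kwargs)
    return {"alerts": len(alerts), "cases": len(cases),
            "escalated": sum(1 for c in cases if c["escalate"])}


if __name__ == "__main__":
    for c in correlate(SAMPLE_ALERTS):
        print(f"{c['rule']:18s} {c['host']:7s} x{c['count']:<3d} "
              f"{'ESCALATE' if c['escalate'] else 'log only'}")
    print(summarize(SAMPLE_ALERTS))
```

Eleven raw alerts collapse to four cases and two escalations. The numbers from `summarize` are the metrics to watch while tuning: raising the threshold cuts escalations but risks hiding a slow attack, so the window and threshold belong in the same management review as the rest of the plan.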
Creating an effective and adaptable incident response plan is crucial not only for surviving in the modern threat landscape, but also for controlling your IT security costs and ensuring your intellectual property and customer data are protected from being distributed and inflicting major damage on your brand and customer trust.
By ensuring you have effective detection methods and a clear process for alerting the correct personnel, clearly defining the roles and responsibilities of each member of the incident response team, consistently testing and implementing new solutions to keep your defenses up to date, focusing on the metrics that actually matter, and implementing automation software that helps your analysts and engineers focus on the relevant threats, you can craft an incident response plan that serves you well.
Contact CyberSponse today to learn more about the incident management tools we offer to help make your incident response team more effective and efficient.