
5 Ways to Improve Your Cybersecurity Incident Response Plan

Cybersecurity incident response

Cybersecurity is on the mind of every business. No organization is off-limits to cybercriminals, or to international and state-backed groups that inflict damage on other countries or on competitors. News accounts of intrusions are plentiful and well-publicized: just recently, international hackers were suspected of knocking over 900k routers in Germany offline, possibly impacting 20 million users.

Gartner reports that 10% of IT budgets are spent on detecting intrusions into proprietary networks, with anticipated growth of 75% by the year 2020. That is an astronomical growth rate, and one that could put a major strain on the bottom lines of many businesses. Coping with these attacks cost-effectively requires an incident response plan adapted to the modern IT security environment.

Ways to improve your cybersecurity incident response plan

Generating an incident response plan is a must for every business, regardless of size or industry. However, having a plan is only the beginning. The following improvements should be built into it:

Detection and communication

When a cybersecurity event emerges, it announces itself through several indicators, from network and endpoint alerts to unexplained application failures. Your plan should spell out which indicators open an incident and who is responsible for watching them.

Incident response should include your policy for who is notified, how they are notified, and a backup channel. For instance, if your primary method of communication is email, an incident affecting your email system (or one in which the attacker is reading it) leaves you without a way to coordinate. Thus, you always need an out-of-band secondary means of notifying the correct parties.

Set priorities for a response based on the severity of the incident. No two incidents will require the exact same level of response or sense of urgency, so establish a policy for how priority is determined, with detailed procedures behind it. Also include notification of the internal functions that may be pulled in, such as HR, legal or PR, and of any vendors or third parties that may be engaged for resolution.

Each new incident uncovered should be assigned a severity level with a predefined service-level agreement (SLA) for time to response, along with the procedures to follow and the documentation to produce. Create templates for standard incident documentation to ensure all relevant information is captured as the case is managed.

Incident case management

Members of the incident response team must have clearly-defined roles, including case management and the designated party for escalation. Common roles within an incident response team include:

Incident Response Analyst
These on-the-ground professionals spend their time analyzing reports from the various platforms that monitor the network, and they are the first line in distinguishing between serious threats and false positives. Analysts must also know how to assess a threat's priority level, escalate it to the correct level, and document the process accurately.

Information Security Engineer
These response experts should have deeper knowledge of several topics: common threats, log management, breach detection systems, forensics, and escalation up the chain of command. Commonly, they are responsible for designing tests to ensure the network can withstand specific threats and for engineering defenses for the vulnerabilities those tests uncover.

Management/Administrative Coordinators
Often also referred to as Senior or Lead Security Engineers, these positions combine the technical knowledge of an information security engineer with the skills of a manager. They are responsible for leading the incident response team, coordinating efforts with executives and other departments within the corporate structure, and serving as the subject matter expert on an incident when reporting to board members.

In advance, establish each team member's responsibilities and documentation (and where it is located), and identify the individual resources needed for incident management. Everyone on the incident response team needs to know the chain of command for escalation, so that SLAs are met and time-to-resolution improves.

Testing and continuous improvement

Test your incident response plan against different security events: ransomware attacks, Distributed Denial of Service, malware infections, compromised desktops, etc. While testing, note deficiencies in the team's ability to respond to and resolve the incidents:

  • Preparation for potential incidents
  • Delays in detection or analysis of severity
  • Failed communications during resolution of the event
  • Time to contain and eliminate the threat
  • Missing documentation or contact information
  • Total time from detection to restoration of full service

Set meaningful targets for each phase of the incident response, and evaluate how each step can be improved. This is an iterative process, and the results must be reviewed by management beyond the IT organization to ensure they align with the level of risk upper management is willing to accept.

Focus on relevant metrics

Each day you're receiving alerts from your security tools, but it can be difficult to know which ones to address first. You also need to know which metrics matter most, so that you can measure and improve both your incident response efficiency and your detection parameters. That focus keeps the team on the most relevant threats.

So, when deciding which threats to address first, consider the broader impact that a particular breach might have. For instance:

  • Could this lead to compromised customer data?
  • Will our intellectual property be at risk?
  • Could this have a large systemic impact that will affect multiple departments or daily operations?
  • Will this threaten our revenue drivers (marketing, key executives)?
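
As an added example (not CyberSponse's code or any product's API), the following Python puts the severity-based prioritization from the detection section and the four impact questions above into one triage helper, with per-phase SLA targets of the kind the testing section asks you to set. The point weights, severity thresholds, SLA minutes, phase names and sample incidents are all assumptions chosen for illustration.

```python
"""Severity-driven triage with per-phase SLA targets.

Added example, not CyberSponse's code or any product's API. The impact
questions are the post's; the weights, severity thresholds, SLA minutes,
phase names and sample incidents are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumed response targets in minutes from detection, most severe first.
SLA_MINUTES: Dict[str, Dict[str, int]] = {
    "critical": {"acknowledge": 15,   "contain": 60,   "restore": 240},
    "high":     {"acknowledge": 60,   "contain": 240,  "restore": 1440},
    "medium":   {"acknowledge": 240,  "contain": 1440, "restore": 4320},
    "low":      {"acknowledge": 1440, "contain": 4320, "restore": 10080},
}


@dataclass
class Impact:
    """Answers to the post's impact questions, plus how far the incident has spread."""
    customer_data: bool = False          # could customer data be exposed?
    intellectual_property: bool = False  # is IP at risk?
    systemic: bool = False               # multiple departments or daily operations hit?
    revenue_driver: bool = False         # revenue-generating function or key executive?
    hosts_affected: int = 1


@dataclass
class Incident:
    name: str
    impact: Impact
    detected: datetime
    acknowledged: Optional[datetime] = None
    contained: Optional[datetime] = None
    restored: Optional[datetime] = None


def severity(impact: Impact) -> str:
    """Weighted score over the impact answers, mapped to a severity label (assumed weights)."""
    score = (3 * impact.customer_data + 2 * impact.intellectual_property
             + 2 * impact.systemic + 1 * impact.revenue_driver)
    score += 2 if impact.hosts_affected >= 10 else (1 if impact.hosts_affected > 1 else 0)
    for label, floor in (("critical", 5), ("high", 3), ("medium", 1)):
        if score >= floor:
            return label
    return "low"


def phase_report(inc: Incident, now: datetime) -> Dict[str, dict]:
    """Elapsed minutes per phase against the SLA for the incident's severity.

    An unfinished phase is measured up to `now`, so an open incident is flagged
    the moment a deadline passes, not only in the post-mortem.
    """
    targets = SLA_MINUTES[severity(inc.impact)]
    milestones = {"acknowledge": inc.acknowledged, "contain": inc.contained, "restore": inc.restored}
    report = {}
    for phase, reached in milestones.items():
        elapsed = ((reached or now) - inc.detected).total_seconds() / 60
        report[phase] = {"elapsed_min": round(elapsed), "target_min": targets[phase],
                         "done": reached is not None, "breached": elapsed > targets[phase]}
    return report


def work_order(incidents: List[Incident], now: datetime) -> List[str]:
    """Which incident to address first: highest severity, then the one
    furthest along (or past) its next unfinished SLA deadline."""
    def urgency(inc: Incident):
        rank = list(SLA_MINUTES).index(severity(inc.impact))
        pending = [p for p in phase_report(inc, now).values() if not p["done"]]
        ratio = pending[0]["elapsed_min"] / pending[0]["target_min"] if pending else 0.0
        return (rank, -ratio)
    return [inc.name for inc in sorted(incidents, key=urgency)]


# Constructed sample incidents (not real events), all detected on one morning.
T0 = datetime(2017, 3, 1, 9, 0)
NOW = datetime(2017, 3, 1, 14, 0)
SAMPLE_INCIDENTS = [
    Incident("ransomware-fileserver", Impact(customer_data=True, systemic=True, hosts_affected=12),
             detected=T0, acknowledged=T0.replace(minute=10), contained=T0.replace(hour=11, minute=30)),
    Incident("ip-repo-exfil", Impact(intellectual_property=True, revenue_driver=True),
             detected=T0.replace(minute=5), acknowledged=T0.replace(minute=20)),
    Incident("phishing-single-user", Impact(), detected=T0.replace(minute=30)),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.name, severity(inc.impact), phase_report(inc, NOW))
    print("work first:", work_order(SAMPLE_INCIDENTS, NOW))
```

The same report doubles as the metric source for the testing section: the per-phase `elapsed_min` values are exactly the detection-to-containment and detection-to-restoration times you would track across exercises, and `breached` flags on a still-open phase are what tell the on-call lead to escalate before a post-mortem ever happens.
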

Avoiding alert fatigue

Far too often, analysts find themselves overwhelmed by a torrent of incoming alerts and endless system logs that must be carefully scanned for real threats. This is where incident response automation pays off.

Such platforms ingest the alerts, enrich and de-duplicate them, and run the tedious, repetitive first steps of a playbook for you. As a result, you can better leverage your incident response analysts and security engineers by keeping them focused on real threats, rather than on every potential blip on the radar.
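To make the de-duplication and correlation step concrete, here is an added Python example (not CyberSponse's code or any product's API) that collapses a constructed burst of SIEM-style alerts into a short list of cases for an analyst. The alert schema, the allowlist for the internal scanner, the time window, the thresholds and the sample alerts are all assumptions made for illustration.

```python
"""Alert de-duplication, suppression and correlation ahead of human triage.

Added example, not CyberSponse's code or any product's API. The alert
schema, the allowlist, the thresholds and the sample alerts are all
assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

WINDOW = timedelta(minutes=10)   # repeats closer than this join the same case
REPEAT_THRESHOLD = 20            # low-severity repeats that justify a human look
SPREAD_THRESHOLD = 3             # one rule firing on this many hosts looks like a campaign
# Assumed allowlist: the internal vulnerability scanner trips port-scan by design.
ALLOWLIST: Set[Tuple[str, str]] = {("port-scan", "10.0.0.5")}


def sample_alerts() -> List[dict]:
    """Constructed SIEM-style alerts (not real data): 33 alerts in a few minutes."""
    t0 = datetime(2017, 3, 1, 9, 0, 0)

    def mk(sec: int, host: str, rule: str, sev: str, src: str) -> dict:
        return {"ts": t0 + timedelta(seconds=sec), "host": host,
                "rule": rule, "severity": sev, "src": src}

    alerts = [mk(20 * i, "web01", "ssh-bruteforce", "low", "203.0.113.7") for i in range(25)]
    alerts += [mk(60 + i, h, "port-scan", "medium", "10.0.0.5")
               for i, h in enumerate(["web01", "web02", "db02"])]      # scanner, allowlisted
    alerts.append(mk(120, "db02", "av-detected", "high", "-"))
    alerts += [mk(180 + i, h, "c2-beacon", "medium", "198.51.100.9")
               for i, h in enumerate(["web01", "web02", "app03"])]     # same rule, three hosts
    alerts.append(mk(40 * 60, "web01", "ssh-bruteforce", "low", "203.0.113.7"))  # after a quiet gap
    return alerts


def aggregate(alerts: List[dict]) -> Tuple[List[dict], int]:
    """Collapse raw alerts into cases and mark which ones need an analyst.

    Returns (cases, suppressed_count). Each case carries a repeat count,
    first/last seen, an escalate flag and the reasons behind it.
    """
    cases: List[dict] = []
    latest: Dict[tuple, dict] = {}   # most recent open case per (host, rule, src)
    suppressed = 0
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if (a["rule"], a["src"]) in ALLOWLIST:
            suppressed += 1
            continue
        key = (a["host"], a["rule"], a["src"])
        case = latest.get(key)
        if case is not None and a["ts"] - case["last_seen"] <= WINDOW:
            case["count"] += 1          # same thing again: fold it in, do not page anyone
            case["last_seen"] = a["ts"]
            continue
        case = {"host": a["host"], "rule": a["rule"], "src": a["src"],
                "severity": a["severity"], "count": 1,
                "first_seen": a["ts"], "last_seen": a["ts"]}
        cases.append(case)
        latest[key] = case

    # Correlation across hosts: the same rule and source on many machines.
    hosts_hit: Dict[tuple, Set[str]] = defaultdict(set)
    for c in cases:
        hosts_hit[(c["rule"], c["src"])].add(c["host"])
    for c in cases:
        reasons = []
        if c["severity"] in ("high", "critical"):
            reasons.append("severity")
        if c["count"] >= REPEAT_THRESHOLD:
            reasons.append("repeats=%d" % c["count"])
        spread = len(hosts_hit[(c["rule"], c["src"])])
        if spread >= SPREAD_THRESHOLD:
            reasons.append("hosts=%d" % spread)
        c["escalate"] = bool(reasons)
        c["reason"] = ", ".join(reasons)
    return cases, suppressed


def queue_for_analyst(alerts: List[dict]) -> List[dict]:
    """Only the cases worth a human's time, most repeated first."""
    cases, _ = aggregate(alerts)
    return sorted((c for c in cases if c["escalate"]), key=lambda c: -c["count"])


if __name__ == "__main__":
    cases, dropped = aggregate(sample_alerts())
    print("raw=%d cases=%d suppressed=%d" % (len(sample_alerts()), len(cases), dropped))
    for c in queue_for_analyst(sample_alerts()):
        print(c["host"], c["rule"], "x%d" % c["count"], c["reason"])
```

On the constructed input, 33 alerts become six cases, of which five reach the analyst queue: the 25-alert brute-force burst, the single high-severity AV hit, and the three beacon alerts that only look serious once you notice they share a rule and a source across three hosts. The lone repeat of the brute-force rule half an hour later stays off the queue, which is the trade-off to keep in mind: window and threshold values suppress noise, and they need to be reviewed against the detection deficiencies found in testing.
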

Final thoughts

In conclusion, it's crucial to create an effective and adaptable incident response plan. This helps not only with surviving in the modern threat landscape but also with controlling IT security costs. A well-exercised plan also protects your intellectual property and customer data from being leaked, which would inflict major damage on your brand.

By ensuring you have effective detection methods and a clear process for alerting the correct personnel, clearly defining the roles of each member on the incident response team, consistently testing and implementing new solutions to keep your defenses up-to-date, focusing on the metrics that actually matter, and implementing automation software, you can craft an incident response plan that serves you well.

Contact CyberSponse today to learn more about the incident management tools we offer to help make your incident response team more effective and efficient.