
Planning for the Breach: Part 1

Defense is not Enough: Plan for the Breach

A strong defense is not merely important; it is critical. Without a focused defensive posture, one that adapts to emerging threats and prepares to fight the "next war", you will be overrun.

But even the best defensive tools and strategies do not make for an inviolable structure. Cities are besieged. Armies have marched over, under and around barriers for centuries. The lever of asymmetric warfare is the exploitation of real and virtual weaknesses. If spies and covert actors are not already in your midst, expect the adversary to recruit them.

At some point, all IT systems will be breached. The question is, what is your plan to mitigate the effect when it happens to you?

  • Do you have containment, eradication and recovery plans?
  • Have you optimized your response processes with (1) a clearly defined command topology, (2) observable and accountable action steps in a predefined workflow, (3) communication protocols that address both the technical and the supporting roles of your organization, and (4) the right level of process automation?

A response plan is evidence of preparation. And preparation is more critical to quickly thwarting bad actors in your environment than several rooms full of cyber SMEs with "plans" stuck in their heads.

As the fog of war descends on a breached environment, a plan for the way forward is pivotal. As Colonel VanDriel put it in Bridging the Planning Gap: Incorporating Cyberspace Into Operational Planning (2015):

"if a commander…ignores (planning for) cyberspace, not only will that commander have ceded the cyberspace domain to the adversary, but the adversary can then proceed to undermine that commander's effectiveness in the other four domains (of warfare)."

No plan can anticipate every variation of the malevolence that threat actors will dispatch. However, in responding to a breach, a lot of people will need to get a lot of things done, frequently simultaneously. If you are spending time and resources during a breach deciding what should be done, you have likely wasted critical time and will commit unnecessary, unforced errors. Moreover, the more of your predefined plan is automated, the more efficiently it will execute, and the more complete the auditable, post-incident record of who did what, and when, will be.
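To make the "predefined workflow with observable, accountable steps and an audit trail" concrete, here is a small playbook runner. It is an added example written for this page, not code from any SOAR product: the incident (INC-0001, host ws-1234, user jdoe), the step names, the owning roles and the four actions are constructed stand-ins, and each action only records state in the incident dictionary rather than calling a real EDR or identity system. What it shows is the shape of the plan: every step has an accountable owner and a phase (containment, eradication, recovery), destructive steps are gated behind an approval, manual and automated steps are recorded alike, and the runner halts at the first blocked or failed step so recovery never runs ahead of containment.

```python
"""Predefined incident-response playbook with an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass
class Step:
    """One predefined, accountable action in the response workflow."""
    name: str
    phase: str                       # "containment", "eradication" or "recovery"
    owner: str                       # role accountable for the step
    action: Callable[[Dict], str]    # performs the step, returns a short outcome
    automated: bool = True           # False: a human executes it, runner records it
    requires_approval: bool = False  # gate destructive steps behind the IC


@dataclass
class AuditEntry:
    timestamp: str
    phase: str
    step: str
    owner: str
    mode: str      # "automated", "manual", "blocked" or "failed"
    outcome: str


@dataclass
class Playbook:
    name: str
    steps: List[Step]
    audit: List[AuditEntry] = field(default_factory=list)

    def _record(self, step: Step, mode: str, outcome: str) -> None:
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     step.phase, step.name, step.owner, mode, outcome))

    def run(self, incident: Dict, approve: Callable[[Step], bool]) -> List[AuditEntry]:
        """Execute steps in order. Stop at the first blocked or failed step so a
        later phase (recovery) never runs before containment/eradication finished."""
        for step in self.steps:
            if step.requires_approval and not approve(step):
                self._record(step, "blocked", "approval denied by incident commander")
                break
            try:
                outcome = step.action(incident)
            except Exception as exc:          # the action itself failed
                self._record(step, "failed", f"{type(exc).__name__}: {exc}")
                break
            self._record(step, "automated" if step.automated else "manual", outcome)
        return self.audit

    def status(self) -> Dict[str, int]:
        """Count of audit entries per mode, e.g. {"automated": 2, "blocked": 1}."""
        counts: Dict[str, int] = {}
        for entry in self.audit:
            counts[entry.mode] = counts.get(entry.mode, 0) + 1
        return counts


# Hypothetical actions: each only records state in the incident dict.
def isolate_host(inc: Dict) -> str:
    inc.setdefault("isolated", []).append(inc["host"])
    return f"network-isolated {inc['host']}"


def disable_account(inc: Dict) -> str:
    inc.setdefault("disabled", []).append(inc["user"])
    return f"disabled account {inc['user']}"


def reimage_host(inc: Dict) -> str:
    return f"reimage of {inc['host']} scheduled"


def restore_service(inc: Dict) -> str:
    return f"{inc['host']} returned to service"


def build_playbook() -> Playbook:
    """A constructed compromised-workstation playbook; roles and names are assumed."""
    return Playbook("compromised-workstation", [
        Step("isolate host", "containment", "SOC analyst", isolate_host),
        Step("disable account", "containment", "IAM on-call", disable_account),
        Step("reimage host", "eradication", "desktop engineering", reimage_host,
             automated=False, requires_approval=True),
        Step("restore service", "recovery", "service owner", restore_service,
             automated=False),
    ])


SAMPLE_INCIDENT = {"id": "INC-0001", "host": "ws-1234", "user": "jdoe"}  # constructed


def respond(approve: Callable[[Step], bool] = lambda s: True) -> Playbook:
    """Run the playbook against a fresh copy of the sample incident."""
    playbook = build_playbook()
    playbook.run(dict(SAMPLE_INCIDENT), approve)
    return playbook


if __name__ == "__main__":
    for e in respond().audit:
        print(f"{e.timestamp} [{e.phase}] {e.step} ({e.owner}) {e.mode}: {e.outcome}")
```

The approval callback is where the command topology meets the workflow: in practice it would page the incident commander, while the audit entries are what you hand to the post-incident review. Denying the reimage approval yields a record that ends at a "blocked" entry, which is exactly the unforced error the plan is meant to make visible rather than silent.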