Planning for the Breach: Part 2
Regulators, breach costs (and soon insurers) are driving Incident Response (IR) requirements and the evolution of standards around breach preparation and containment. Technology, however, will play an increasingly important role in bringing solutions that respond to regulators, litigation-driven costs, post-response audits and insurer standards as well as the expense of training, and operating an efficient IT team.
Technology and the Team
Many of the established network appliances are beginning to add “Incident Response” modules into their framework. These, however, fall short of providing a solution that can seamlessly integrate all other devices. The flexibility of the “bolt-on” IR solutions to the myriad environments of users is further limited by proprietary development code.
Organic IR platforms are beginning to emerge. They should be seen as more than just another network tool, since in their best use-case they provide an environment for an integrated security platform. If today’s network security tools best resemble a patchwork of the latest weapons to fight the last war, the best-of-breed IR platforms can bring true Command, Control, Communications, Computers, and Intelligence (C4I).
At the heart of technology’s support of IR is enhancing the efficiency of operations. Moving beyond the management of incidents by spreadsheets, email, screen-jockeying and ticket-tracking is just the beginning. A security middleware can optimize personnel services, with repeatable workflows reducing on-boarding requirements for new personnel, reducing human error of incident responders, and creating a framework for both pre- and post- response training and learning exercises. Discrete machine-to-machine automation brings an additional advantage to the single-platform C4I, while a repository source of detailed information can be leveraged to support a wide range of role-based access, deployment, audit, regulatory or firm-driven environmental requirements.
The best of the category-creating Incident Response technology solutions:
- Are vendor agnostic, providing visibility and ingesting data and threat metrics from the disparate range of security network and application elements
- Establish a single-pane platform for security program management and full life-cycle security operations
- Automate incident response playbooks corresponding to pre-established workflows that notify and track the progress of responsible parties (including escalation hierarchies). Workflows accommodate the movement of incident response from technical activities (systems, data, assets, containment, eradication) to business processes (customers, services, impact, internal and external notifications) and post-recovery analysis.
- Create a real-time central communications platform (computer, encrypted SMS and/or voice) with an automated coordination and documentation process specific to each event/incident.
- Make IR practices (both technical and supporting) repeatable and evolutionary (based on complete incident record maintenance and after action analysis).
- Easily customize ingested data from security tools into a user interface that corresponds to any corporate security (regulatory) environment (requirements).
- Provide for bi-directional communications between the IR platform and the various security devices.
- Incorporate investigation and forensics activities in a single source, capturing, storing and aggregating detailed evidence on the history of events, responses, mitigation, assets and persons in the network.
- Enable SOC teams with event correlation and data intelligence capabilities.
- Monitor patch management to ensure asset security patches are tested and implemented within established criticality time frames/thresholds.
- Provide a framework for desktop training and drills to pre-plan and practice incident response.
- Contain a recovery platform with root cause analysis and documentation reporting from all data sources in the security network. Identifies gaps in preparation and execution plan and determines what methods and tools might help in the future.
- Enables active threat information sharing with ISCs, ISAOs or directly to other trusted entities and capable of using standardized languages for threat information.
As the security mindset becomes increasingly proactive, leveraging the advantage of IR technology will be pivotal to containing the inevitable. Are you ready for the breach?