Many companies have an incident response plan that looks great on paper but has never been tested in execution. Key stakeholders must agree on the strategy, evolve it over time and be able to implement it confidently during an incident.
An analogy illustrates the point: aircraft manufacturers spend millions of dollars on mechanical and avionics systems to maintain and improve aircraft safety, yet they still install life vests and emergency escape chutes. Airlines train flight crews on emergency procedures, and passengers receive a safety briefing before every flight. Your security program should prevent as many attacks as possible, but you should also prepare for the attacks that slip through your defenses.
Here are six areas of an effective response plan:
Governance
A clear reporting structure across your team is crucial, so that roles and responsibilities are reinforced by leadership regularly. Governance is more than compliance with applicable regulations and laws. It includes ensuring that the security team’s structure aligns with the organization’s overall goals and mission statement, supported by employees who understand their specific roles during an incident. It is crucial to detail the job duties and reporting relationships of personnel across the entire incident response plan and to identify potential conflicts along the way.
Communication
A successful incident response plan depends heavily on quickly sharing information with the appropriate internal and external parties, whether that is another department within the same organization or a third party outside the company, including security vendors, government agencies and law enforcement.
Defining incidents by category or severity is a requirement for effective communication. It expedites notification to the appropriate leaders, and the response plan should define which leaders and levels of management to alert as an incident unfolds. If you don’t communicate fully and effectively, you aren’t responding effectively. Organizations should never assume proper communication will occur naturally.
Visibility
Do you know what is happening on your network every day? This is vital. Technology and processes should provide visibility throughout your company so you can quickly detect and scope incidents at scale. Being aware of your threat landscape will enable you to quickly defend your company’s critical infrastructure.
An effective way to measure visibility is through your ability to track the activity logs of your many network security appliances. Logs alert your security team when unauthorized users are in your network or when an attack is already underway.
You can reveal blind spots by assessing your visibility. For example, if a group in your company is granted exemptions from certain security requirements to speed up network processes, its networks may not be fully visible to the security team. Understanding what your network is supposed to look like better equips you to spot activity that doesn’t belong.
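The three visibility checks described above (logs that flag unauthorized users, logs that show an attack already underway, and blind spots where inventoried hosts send no logs at all) can be put into working code. The following is an added example written for this page, not code from the original post or from BIS Technology Group. It assumes a simple one-line-per-event log format (timestamp, host, user, source IP, result), a hand-maintained roster of authorized accounts and expected source ranges, and an asset inventory; all of the sample log lines and inventory entries are constructed for the example.

```python
"""Added example (not from the original post): visibility checks over
constructed log lines. The log format, roster, address ranges and
inventory below are assumptions made for this example."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp host user src_ip result".
SAMPLE_LOGS = """\
2024-03-04T08:01:10 vpn-gw1 alice 203.0.113.5 success
2024-03-04T08:02:44 fileserver bob 10.0.5.23 success
2024-03-04T08:03:01 fileserver svc_backup 10.0.9.8 success
2024-03-04T09:15:32 vpn-gw1 mallory 198.51.100.77 success
2024-03-04T09:16:02 dc01 bob 192.168.50.4 success
2024-03-04T09:20:00 dc01 carol 10.0.5.40 failure
2024-03-04T09:20:05 dc01 carol 10.0.5.40 failure
2024-03-04T09:20:09 dc01 carol 10.0.5.40 failure
2024-03-04T09:20:14 dc01 carol 10.0.5.40 failure
2024-03-04T09:20:18 dc01 carol 10.0.5.40 failure
"""

# Constructed "what the network is supposed to look like": accounts that
# are expected to log in, and the address ranges logins should come from.
AUTHORIZED_USERS = {"alice", "bob", "carol", "svc_backup"}
EXPECTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]
# Constructed asset inventory: every host the security team expects logs from.
ASSET_INVENTORY = {"vpn-gw1", "fileserver", "dc01", "lab-switch7", "marketing-nas"}
# Assumed thresholds for "an attack is already underway" (password guessing).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=1)


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "src": ipaddress.ip_address(src),
                       "result": result})
    return events


def find_unauthorized_logins(events):
    """Successful logins by unknown accounts or from unexpected networks."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        if e["user"] not in AUTHORIZED_USERS:
            findings.append(("unknown-account", e["user"], e["host"]))
        elif not any(e["src"] in net for net in EXPECTED_SOURCES):
            findings.append(("unexpected-source", e["user"], e["host"]))
    return findings


def find_failed_login_bursts(events):
    """Accounts with THRESHOLD failures inside WINDOW on one host."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_key[(e["user"], e["host"])].append(e["ts"])
    bursts = []
    for (user, host), times in by_key.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            if times[i + FAILED_LOGIN_THRESHOLD - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                bursts.append((user, host, FAILED_LOGIN_THRESHOLD))
                break
    return bursts


def find_blind_spots(events):
    """Inventoried hosts that produced no log events at all."""
    reporting = {e["host"] for e in events}
    return sorted(ASSET_INVENTORY - reporting)


def run_visibility_checks(text=SAMPLE_LOGS):
    events = parse_log(text)
    return {"unauthorized": find_unauthorized_logins(events),
            "bursts": find_failed_login_bursts(events),
            "blind_spots": find_blind_spots(events)}


if __name__ == "__main__":
    for name, items in run_visibility_checks().items():
        print(name, items)
```

On the constructed input, the checks surface a login by an account that is not on the roster, a roster account logging in from an address range the plan does not expect, a burst of failed logins on the domain controller, and two inventoried hosts that never reported a line. That last result is the blind spot the text describes: a host that is in the inventory but invisible to the security team until it sends logs.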
Threat intelligence
A detailed understanding of attacker tactics, techniques and procedures dramatically improves the quality and speed of your response. While this information is not always easy to obtain, gaining this insight helps you better anticipate an attacker’s next move. Some cyber threat intelligence comes from aggregating publicly available information from online sources.
News stories and blogs share information on well-known attacks, details of how they unfold and what steps you should take to protect your network from them. A security team should never rely on publicly available information alone, however.
Response
How you respond when an actual incident occurs is the ultimate test of your security posture. Your response plan must identify the processes and technologies that your cyber incident response team uses to identify, categorize, investigate and remediate security events. Before an incident occurs, you need to answer these key questions:
- Did your team receive suitable training to respond effectively and efficiently to an incident?
- Does your company have the right hardware and software to respond across your enterprise?
A security plan on paper is only part of the solution. Relying on institutional knowledge rather than the written plan can result in poor security behavior, especially if key personnel are absent or never-before-seen threats appear.
Metrics
How effectively and efficiently does your company respond to incidents? That is what metrics answer. Metrics should include the following:
- After you identify a breach, how long does it take to fully remediate and remove the threat from your environment?
- After the attack has been contained, how long does it take to fully remediate and remove the threat from your environment?
Metrics objectively measure how efficient your people, processes and technology are, and they can be tracked and automated across the whole system. The process is geared toward steady improvement and goes smoothly when incident response performance metrics align with security and business goals.
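The two timing questions listed above, plus time to containment, are straightforward to track and automate once each incident record carries a detection, containment and remediation timestamp. The following is an added example written for this page, not code from the original post or from BIS Technology Group. The incident records, the severity levels and the per-severity target hours are all constructed assumptions for the example; the targets are illustrative numbers, not an industry standard.

```python
"""Added example (not from the original post): incident response timing
metrics computed from constructed incident records."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed incident records; ids, severities and timestamps are made up.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "detected": "2024-01-10T09:00",
     "contained": "2024-01-10T13:00", "remediated": "2024-01-12T09:00"},
    {"id": "INC-2", "severity": "medium", "detected": "2024-01-15T10:30",
     "contained": "2024-01-15T18:30", "remediated": "2024-01-17T10:30"},
    {"id": "INC-3", "severity": "high", "detected": "2024-02-01T22:00",
     "contained": "2024-02-02T04:00", "remediated": "2024-02-02T22:00"},
    {"id": "INC-4", "severity": "low", "detected": "2024-02-20T08:00",
     "contained": "2024-02-20T09:00", "remediated": "2024-02-21T08:00"},
]

# Assumed per-severity targets in hours (example numbers only).
TARGET_HOURS = {
    "high": {"contain": 4, "remediate": 48},
    "medium": {"contain": 12, "remediate": 72},
    "low": {"contain": 24, "remediate": 120},
}


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def incident_metrics(inc):
    """Per-incident timings matching the questions in the text:
    detection -> containment, detection -> remediation, containment -> remediation."""
    return {
        "id": inc["id"],
        "severity": inc["severity"],
        "time_to_contain_h": hours_between(inc["detected"], inc["contained"]),
        "time_to_remediate_h": hours_between(inc["detected"], inc["remediated"]),
        "remediate_after_containment_h": hours_between(inc["contained"], inc["remediated"]),
    }


def summarize_by_severity(incidents=INCIDENTS):
    """Mean timings per severity level."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc["severity"]].append(incident_metrics(inc))
    return {
        sev: {
            "count": len(ms),
            "mean_time_to_contain_h": mean(m["time_to_contain_h"] for m in ms),
            "mean_time_to_remediate_h": mean(m["time_to_remediate_h"] for m in ms),
        }
        for sev, ms in groups.items()
    }


def missed_targets(incidents=INCIDENTS, targets=TARGET_HOURS):
    """Incidents whose containment or remediation exceeded the severity target."""
    misses = []
    for inc in incidents:
        m = incident_metrics(inc)
        t = targets[inc["severity"]]
        if m["time_to_contain_h"] > t["contain"]:
            misses.append((inc["id"], "contain", m["time_to_contain_h"]))
        if m["time_to_remediate_h"] > t["remediate"]:
            misses.append((inc["id"], "remediate", m["time_to_remediate_h"]))
    return misses


if __name__ == "__main__":
    for sev, stats in summarize_by_severity().items():
        print(sev, stats)
    print("missed targets:", missed_targets())
```

Splitting the remediation clock at containment keeps the two questions in the text distinct: a long detection-to-remediation time with a short containment time points at slow cleanup, while a long containment time points at the detection and triage stage. Tying each timing to a severity-specific target is what lets the numbers feed a steady-improvement process rather than sit in a report.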
We’re happy to answer any of your questions and make sure your company is on the right track in preparing for a cyber-attack. Give us a call or schedule a meeting directly from our website!
Phillip Long - CISSP, CEO of BIS Technology Group, along with his team of marketing and information technology experts, will walk you through an overview of what your business should be doing to protect your data and plan your digital marketing strategies.
About BIS Technology Group
BIS Technology Group is the technology leader on the Gulf Coast and is comprised of four divisions: Information Technology, Web Design & Digital Marketing, Office Equipment and Business Consulting. Together these divisions help local businesses exceed expectations and allow them to grow to their full potential while minimizing risks. To learn more about BIS Technology Group, visit bistechnologygroup.com.
You may reach out to us at: