From my past articles, you can probably tell that I like to preach about focusing on the basics of security management rather than the latest shiny security tool. Things like vulnerability management, identity and access management, security awareness, etc. all help lower risk and improve security if mastered. However, if you are the target of focused hackers, you better have sound response capabilities or the incident could be devastating to you and the organization. For this reason, incident response needs to be a major focus in 2015.
Unfortunately, the majority of security professionals spend most of their time trying to implement the latest protection solutions and ignore their response capabilities. With the breach-happy environment of today, an equal amount of effort must be applied to incident response so the impact of issues can be reduced. If you are rusty or never bothered to work on incident response capabilities, take the time to dust off your best-practice-of-choice to determine where you stand:
Major security best practice/frameworks all have an incident response component:
NIST Cyber Security Framework: RESPOND (RS)
ISO27001: Information Security Incident Management Objectives
NIST 800-53: IR-Incident Response
SANS Top 20: Incident Response Management
Reviewing your current documented incident response processes is a great place to start. Unless you have been reviewing these processes on a regular basis, there most likely are gaps that need to be addressed. Some common pitfalls of documentation include:
- Outdated/Decommissioned technologies are referenced
- Organizational changes have occurred
- Contact information is out of date
- Security tools no longer work as expected
- Security tools need optimization
Incident Response Detection, Documentation and Testing
Your ability to detect incidents and be notified about incidents is definitely an important component to review as well. When evaluating the technical components of your plans, take time to fine-tune the technologies that play into your response plans. This includes both the systems that are at risk as well as the security systems designed to protect your systems. Log/Audit settings should be optimized and notification criteria must be accurate. If millions of alerts are being sent out today, your security team is probably ignoring or missing meaningful events. Fine-tune the settings to ensure only appropriate alerts are reaching your teams.
While updating documentation is needed, TESTING of an incident response plan is critical to validate everything works as planned. It is rare that a documented plan encompasses every scenario, so the only way to learn about gaps is to actually test the plans. Incident response tests should be performed regularly with different test scenarios to validate the plans work as expected. Without testing, you are almost guaranteed to respond poorly during an actual event. Testing also needs to involve the business so they understand their reporting responsibilities.
Speaking of reporting responsibilities, effective incident response depends on knowing about the incident in the first place. Embed incident reporting requirements into security awareness/education initiatives so workers know how and when to report potential incidents. In many instances, the end-users are the first line of defense, so an educated workforce goes a long way in limiting impacts of a breach.
It isn’t necessarily fun work, but incident response is a critical component of every security program. Now, more than ever, security organizations need to validate that they can respond effectively during security incidents even when operating with reduced staff. When response processes are ignored or misinterpreted, your career and your business certainly suffer.
Learn the role IT automation and business driven self-service administration play in creating lean operations. KuppingerCole’s Assignment Management — Think Beyond Access describes the shift in IT operations from tightly controlled identity management processes to workflow enabled administration.