Strategic Incident Response: The Art of Choreographed Reaction

Making Incident Response a Top Priority and Developing a Policy and Process Can Limit The Damage Caused by a Data Breach.

In today’s increasingly interconnected business environment, data breaches have become a fact of life. The recent massive breach at Target is just the latest example. But a breach no longer has to sound the death knell for a business. How an organization responds to a breach determines the financial and brand impact it will have. If it’s done wrong, there can be significant financial and reputational repercussions. If it’s done right, a business impacted by a breach can actually draw praise from customers, business partners, and regulators. So what steps are required to handle a breach and how do you implement them in a well-choreographed fashion so that your organization can respond to any incident?

Even large enterprises with million-dollar budgets are not immune to hackers and information theft. One good example was the widely publicized breach experienced by Adobe Systems where information on 38 million customers was illegally accessed and source code for several of its products was reportedly stolen. This was a potentially disastrous incident; however, Adobe’s response demonstrates that when done right, the company’s brand and financial position can remain solid. Adobe choreographed a swift response. They provided sufficient information about the scope of the breach and the measures they were taking to minimize the impact to customers. As a result, the company’s valuation did not suffer. In fact, Adobe’s stock price increased the day after the breach was announced.

Unfortunately, not all organizations have such a well-oiled incident response management program. A prime example of incident response done wrong is the breach that targeted the Department of Revenue of South Carolina. After being informed by the U.S. Secret Service of a data breach that involved 3.8 million Social Security numbers, 3.3 million bank account numbers, and information for nearly 700,000 businesses, the Department of Revenue of South Carolina allowed more than two weeks to lapse before they informed the public. Then Governor Haley fumbled. She initially told the public that the breach was sophisticated and couldn’t have been prevented. When it became obvious that the agency had not implemented even basic security measures, such as encrypting the personal (and regulated) data on its citizens, she was forced to back-pedal on her earlier statements, making her appear either deceitful or ignorant. The subsequent fallout included the firing of several high-ranking agency employees and cost the state millions of dollars in compensation for fraud alert services.

So what steps can be taken to implement and leverage incident response management as a valuable weapon for limiting material or reputational damages associated with data breaches?

Organizations should begin by establishing a policy that defines in detail what constitutes an incident and laying out a step-by-step process to be followed.

First, gather the right people to form the incident response team. US-CERT and the SANS Institute have assembled best practices for creating an incident response team. This group should include security and general IT staff as well as representatives from legal, human resources, and public relations departments.

According to the SANS Institute, there are six main steps to handling an incident effectively. The preparation phase includes policy development, logging review guidelines, disclosure practices, tabletop exercises, compliance integration, and ongoing training of users and IT staff. Steps two through five focus on how to respond to a security breach, including identification, containment, eradication, and recovery. These steps entail incident classification, digital forensics, malware analysis, system restoration, and public disclosure. The final step is post-incident analysis, which is important for identifying lessons learned, document gaps, and necessary enhancements using a closed-loop process.

To implement and sustain a winning incident response management process, senior management must be on-board. Incident response management doesn’t work well when it is an ad-hoc process that can be abandoned in the next round of budget cuts.

On paper, incident response management sounds straightforward and should be simple to implement. However, the rubber meets the road when an incident occurs and a response is required. Will members of the incident response team remember their duties and fellow stakeholders when they receive a call about an incident on a Saturday at 4:00 a.m.? In most organizations, the answer is no. Why is incident response management in the field so difficult to achieve?

Policies and stakeholder information are typically contained in multiple and dispersed documents, which makes it challenging to quickly access when a security breach occurs. This can result in a delayed or inappropriate response. Furthermore, organizations that use manual incident response processes must rely on human interaction to share information and alert stakeholders, which can delay response times even further. This basic lack of alerting and escalation functions often leaves an organization vulnerable.

In the midst of a breach, it is extremely difficult to effectively prioritize the remediation response. In today’s dynamic risk ecosystem, even smaller organizations face hundreds of incidents on an ongoing basis. Organizations must determine the order in which incidents need to be remediated. This should be done based on the level of risk and business impact. Calculating risk and business impact is difficult, if not impossible, without input from and analysis across the organization’s infrastructure. Automated tools can assist with risk determination and prioritization. Once the organization has determined its incident remediation strategy, the next step is to track the process of remediation – how long it will take, who is responsible, and who will take action to ensure remediation is accomplished within the timeframe established.

Ultimately, the biggest challenge associated with incident response management is documenting the entire process. In many instances, once an incident is identified by one group, the remediation actions are executed by a different group. Without interconnectivity into remediation systems and a centralized repository for capturing this data, it becomes almost impossible to establish an audit trail and determine how effective remediation actions were, whether they were brought up to compliance, or how they could be or must be improved or rectified.

The fact that organizations are relying on human interaction and dispersed systems can lead to major deficiencies and slow down an organization’s responsiveness. To overcome these shortcomings and streamline the overall process, some organizations are turning to incident response management software. A software-based approach helps organizations collect data from a variety of security and IT tools as well as other applications such as spreadsheets. It can aggregate the data and calculate the preliminary risk and business impact, enabling an organization to more effectively prioritize their response plan actions and timing. These systems also route and assign incidents based on type, severity, or affected assets; alert the assigned stakeholders; and provide for escalation if needed. Ultimately, all remediation efforts are tracked and all of the collected data is leveraged to measure controls and policy effectiveness as part of the incident post-analysis.

By making incident response a top priority and developing a well-documented policy and process that is understood by stakeholders, organizations can limit or even prevent reputational and share price erosion caused by a breach, as was the case with Adobe. Using software to automate and centralize manual incident response management processes can help reduce human error to ensure a timely, well-executed response if a data breach occurs.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
