Why you need better incident response – and how to do it (Part 1)
- Posted on March 13, 2019
- Estimated reading time 2 minutes
This is the first of a two-part series on incident response (IR). In this debut post, we describe the risks of not being prepared, and the benefits of a fully-fledged IR strategy. In part two, we will cover the best practices for assembling and executing your own IR plan.
The ICMA Cybersecurity Research Report observed that more than 32.8% of systems face attacks, incidents, and breaches hourly. These figures apply almost universally, to businesses small and large. Corroborating reports indicate that the number of attacks has held steady for several years: it has not increased, but neither has it decreased.
What is even more worrisome is that 62% of respondents don't know whether they have had data stolen; 34% don't know whether records have been changed or whether downtime was caused by malice; and 29% don't know whether they have ever been attacked.
Since these events are not going away any time soon, there is no substitute for practicing incident response exercises.
Failure to do so risks consequences, such as:
- Time wasted during actual incidents:
  - Searching for IR documentation
  - Identifying the correct Plan of Correction (POC) for the affected systems, services, or servers
  - Identifying and contacting the correct approval authority
- Poor preservation of forensic evidence:
  - Relying on analyst-dependent investigational procedures
  - Hesitancy to contact key personnel during off hours
  - Nonstandard incident resolution and/or unapproved solutions
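The "analyst-dependent investigational procedures" point above is the one that most often costs an organization its forensic evidence: if each responder copies artifacts their own way, nobody can later prove that what is in the case file is what was on the host. The following is an added example, not code from the original post or from any tool it mentions, of the kind of standardized collection routine a SOC can drill with. It assumes (hypothetically) that evidence is a set of files on the responder's host and that the case record is a per-case JSON manifest holding the collector, the collection time and the SHA-256 of every item; the case ID, analyst name and sample log lines are constructed for the illustration.

```python
"""Standardized evidence collection with a hashed chain-of-custody manifest.

Added example; not part of the original post. Assumed layout (hypothetical):
each case gets a directory holding copies of the artifacts plus manifest.json.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large images do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(case_id, collector, sources, dest_dir):
    """Copy each source into dest_dir and write a manifest; return the manifest path.

    Every item is hashed before and after the copy. A mismatch aborts the run so a
    corrupted copy never silently enters the case record.
    """
    os.makedirs(dest_dir, exist_ok=True)
    items = []
    for index, src in enumerate(sources):
        original_hash = sha256_file(src)
        # Prefix with an index so two sources sharing a basename cannot overwrite each other.
        dst = os.path.join(dest_dir, f"{index:03d}_{os.path.basename(src)}")
        shutil.copy2(src, dst)  # copy2 preserves mtime, which is itself evidence
        copied_hash = sha256_file(dst)
        if copied_hash != original_hash:
            raise RuntimeError(f"copy of {src} does not match source hash")
        items.append({
            "source": os.path.abspath(src),
            "stored_as": os.path.abspath(dst),
            "size": os.path.getsize(dst),
            "sha256": copied_hash,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest_path = os.path.join(dest_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump({"case_id": case_id, "items": items}, f, indent=2)
    return manifest_path


def verify_manifest(manifest_path):
    """Re-hash every stored item; return the paths whose hash no longer matches (or are missing)."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    mismatches = []
    for item in manifest["items"]:
        stored = item["stored_as"]
        if not os.path.exists(stored) or sha256_file(stored) != item["sha256"]:
            mismatches.append(stored)
    return mismatches


def demo():
    """Run collection on constructed sample artifacts and return the checks a reader can verify."""
    work = tempfile.mkdtemp()
    # Constructed sample artifacts standing in for a compromised host's files.
    log = os.path.join(work, "auth.log")
    with open(log, "w") as f:
        f.write("Mar 13 02:14:07 web01 sshd[4121]: Failed password for root from 203.0.113.9\n")
    note = os.path.join(work, "abc.txt")
    with open(note, "wb") as f:
        f.write(b"abc")  # standard SHA-256 test vector, so the digest is checkable by hand
    evidence_dir = os.path.join(work, "evidence")
    manifest = collect_evidence("IR-2019-0001", "analyst1", [log, note], evidence_dir)
    intact_before = verify_manifest(manifest)
    with open(manifest) as f:
        items = json.load(f)["items"]
    abc_sha256 = next(i["sha256"] for i in items if i["source"] == os.path.abspath(note))
    # Simulate someone editing a stored copy after collection.
    with open(os.path.join(evidence_dir, "000_auth.log"), "a") as f:
        f.write("tampered\n")
    mismatches_after = [os.path.basename(p) for p in verify_manifest(manifest)]
    return {"intact_before": intact_before, "abc_sha256": abc_sha256,
            "mismatches_after": mismatches_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of drilling with a routine like this is that the manifest, not the analyst's memory, becomes the record: a responder paged at 3 a.m. runs the same steps a senior analyst would, and any later alteration of the stored copies shows up as a hash mismatch.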
The real value of IR exercises
It’s not much of a stretch to say that conducting IR exercises is as important as industry training and certifications. Running frequent drills makes the proper response second nature, and that is what protects an organization and assures the readiness of your Security Operations Center (SOC).
Building a solid IR exercise takes many hours, but the benefits are significant, including:
- Proactively identifying security gaps in your data ecosystem
- Faster containment and recovery when (not if) intrusions happen
- Providing growth opportunities to the junior security team
- Keeping your IR plan document up to date
The takeaway: IR is a must for security readiness
To sum up, IR is an essential part of security readiness: it validates response procedures and exposes hidden processes; it integrates the responses of different departments and keeps them consistent across teams; and it identifies gaps in IR process documentation and propagates new and better response practices.
We need to get better at incident responses, or quite frankly, the crooks will win.
In part two of this series, I’ll show you exactly how to prepare and execute a successful IR readiness strategy. Stay tuned.