Incident response is an important part of any cybersecurity program. There have to be protocols in place for when an incident occurs. One of the first things a startup should do when implementing cybersec measures is to draft an IR program. It’s not a question of “if” a breach or incident will happen, it’s a question of “when.” Being prepared is vital to having a successful outcome.
The most successful IR programs have a team of people in designated roles who come in and triage the incident immediately. They are a cross section of the company's different facets, people who can hyper-collaborate and coordinate to triage quickly, and they work within a cultivated pattern of trust. The size of the team doesn't matter; it's better to have people in the meeting from all areas, because someone could have experience with something that isn't technically under their umbrella. They can help, or may offer to help, in an area outside their job scope simply because they have prior contextual experience, but you won't know that if they aren't in the meeting. The IR team follows the common steps: Prepare, Identify, Contain, Investigate, Eradicate, Recover, Follow up. Incidents are tracked and escalated as appropriate.
Anything that can be automated should be automated. The fewer people you have to wake up in the middle of the night, the better. Ideally, 100% of all immediate incident responses should be automated, so that no one wakes up in the middle of the night and a report is waiting at the office in the morning. When you see what action the system has taken, you can then diagnose a weakness and make adjustments as needed. The key to automation is knowing what normal is and setting parameters so that anything outside your normal is caught and reacted to.
Successful organizations have an automated, confidential ticketing system where incident data can be kept. It lets you keep track of where you are in the process of responding to the incident, ensure proper follow-up, and make sure the right people have access to necessary information quickly.
You want to keep records of events so that if you keep getting variations of an incident, you can anticipate further variations and begin to observe patterns, cutting through the noise of security data overload. But you really have to know what normal is first: it's knowing what is normal and reacting to anything outside those parameters. Anything that is abnormal is at least an event, and events need some kind of response or investigation to determine whether they are incidents.
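The baseline-then-deviation loop described above, as an added example that is not part of the original article: a per-host "normal" is learned from history, anything outside it becomes an event, large deviations become incident tickets with an automated response recorded, and a report is produced for the morning. The hostnames, failed-login counts, thresholds and the "auto-contained" note are all constructed assumptions.

```python
"""Baseline-and-deviation event handling (added illustration, not from the article).
Assumption: the only telemetry is a constructed per-host count of failed logins per hour."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed baseline: failed logins per hour observed over a "normal" week, per host.
BASELINE = {
    "web-01": [2, 3, 1, 4, 2, 3, 2],
    "db-01":  [0, 1, 0, 0, 1, 0, 0],
}
# Constructed overnight observations to evaluate against that baseline.
OVERNIGHT = {"web-01": 5, "db-01": 37}

@dataclass
class Ticket:
    host: str
    observed: int
    expected: float
    z_score: float
    status: str = "open"
    notes: list = field(default_factory=list)

def z_score(history, value):
    """How many standard deviations 'value' sits from the host's own normal.
    A host with zero variance gets a floor so that any change still registers."""
    sigma = pstdev(history) or 0.5
    return (value - mean(history)) / sigma

def triage(baseline, observed, event_z=2.0, incident_z=5.0):
    """Anything outside normal is an event; large deviations are escalated
    to incident tickets for the IR team. Returns (events, tickets)."""
    events, tickets = [], []
    for host, value in observed.items():
        z = z_score(baseline[host], value)
        if z < event_z:
            continue                      # within normal: nothing to wake anyone for
        events.append((host, value, round(z, 2)))
        if z >= incident_z:
            t = Ticket(host, value, round(mean(baseline[host]), 2), round(z, 2))
            # Stand-in for whatever automated containment the system performs (assumption).
            t.notes.append("auto-contained: source blocked pending IR review")
            tickets.append(t)
    return events, tickets

def morning_report(events, tickets):
    """Summary waiting at the office in the morning."""
    lines = [f"events: {len(events)}, incidents: {len(tickets)}"]
    for t in tickets:
        lines.append(f"[{t.status}] {t.host}: {t.observed} vs expected {t.expected} (z={t.z_score})")
    return "\n".join(lines)
```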
A good IR practice will illuminate these patterns throughout the company. Events are recorded by staff across the company and surface as incidents for the IR team to investigate. For instance, a team finds something suspicious on their servers, which don't have appropriate automated logging and monitoring. That incident should be escalated, because the team who found it may not know how to respond correctly, or, more importantly, what to do after eradication, such as setting up an automated response so that if the breach repeats you don't continue to have repeated incidents.
Using managed services is really important and consequential as well. Any time you think there is a potential for an inside actor, you should be looking at a third-party service. Any time you think your internal team may have hit the limits of its qualifications, or you need to respond quickly and don't know whether you have the resources or the response, you should have a third-party incident response team available.
There are also third-party managed services for monitoring your SIEM, your security information and event management system. Events are being registered, logs are being registered, and you're looking for anomalies. There are services that can manage surveilling the SIEM 24 hours a day, seven days a week. However, much of SIEM surveillance can be automated without needing a third-party managed service.
For response teams on the ground, if they are dealing with a series of events in succession, or very specific information is being targeted by attackers, it's probably a good idea to have a third-party managed service, whose staff are experts in this field and do IR all day long, augment or take over for the IR team. At minimum, having a second set of eyes from outside the company to give a different perspective can be useful in preventing further attack escalation.
The bottom line is that speed matters: the slower your response, the worse the damage will be. The worst response is no response at all, so if that means you hire a third party, then that's what you need to do.
Incident response is an important part of your business and should be integrated at the foundation. Remember, every business will experience an incident at some point in its life. Ensuring that the proper procedures are in place before an incident happens is vital to the survival of your company.