BreachExchange mailing list archives

Are you prepared to manage a security incident?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Jun 2014 13:31:04 -0600

http://www.net-security.org/article.php?id=2036

It’s the year of the breach. Adobe, Target and eBay fell victim to
cyber-attacks and 2014 has already seen the Heartbleed bug impact the
majority of organizations across the globe. With attacks getting more
advanced and hackers getting smarter, businesses across all sectors are
potential targets. It’s a case of when, not if, your company will be hit.

Appropriate incident response is therefore critical for minimizing the
impact of a breach, yet 77% of organizations do not have an incident
response plan at all according to a recent NTT Group report. This raises
the question: are you prepared to manage a security incident?

A change of plan

With incidents increasing in frequency, businesses are spending more time
and money on remediation – often working in the eye of a corporate storm to
resolve issues at the same time as trying to maintain business as usual.
Complex threats such as advanced persistent threats (APTs) are difficult and
time-consuming to unpick and may require specialist knowledge and resources
to comprehensively resolve. The problem is that businesses are turning a
blind eye to the importance of defining and testing an incident response
plan.

It’s time for businesses to treat information security breaches as part of
their business continuity planning, which means confidently managing
incidents in an efficient, low noise, repeatable manner. By having a
well-defined plan, and recognizing that security incidents will happen,
organizations will be better prepared to handle incidents effectively and
consistently.

Any company that suffers a breach certainly would not want to repeat the
experience and, by improving the maturity of its incident response plan, it
will reduce the risk of future incidents as well as reduce the financial
and reputational impact on the business.

What does an incident response plan look like?

An incident response plan is a formal process that defines what constitutes
an incident and provides step-by-step guidance on how to handle a future
attack. In order to limit damage and reduce recovery time and cost, it
needs to be kept up-to-date and then socialized among all of the involved
parties. Furthermore, tests should be carried out regularly so that people
understand their roles and responsibilities.

Good incident response starts with good risk insight and understanding of
information assets.

Not all incidents are of equal impact so every business must be able to
classify an incident that occurs. This can be done by establishing a
comprehensive and real-time view of network activity, which will enable an
IT team to quickly recognize that its company is under attack – and then
consequently implement a clear plan for appropriate remedial action.
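The classification step above joins two things the article says must exist before an incident: an asset register (what the affected system is worth and what data it holds) and the indicators the monitoring stack produces. The following is an added worked example, not code from the article or its author; every asset name, alert, weight, threshold and escalation list in it is constructed for illustration and would be tuned per organization.

```python
"""Incident classification worked example (added here; not from the article).

Classification joins an asset register (what the affected host is worth and
what data it holds) with the indicators the monitoring stack produced.
Every asset name, alert, weight and threshold below is constructed for
illustration and would be tuned per organization.
"""
from dataclasses import dataclass

# Constructed asset register: what the business knows about each host.
ASSET_REGISTER = {
    "db-cardholder-01": {"criticality": 3, "data": {"pci", "pii"}},
    "web-shop-02": {"criticality": 2, "data": set()},
    "kiosk-lobby-07": {"criticality": 1, "data": set()},
}
# A host missing from the register is itself a finding; assume mid criticality.
UNKNOWN_ASSET = {"criticality": 2, "data": set()}
# Constructed: data classes whose exposure triggers a notification review.
REGULATED_DATA = {"pci", "pii"}

# Constructed weights: how strongly each indicator type suggests real damage.
INDICATOR_WEIGHT = {"data_egress": 3, "malware": 2, "brute_force": 1, "scan": 0}

# Constructed playbook: who the plan says to page at each severity.
PLAYBOOK = {
    "critical": ["soc", "incident_manager", "legal", "pr", "executive"],
    "high": ["soc", "incident_manager", "legal"],
    "medium": ["soc", "incident_manager"],
    "low": ["soc"],
}


@dataclass
class Alert:
    host: str
    indicator: str           # one of INDICATOR_WEIGHT's keys
    confidence: float        # 0.0 .. 1.0 as reported by the detection source
    confirmed: bool = False  # True once an analyst has validated it


def asset(host):
    """Look up a host; unknown hosts fall back to the conservative default."""
    return ASSET_REGISTER.get(host, UNKNOWN_ASSET)


def risk_score(alerts):
    """Weighted sum: asset criticality x indicator weight x certainty."""
    total = 0.0
    for a in alerts:
        certainty = 1.0 if a.confirmed else a.confidence
        weight = INDICATOR_WEIGHT.get(a.indicator, 1)
        total += asset(a.host)["criticality"] * weight * certainty
    return total


def exposed_data(alerts):
    """Data classes on hosts where exfiltration or compromise is credible."""
    exposed = set()
    for a in alerts:
        credible = a.confirmed or a.confidence >= 0.8
        if a.indicator in ("data_egress", "malware") and credible:
            exposed |= asset(a.host)["data"]
    return exposed


def classify(alerts):
    """Turn a group of related alerts into a severity and an escalation list."""
    total = risk_score(alerts)
    exposed = exposed_data(alerts)
    regulated = exposed & REGULATED_DATA
    confirmed_egress = any(a.confirmed and a.indicator == "data_egress" for a in alerts)
    if regulated and confirmed_egress:
        severity = "critical"
    elif regulated or total >= 9:
        severity = "high"
    elif total >= 3:
        severity = "medium"
    else:
        severity = "low"
    return {
        "severity": severity,
        "score": round(total, 2),
        "hosts": sorted({a.host for a in alerts}),
        "exposed_data": sorted(exposed),
        "notify": PLAYBOOK[severity],
        # Flag for legal/compliance review only where regulated data is plausibly exposed.
        "external_notification_review": bool(regulated),
    }


if __name__ == "__main__":
    incident = [
        Alert("db-cardholder-01", "malware", 0.9),
        Alert("db-cardholder-01", "data_egress", 0.6),
    ]
    print(classify(incident))
```

The point of the structure is that the same alert lands at a different severity depending on what the asset register says about the host, and that the decision about whether external notification needs reviewing is made explicitly and early, rather than discovered later by the legal or PR team.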

Incident response must be designed with an organization’s goals and
compliance requirements at the forefront. The right intelligence on the
impact of any incident will drive a proportionate response and focus
resources to minimize damage and disruption. This way, those affected will
be able to resume business as quickly and smoothly as possible.

Ultimately, the route to better preparation is to build a structured plan
that clearly articulates the approach, benefits and measures for risk
reduction. With a clear understanding of the business and technology
infrastructure, an IT team can perform network and host based forensic
investigation into the incident, provide incident management capability and
deliver a summary post-incident report with recommendations.

The role of compliance

It is vital to understand where compliance fits into a company’s incident
response process and put in place a clear procedure to meet the specific
obligations for reporting incidents. This means knowing when and how to
notify law enforcement or specific industry regulators and, for
multinational companies, navigating through the regional variations,
complex privacy laws and notification requirements.

Establishing policies to share with other parts of the business affected by
a breach – whether PR, business continuity, risk or customer services teams
– is therefore crucial. Although it is not always essential to share
information about a breach with a company’s customers and partners, it will
be necessary to define and communicate a policy internally. It all depends
on the nature of the incident and how early the IT team can understand and
communicate what it is and what remedial action is being taken.

As security breaches naturally result in some finger pointing,
organizations should take advantage of internal collaboration to nurture
the incident response process. There is real value in using high visibility
exercises such as rapid response communication drills and tabletop
exercises, which involve simulating potential incidents to improve
awareness and define roles and responsibilities beyond the information
security teams. As a result, organizations will often see a heightened
sense of joint responsibility for effective resolution.

Don’t do it alone

Mature incident response does not necessarily mean spending more on
technology. Most organizations already have in place the technology they
need and this includes data loss prevention, perimeter defenses, and log
management.

What is often required is a trusted provider to help them implement an
incident response plan by developing the process and people to effectively
respond to an incident. This might involve working with customers to
establish what skills they already have, what they would need if they were
breached, and where they would go for help.

The beauty of outsourcing is that it provides and augments the in-house
skills of an organization and enables that organization to focus on
building and developing its business, while the outsourcer provides the
information on risks to enable the board to understand, prioritize and
manage risks and make informed decisions.

If a business with no in-house capability suffers an incident, a trusted
provider brought in at that point would be instrumental in developing its
incident response plan. The consultancy might involve:

Establishing incident management capability – incident handlers and
technical analysts determine the process structure to handle the incident
on the client’s behalf.

Analyzing forensics and containing the incident – analysts investigate,
identify, analyze and contain the cause of the incident.

Providing incident resolution – rapid response team provides support and
guidance to the client to resolve the incident.

Wrapping up the incident – trusted provider closes the incident and wraps
up affected on-site activities.

Delivering incident report and roadmap – the support team supplies a
post-incident report along with a tactical roadmap of recommendations to
reduce future risk.

Moving from reactive to proactive

It’s evident that faster, more efficient incident response will minimize
the impact and cost of an incident and protect a company’s data. By
establishing a dedicated response team, and maximizing the value of existing
technology investments, every business can plan and execute a mature
incident response strategy well. After all, if it is your company that is
targeted, you will want to see the fastest and most efficient return to
business as usual.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/