The Key Elements of Incident Handling and Response


The best incident handling plan is one that has been formalized: reviewed and approved by the responsible authority, published on the organization's internal channels, circulated and made available to staff, and revised whenever required. The plan should exist in more than one version. A basic version should be available to all staff so that everyone knows the steps they are expected to take in the event of a security incident, while the full plan is shared among managers and the members of the incident handling and response team.

The 13th Annual Cost of a Data Breach study by IBM found that a data breach costs an organization approximately $3.86 million on average, and considerably more for larger breaches [1]. A successful incident response plan reduces that financial burden. In further IBM research on incident response and intelligence services, an effective incident response capability was found to reduce the cost of a breach by $14 per compromised record, against an average per-record (per capita) cost of $148 [2].

A successful incident handling and response plan excels in five areas:

1. Visibility

A clear view of the security products deployed in an organization creates a strong foundation for any incident response management system. Data feeds must be aggregated from open-source products as well as in-house deployments. While deploying the incident response system, ensure that it is aligned with the existing security products and protocols. Few security products support the incident response plan by default, so the plan should be flexible enough to include bidirectional integrations with the security products that do not support it out of the box.

Bidirectional integrations are vital for orchestration and full automation, but they are not necessary for every technology, especially simple alerting and detection tools, for which unidirectional event forwarding is sufficient. Also ensure that the common methods of event forwarding and data transfer, such as database connections, APIs, syslog, email, and online forms, are supported.

2. Incident Management

A good incident response management system should manage the entire incident response lifecycle and enable the automation and orchestration of the security products the organization uses. At a minimum, it should handle basic case management: tracking cases, recording the actions taken during the incident, and reporting on key performance indicators.

An advanced incident response management system would be able to:

  • Track objectives
  • Track the action plan, including assigning tasks, recording total time spent, and updating the status of every task
  • Track all physical and virtual assets involved in the incident
  • Track the incident phase
  • Track evidence and indicators, and correlate and share them
  • Manage documents and reporting
  • Maintain evidence and chain-of-custody management
  • Track time and monetary cost

3. Process Workflows

As noted above, the crucial elements of incident response are the orchestration and automation of security products and work processes. This reduces repetitive tasks and allows analysts to improve their efficiency.

Workflows can be organized using either of two methods: flow-controlled workflows or linear-style playbooks. Each method has its own advantages and disadvantages; whichever you implement, ensure it fits the incident response system. The workflow engine should support both integrations, built-in or customized, and tasks that are manually defined for an analyst. Incident response lives and dies by a repeatable process, and workflows captured in playbooks or runbooks are often audited. Every step of an incident, from its classification to each action taken by the investigator, is documented in these books, so they are critically important.

4. Correlation with Threat Intelligence

A key element of a good incident response system is its ability to incorporate threat intelligence feeds. When an incident response system can correlate incident data with threat intelligence, it is more effective at discovering potential vulnerabilities, attack patterns, and other risks the organization is exposed to. Automated correlation with threat intelligence also helps identify ongoing incidents that resemble earlier ones.
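As an added illustration, not code from the original post, the following Python routine shows the kind of automated correlation described above: it normalizes a case's (possibly defanged) indicators, matches them against a constructed threat-intelligence feed, and scores overlap with constructed earlier incidents to surface similar prior cases. All feed entries, case ids and indicator values are constructed sample data.

```python
import re

# Constructed threat-intelligence feed: indicator -> (indicator type, campaign tag).
TI_FEED = {
    "203.0.113.45": ("ipv4", "constructed-campaign-A"),
    "bad-updates.example": ("domain", "constructed-campaign-A"),
    "d41d8cd98f00b204e9800998ecf8427e": ("md5", "constructed-campaign-B"),
}

# Constructed record of earlier incidents: case id -> indicators observed in that case.
PAST_INCIDENTS = {
    "IR-2023-007": {"203.0.113.45", "bad-updates.example", "198.51.100.9"},
    "IR-2023-019": {"192.0.2.77", "d41d8cd98f00b204e9800998ecf8427e"},
}


def normalize(indicator: str) -> str:
    """Undo common defanging (hxxp, [.]) and lowercase so case data and feed entries compare equal."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    s = re.sub(r"^https?://", "", s)  # drop the scheme ...
    return s.split("/")[0]            # ... and the path, keeping only the host


def correlate(case_indicators, ti_feed=TI_FEED, past=PAST_INCIDENTS, min_overlap=0.3):
    """Return (TI hits, similar earlier cases) for the indicators of a current case.

    TI hits map each matched indicator to its feed entry. Similar cases are earlier
    incidents whose indicator set overlaps this one with Jaccard similarity >= min_overlap,
    listed as (case id, similarity, shared indicators), most similar first.
    """
    observed = {normalize(i) for i in case_indicators}
    hits = {i: ti_feed[i] for i in observed if i in ti_feed}
    similar = []
    for case_id, past_set in past.items():
        shared = observed & past_set
        if not shared:
            continue
        jaccard = len(shared) / len(observed | past_set)
        if jaccard >= min_overlap:
            similar.append((case_id, round(jaccard, 2), sorted(shared)))
    similar.sort(key=lambda t: t[1], reverse=True)
    return hits, similar
```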

5. Collaboration and Information Sharing

Incident response is not a one-person show; it involves the participation of different teams and their individual members. To establish seamless collaboration and fluent information sharing across all teams and stakeholders, the incident response system should provide a highly effective collaboration environment. Authorized personnel such as management and stakeholders should receive regular updates on the status of the incident response, the details of the incident, and the allocation of tasks to team members. Communication should flow through defined channels so that updates on incident response activities are easy to access. Information sharing with related external entities, such as law enforcement agencies, should likewise follow defined channels. An effective information sharing channel contributes a great deal to combating cybercrime.

Establishing these five elements in your incident handling plan ensures that your organization is equipped with a program that can detect, analyze, contain, and mitigate a breach before it turns into a massive disaster.

Do you want to be an incident handler and work on a containment plan that reduces the cost of damage and mitigates further incidents? Join the industry-recognized credential program, EC-Council Certified Incident Handler (E|CIH). The latest iteration of the E|CIH program has been developed in collaboration with cybersecurity and incident handling and response practitioners across the globe. It is a method-driven program that covers the concepts from preparing and planning for incident handling and response to recovering organizational assets after an incident occurs. Learn more about the E|CIH at https://www.eccouncil.org/programs/ec-council-certified-incident-handler-ecih/.


[1] https://www.ibm.com/security/data-breach

[2] https://www.ibm.com/security/services/ibm-x-force-incident-response-and-intelligence?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US
