With each major public data breach our attention focuses on how to prevent these incidents. A good example is the recent security breach at LinkedIn, in which millions of passwords were stolen. Industry experts and the media immediately started to dissect what LinkedIn had done wrong or what methods or tools should have been used to prevent the incident. Unfortunately, at some point every organization will be faced with a security breach. This raises the question — are security professionals focusing on prevention at the expense of damage control preparation?
Incident response management can be described as the oft-neglected flipside of the security coin. When done right, as in the case of LinkedIn, incident response management becomes another weapon in an organization’s prevention arsenal — in this case prevention is focused on limiting material or reputational damages caused by data breaches. LinkedIn’s response was swift and offered sufficient information about the scope of the breach, as well as the measures it had taken to minimize the impact on its user community. Thus, the company’s valuation did not suffer, as illustrated by its steadily climbing stock price.
So what are the basic requirements and planning involved in developing a pro-active incident response plan?
The Basics
Incident response management is an organized approach for addressing and managing the aftermath of a security breach or attack — aka an incident. The objective is to manage the situation in a way that minimizes damage and reduces recovery time and costs. As part of incident response management, an organization should establish a policy that defines in detail what constitutes an incident and provides a step-by-step process to be followed when an incident occurs.
The US-CERT and SANS Institute have assembled best practices related to the creation of an incident response team. This carefully selected group should, in addition to security and general IT staff, include representatives from legal, human resources, and public relations departments.
According to the SANS Institute, there are six main steps to handling an incident effectively. The preparation phase includes policy development, logging review guidelines, disclosure practices, tabletop exercises, compliance integration, and ongoing training of users and IT staff. Steps two through five focus on how to respond to a security breach itself and are broken down into identification, containment, eradication and recovery.
These steps entail incident classification, digital forensics, malware analysis, system restoration, and public disclosure. The final step is post-incident analysis, which is important for identifying lessons learned, documenting gaps, and making necessary enhancements using a closed-loop process.
To successfully implement a pro-active incident response management process, securing buy-in and support from senior management is required. Incident response management needs to be taken seriously and cannot be treated as an ad hoc process that can be abandoned in the next round of budget cuts.
When the Rubber Meets the Road
This all sounds straightforward and should be simple to implement — at least on paper. However, this process typically breaks down when an incident occurs and a response is required. For example, will members of the incident response team remember their duties and fellow stakeholders when they receive a call on a Saturday at 4 a.m.? The answer most likely is no. So what makes incident response management in the field so difficult?
Policies and stakeholder information are often contained in multiple, dispersed documents, which makes them hard to access quickly when a security breach occurs. This results in a delayed response. Furthermore, a manual incident response process requires human interaction to share information and alert stakeholders, which leads to further response time delays. The basic lack of alerting and escalation functions often leaves an organization vulnerable.
Another major pain point is prioritizing the remediation response. It is particularly important for organizations to determine the order in which the incident remediation needs to occur. This should be done based on the risk and business impact. With no automation solution in place this calculation is simply not possible. Once the organization has determined its incident remediation strategy, the next step is to track how long the remediation will take, who is responsible, and who will take action. Without interconnectivity into remediation systems and a centralized repository of this data, it becomes almost impossible to determine how effective the remediation actions have been.
Ultimately, the biggest challenge associated with incident response management is documenting the entire process. In many instances, once the incident is identified by one group, the remediation actions are executed by a different group. Typically, there is no audit trail to track the remediation efforts or a process designed to centralize all related documents in one repository.
Taking It to the Next Level
It’s clear that relying solely on human interaction and dispersed systems can lead to major deficiencies that can slow down an organization’s responsiveness. This will ultimately impact its public reception and escalate damages caused by a security incident. To overcome these shortcomings and streamline the overall process, progressive organizations are leveraging incident response management software. This allows for automation and centralization of the incident response process and creates an audit trail for compliance reporting.
Advanced incident response management software helps organizations collect data from a variety of security and IT tools as well as other applications such as Microsoft Excel spreadsheets. It then aggregates the data and automatically calculates the preliminary risk and business impact, enabling an organization to prioritize the response plan actions and timing.
These systems also route and assign incidents based on type, severity, or affected assets, alert the assigned stakeholders, and provide for escalation if needed. Ultimately, all remediation efforts are tracked, and all of the collected data is leveraged to measure control and policy effectiveness as part of the post-incident analysis.
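The prioritization, routing, escalation and audit-trail functions described in the two paragraphs above, and the risk-and-business-impact calculation from the earlier section, can be sketched as a small triage engine. This is an added illustration, not code from any product the article refers to; the scoring tables, asset inventory, routing rules and SLA values are constructed assumptions, and time is simplified to integer minutes since the start of an on-call shift.

```python
from dataclasses import dataclass, field

# Constructed scoring tables: one plausible scheme, not a standard (assumption).
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_CRITICALITY = {"test-vm": 1, "hr-fileshare": 3, "customer-db": 4}  # constructed inventory
ROUTING = {"malware": "soc", "data-leak": "legal", "account-compromise": "iam"}
ACK_SLA_MINUTES = {1: 24 * 60, 2: 8 * 60, 3: 60, 4: 15}  # acknowledgement SLA per priority tier

@dataclass
class Incident:
    ident: str
    kind: str
    severity: str
    assets: list
    opened: int                       # minutes since the start of the on-call shift
    owner: str = ""
    acknowledged: bool = False
    audit: list = field(default_factory=list)   # (time, action) audit trail

def risk_score(inc):
    """Preliminary risk = severity x business impact of the most critical affected asset."""
    impact = max(ASSET_CRITICALITY.get(a, 2) for a in inc.assets)  # unknown asset: medium
    return SEVERITY_SCORE[inc.severity] * impact

def priority(inc):
    """Map the 1..16 risk score onto four tiers; P4 is worked first."""
    s = risk_score(inc)
    return 4 if s >= 12 else 3 if s >= 8 else 2 if s >= 4 else 1

def triage(inc):
    """Route by incident type and record the assignment in the audit trail."""
    inc.owner = ROUTING.get(inc.kind, "soc")
    inc.audit.append((inc.opened, f"assigned to {inc.owner} as P{priority(inc)}"))
    return inc.owner

def escalate_if_overdue(inc, now, manager="ciso"):
    """If the owner has not acknowledged within the SLA, reassign and log it."""
    deadline = inc.opened + ACK_SLA_MINUTES[priority(inc)]
    if inc.acknowledged or now <= deadline:
        return False
    inc.owner = manager
    inc.audit.append((now, f"acknowledgement SLA missed, escalated to {manager}"))
    return True

def remediation_order(incidents):
    """Queue order: highest risk first, older incidents first on ties."""
    return [i.ident for i in sorted(incidents, key=lambda i: (-risk_score(i), i.opened))]
```

Every assignment and escalation lands in the incident's audit list, which is the record the post-incident analysis and compliance reporting would draw on.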
By automating and centralizing manual processes, organizations can take a proactive approach to data breaches, transforming incident response management into a preventive measure much the way that LinkedIn did.