When you fail to plan, you plan to fail. And according to a plurality of veteran security experts, far too many organizations today plan to fail at cyber incident response.
That's because when it comes to responding to security events and full on breach crises, many organizations today still lack any kind of documented procedures for containment, triage, escalation, mitigation, or recovery from a security incident, let alone policies for handling breach notification and communication. The absence of an IR plan is by far the number one mistake named by security pros when asked about the pitfalls of running an incident response team. Number two was failing to test the plan once it is written.
In order to help organizations gain greater awareness of this fundamental problem in incident response and SOC management, we recently got a range of cybersecurity experts to weigh in on why a lack of planning is hurting incident response and to offer tips on how to best build out this key document for its security team.
Why Many Orgs Fail to Draft an IR Plan
"Unfortunately it is the same old story. Organizations are often not prepared to respond – they lack a defined containment and response strategy, or don’t having appropriate escalation plans."
"Our incident response teams have also seen a general lack of understanding from clients of the threats they face when responding to a breach. Several factors drive this general lack of understanding:
- No strategy has been applied to the incident response program, instead relying on a set of tools enabled with default settings that create a false sense of security.
- Lack of visibility into network traffic and endpoint data
- Over-reliance on legacy alerting tools to identify the 'Critical and Highs' without a focus on the rules associated with those detection devices
- Siloed information from different products or tools, without a correlated view of the security posture on a 'single pane of glass.'"
--Andrew Howard, CEO, Kudelski Security
What A Cyber Response Plan Should Include
"A solid plan should have three main elements:
- Preparation, an ounce of preparation is worth a pound of response – establish relationships pre-need, educate, and exercise
- Response, Isolate, ID scope, stop the bleeding, preserve evidence, make necessary notifications, etc.
- Recovery, get back to as close as possible to business as usual as fast as possible
"Too many plans we see only have the middle element and, worse, only concentrate on the internal implications and capabilities. In all likelihood, there will be several areas in which even the most mature and capable of organizations need outside specialized help."
--Jon Murphy, Cybersecurity, Data Privacy, GRC Consulting Practice Lead, Alliant Cybersecurity
Deciding on Length
"Incident Response Plans can vary greatly in length depending upon all of the different scenarios that the document may be called on to address. Some that deal only with a cyber-security breach incident may not be that long, but those that are meant to address multiple scenarios—cyber-attack, virus or malware outbreak, ransomware attack, etc.—can be quite long and are typically broken down into segments that deal with each of the different scenarios. In the latter case, the document may well be 100 pages or more in length."
--Tom DeSot, executive vice president and CIO, Digital Defense
Make Sure The Plan Itself Is Privacy Compliant
"Some plans appear 'great' on paper, but when actually exercised create a plethora of additional data privacy and security concerns. For example, data collection, interviews, and storage of sensitive data must be treated with care and not violate other security controls like emailing sensitive information from one team to another."
"The response must be secure and the workflow established be prescriptive enough to ensure that no additional violations occur."
--Morey Haber, CTO and CISO, BeyondTrust
Thoughts on Testing The IR Plan
"Don't just have policies and procedures on paper, practice and exercise them, too. Just like a good athlete doesn't wait to get a hit, catch a touchdown pass, or score a goal – they practice it. The C-Suite, technical team, and everyone in-between should participate in these rehearsals to best facilitate the necessary coordination, ensure all parties know their role in the IR process, and better enable informed decisions in a timely manner:
- Hands-on training exercises allow organizations to test both their personnel and their technologies, and stay current on trends/ techniques to counter as attacks get increasingly sophisticated. By replicating their own infrastructure/ technology stack and simulating relevant attacks, this type of training often leads to findings on how to tune internal systems and tools based on the abilities of the team and weaknesses of the infrastructure.
- Table-top exercises allow organizations to practice their internal communications, evaluate the decisions that will need to be made, decide when a third-party IR team or law enforcement officials need to be engaged (based on compliance with breach notification laws), and anticipate litigation/ develop appropriate documentation or reporting standards or templates."
--Ken Jenkins, CTO of By Light Professional IT Services' Cyberspace Operations Vertical
Don't Forget To Update The Plan After An Incident
"It is important that when an incident occurs that the knowledge and preparation is put into effect by implementing the procedures ‘by the book’ and rolling lessons learnt back into the process. IR programs that live and breathe are dynamic and capable of adaption when new threats and risks emerge."
--Andrew Bassi, Principal Forensic Consultant, Pen Test Partners
Make It A Framework
"Ensure that the plan actually establishes a framework for end-to-end response, not just covering the actions that happen once something is detected or identified, but also defining what will happen post-incident to drive self-improvement.
"IR plans are meant to capture details like policies or high-level standards. It's important that the IR plan spells out what the criteria are for invoking the plan and escalating some kind of alert or event to the point where the IR team is engaged, preferably prioritized based on some kind of risk assessment."
--Curtis Fechner, Technical Director, Threat Management, Optiv