Immediate and Effective Incident Response

By ivision October 9, 2020

It’s 3:41 a.m. on a Tuesday and the phone rings. You answer, wiping the sleep from your eyes, and are greeted by one of your security analysts telling you, “We have an active, organization-wide security incident. We need all hands on deck immediately.”

For a great many individuals or organizations, this situation can instill immense and immediate fear and anxiety. Questions immediately arise. What is going on? What needs to be done? Are our clients impacted? What do I do?!

According to IBM Security, over 50% of organizations wait until they have experienced some kind of major business disruption to figure out the answers to these questions and properly implement a realistic and functional incident response process. Unfortunately, waiting to prepare until you’re faced with a threat significantly increases the potential impact to your business or reputation. Lack of clear process and guidance can lead to situations where the best intentions end up making the situation worse or, in more egregious cases, to actions that make full resolution unattainable (for example, destroying the evidence needed to determine scope).

As malicious threat actors attempt entry into protected and privileged environments, and continuously adapt the ways they do so, functional response procedures and plans become even more imperative. It’s important to recognize that every organization is equipped with a unique set of tools, processes and services that inform its response process. Organizations quickly learn that most “template” incident response plans are inadequate or, at best, require significant modification before they can be implemented successfully in a specific environment. Additionally, the processes alone are not enough. Organizations must test these plans on a consistent basis to ensure that all involved parties are thoroughly versed in their responsibilities in such a scenario.

Ultimately, the goal of a fully implemented incident response plan is to provide clear and concise guidance for all members of the incident response team in any type of crisis. These plans must be tailored accordingly, specifically catering to the most important parts of an organization. This may be confidential information or trade secrets in some cases, protected healthcare or financial information in others, but the ultimate goal remains the same: protect important information from threats, and react immediately and appropriately to remove risk and reduce scope during any incident.

If your organization is implementing or managing an incident response plan, make it a point to consistently ask yourselves these questions:

  • Are my plans current? Have they been reviewed recently enough that they reflect the current business and threat landscape?
  • Are my key resources informed and knowledgeable about the policy and process? Can I rely on them to know what must be done and to execute it in full compliance with our process?
  • Is my incident response plan effective in meeting its targeted goals? Do the implemented process and policy result in efficient and effective remediation or resolution of an incident?
  • Am I meeting all regulatory or legal requirements for data disclosure in the case of incidents involving data breaches?
  • Am I testing this process on a regular basis to identify and resolve functional gaps in its design?
  • Am I properly tracking the key performance indicators or metrics that can adequately measure the efficacy or efficiency of this process?

These types of probing questions can help you determine where your existing processes might not meet your needs and can uncover unknown gaps that introduce unexpected risk to your environment. Additionally, asking these questions during the development of an incident response process helps ensure you end up with a realistic and pragmatic process that is tailored to your needs and skill sets and can be implemented quickly.

No one likes getting a call in the middle of the night that an incident has occurred, but with some diligence and practice, you can remove the associated anxiety and stress and resolve incidents in your environment. ivision is passionate about ensuring that our clients protect themselves, their data and their clients from the constantly shifting sea of threats they face, while also ensuring clear and quick resolution. Whether it be reviewing an organization’s incident response plans from a strategic level, layering in a properly mature security program or working with organizations to implement recurring tabletop exercises that review the effectiveness of existing plans, we are here to help.