Discussions about cybersecurity tend to revolve around known threats, the damage they can cause and how they can be prevented or detected. All of these are important bases to cover, but they’re missing one of the essential ingredients of a cybersecurity strategy: the incident response plan.
What is incident response?
According to the Ponemon Institute, the average consolidated cost of a data breach is $4 million. While some of these expenses may be unavoidable, the overarching goal of incident response is to mitigate as much of the fallout of a cyberattack as possible. This is an organization-wide process that demands the cooperation and collaboration of all the lines of business, from the C-suite, to human resources and public relations, to the IT and security teams – internal and external – directly involved in identifying and remediating the threat, to any workers involved in or affected by the incident.
How is it developed?
In a new webinar moderated by SC Magazine, Sam McLane, head of security engineering at Arctic Wolf Networks, discussed the various properties of a strong IR plan, and how to instill them in an organization. It all starts with executive buy-in. Upper management needs to be made aware of the risks facing an organization. In some cases, the chief information security officer (CISO) is the one responsible for communicating the urgency of IR enhancements to the board. However, not all companies have a CISO, which means that this duty might fall directly on the CIO or the director of IT.
Either way, McLane noted that the responsible party must have a way to supply the right metrics regarding breaches to make an argument for better cybersecurity and new IR measures. This entails keeping a record of tangible evidence of attempted cyberattacks. Because financial risk is also a big concern, recent breaches or cyberthreat trends covered in the media can act as ammunition for a case to the C-suite.
As for developing the actual plan, McLane noted that every chain of command must be a part of it so that they understand how to react should the incident affect them. This will avoid rash or uncalculated decisions that could cause greater damage, both on the tactical side (the IT experts on the front lines of remediation) and on the business side (HR, PR, lines of business, etc.).
Putting the plan into action
When the time comes to execute a plan, the CISO, or another predetermined manager, will be the one who notifies the board of the incident. This same person will act as the commander of the IR operation. He or she must calmly inform the lines of business about the breach and remind them of proper response protocol (i.e., what to say to the press, what to tell customers, how to react if an insider is involved).
On the tactical side, IT must remove any affected computers from the network and should avoid knee-jerk reactions such as shutting down machines and deleting files. As a whole, there should be a practiced rhythm, even a routine, in how the situation is handled.
Reviewing and adjusting the strategy
Last but not least, IR must be evaluated and tested on a regular basis. The assessments will be the CISO’s chance to sway executive buy-in, while the tests will be necessary for preparing for a real-life scenario. Again, this is where having solid metrics can really come in handy when presenting new ideas to the board.
The review and adjustment phases can act as an opportunity to move some of the IR responsibility onto a third party. McLane noted that a company may find that it’s lacking expertise in certain areas, in which case, it’s likely more cost-efficient to “augment knowledge” with a third-party vendor that can help manage a response plan. McLane also noted that because so many data breaches involve either the carelessness or malice of an insider, a third party’s impartiality would lead to a less biased, more lucid account of the events, which, in the long run, will enhance IR.