How to Speed Up Incident Response

Jun 10, 2016 | by RSA

Having an incident response plan in place is key if you want the ability to speed up your company's reaction to security incidents. However, a recent survey by the Security for Business Innovation Council (SBIC) found that just 30 percent of large organizations have an incident response plan, and of those that do, 57 percent never or infrequently review and update their plan.

The cost of a data breach directly relates to how long it takes to identify and contain the incident. The longer it takes to move through your plan, the larger your losses will be. For this reason, organizations should ensure they are adequately prepared to respond to a security incident as quickly as possible.

Assemble the Right Team

The first step in streamlining incident response is to assemble the right team with clearly defined roles and responsibilities. Among the roles required are security infrastructure monitoring, incident management, and security analytics management. Team members should be skilled in incident detection, forensics, malware analysis, threat intelligence, and breach management.

Invest in the Necessary Tools

The next step is to equip your team members with the tools they need. Many organizations continue to rely on manual processes for tracking incidents, which makes it difficult to provide governance or gain insight into process improvement over time. It also drastically slows down the response process, which can increase costs and overall damage.

A range of security tools should be provided to aid in incident detection, investigation, analysis, and response. For instance, organizations need a security analytics platform that can centrally monitor events in real time and add business context through analysis of all events, including logs, network packets, net flow, and endpoint information. Only with this information can incident response be effectively prioritized.

For the best results, this platform should be integrated with a security monitoring system that aggregates alerts. This type of platform will provide a framework for coordinating the multiple people, processes, and technologies involved in incident response. Further, to ensure the latest threats can be identified, the team should leverage both internal and external threat intelligence sources.

Have a Handbook

The third step is to ensure the organization's processes and roles are documented to control and focus efforts. This will also help iron out any gaps in the security strategy. Baseline behaviors should be set so anomalies can be identified, and tracking systems should be implemented to monitor the actions taken.

Further, backup systems should be stored alongside a master copy of the handbook-this can be done with a USB stick containing essential master copies of operating systems, applications, and configurations.

Keep Backup on Standby

In many cases, a strategic incident response team will be able to handle any security problems swiftly and effectively if these measures have been taken-especially if the incident response plan is regularly tested. SBIC recommends the use of cyberwar games to identify areas that can be improved, ensure the team gives incidents the right level of attention, and check whether response focuses on the most critical applications, data, and infrastructure. The ability to focus on the right areas is crucial for enabling a speedy response and controlling the overall cost of an incident. It is also wise to make arrangements with an external service provider in case a disaster is too big to handle or essential team members are unavailable.

By following these steps, organizations will be ready to quickly and efficiently take action and respond to a security incident. Anything that can shorten the time needed to remediate a security incident will lower overall costs and minimize damages as much as possible.

Author: RSA

Category: RSA Fundamentals

Keywords: Incident Response