According to the SANS Institute, although 21 percent of respondents to a recent survey were unable to determine whether they had suffered a security incident in the past two years, 61 percent could confirm they had been a victim of a breach, unauthorized access, denial-of-service attack, or malware infection. Efficient incident response is vital when subjected to a serious cyberattack because the response's timeliness and effectiveness directly correlate with cost and damage limitation.

A recent report from RSA investigated how security practitioners worldwide are preparing their organizations to respond to and defend against security breaches. It then compared those findings against responses from members of the Security for Business Innovation Council (SBIC), which comprises security executives from Fortune 1000 organizations that are committed to advancing the state of information security.

## Deploy a Mixture of People, Processes, Procedures, and Technologies

One of the areas investigated was incident response, which the report defines as "a comprehensive, premeditated approach to protecting applications, data, and information infrastructure from cyberattacks." It stresses the importance of an incident response plan that is dynamic, composed of a mixture of people, processes, procedures, and technologies, and evaluated against new threats that expose systems, data, and infrastructure to attack.

Of the security practitioners surveyed, 30 percent have no formal incident response plan in place, and even among those who do, 57 percent admitted they never or only infrequently review or update it. Among SBIC respondents, the picture is rather different. A full 100 percent have developed a formal plan, and 92 percent test their response program at least once a year. Further, 67 percent use intelligence and key findings gleaned from previous incidents to improve their response process, building that learning into their plans for future incidents.

On the role of people, processes, and technology, one SBIC respondent explained that it is crucial in any plan to clearly define roles and responsibilities within the response team. This avoids heat-of-the-moment confusion when handling a breach. It is just as important to have clear visibility and consistent workflows to ensure accountability and consistency in the crisis response. This also helps organizations build on their capabilities and improve their response procedures for future events.

## Automation Is Key

A key to developing future capabilities is to employ a dedicated workflow-based system that provides full visibility into threat-related events, event-related information, alert collection, and threat feeds. This information can be routed into a centralized, automated system alongside records of escalation, mitigation, containment, analysis, and remediation actions, which greatly improves an organization's ability to track and manage incidents. Only by automating incident response processes can organizations prioritize the actions to take and track the effectiveness of the measures they execute.

Security breaches are often far too damaging to be left to chance—or spreadsheets. While people will always be part of any incident response process, relying on manual effort alone is not enough. An effective combination of people, processes, procedures, and technology will greatly improve the effectiveness of the response to any breach.

The post How to Improve the Effectiveness of Incident Response appeared first on Speaking of Security - The RSA Blog and Podcast.
