VP of Marketing and Products
Organizations spend millions of dollars each year to maintain their IT environment and implement sophisticated computer defenses. However, given increasingly creative and aggressive hacking techniques, it is not surprising to read about new data breaches on a daily basis.
A good example is the recent security breach at Twitter, in which user names, email addresses, session tokens, and encrypted / salted versions of passwords of approximately 250,000 users were stolen. Unfortunately, at some point every organization will be faced with a security breach. This raises the question – are security professionals focusing on prevention at the expense of damage control preparation?
Incident response management can be described as the oft-neglected flipside of the security coin. When done right, like in the case of Twitter, incident response management becomes another weapon in an organization’s prevention arsenal – in this case the focus is on limiting material or reputational damages caused by a data breach.
Twitter’s response was swift, offered sufficient information about the scope of the breach, as well as measures that it had taken to minimize the impact on its user community. Thus, the company’s reputation did not suffer. However, there are many examples of incident response gone wrong; adding only to the damage the breach itself brought to the organization.
A bad example of incident response was the data breach at the South Carolina Department of Revenue, in which hackers gained access to unencrypted social security numbers. In media interviews, Governor Haley stated "the industry standard is most social security numbers are not encrypted". Her comments drew harsh criticism, since anyone remotely familiar with security best practices knows that all sensitive data should be encrypted. In this case, the State's incident response served to create more, not less, reputational damage.
So what are the basic principles and steps involved in developing a pro-active incident response plan?
Incident response management is an organized approach for addressing and managing the aftermath of a security breach or attack – a.k.a. an incident. The objective is to manage the situation in a way that minimizes damage and reduces recovery time and costs. As part of incident response management, an organization should establish a policy that defines in detail, what constitutes an incident and provides a step-by-step process to be followed when an incident occurs.
The US-CERT and SANS Institute have assembled best practices related to the creation of an incident response team. This carefully selected group should, in addition to security and general IT staff, include representatives from legal, human resources, and public relations departments.
According to the SANS Institute, there are six main steps to handling an incident effectively. The preparation phase includes policy development, logging review guidelines, disclosure practices, tabletop exercises, compliance integration, and ongoing training of users and IT staff. Steps two through five focus on how to respond to a security breach itself and are broken down into identification, containment, eradication and recovery. These steps entail incident classification, digital forensics, malware analysis, system restoration, and public disclosure. The final step is post-incident analysis, which is important for identifying lessons learned, documenting gaps, and capturing necessary enhancements using a closed-loop process.
To successfully implement a pro-active incident response management process, securing buy-in and support from senior management is required. Incident response management needs to be taken seriously and cannot be treated as an ad hoc process that can be abandoned in the next round of budget cuts.
The Moment of Truth
This all sounds straightforward and should be simple to implement -- at least on paper. However, this process typically breaks down when an incident occurs and a response is required. For example, will members of the incident response team remember their duties and fellow stakeholders when they receive a call on a Saturday at 4:00 a.m.? The answer most likely is no. So what makes incident response management in the field so difficult?
Policies and stakeholder information are often contained in multiple, dispersed documents, which makes them hard to access quickly when a security breach occurs. This results in a delayed response. Furthermore, a manual incident response process requires human interaction to share information and alert stakeholders, which leads to further response time delays. The basic lack of alerting and escalation functions often leaves an organization vulnerable.
Another major pain point is prioritizing the remediation response. It is particularly important for organizations to determine the order in which incidents need to be remediated, and this should be done based on risk and business impact. With no automation solution in place, this calculation is simply not possible. Once the organization has determined its incident remediation strategy, the next step is to track how long the remediation will take, who is responsible, and who will take action.
Ultimately, the biggest challenge associated with incident response management is documenting the entire process. In many instances, once the incident is identified by one group, the remediation actions are executed by a different group. Without interconnectivity into remediation systems and a centralized repository for capturing this data, it becomes almost impossible to establish an audit trail and determine how effective remediation actions have been.
Elevating Incident Response Management
Obviously, relying solely on human intervention and disconnected systems can lead to major deficiencies that can slow down an organization’s responsiveness. This will ultimately impact public perception and escalate damages caused by a security incident. To overcome these shortcomings and streamline the overall process, progressive organizations are leveraging incident response management software. This allows for automation and centralization of the incident response process and creates an audit trail for compliance reporting.
Advanced incident response management software helps organizations collect data from a variety of security and IT tools as well as other applications such as Microsoft® Excel spreadsheets. It then aggregates the data and automatically calculates the preliminary risk and business impact, enabling an organization to prioritize the response plan actions and timing.
These systems also route and assign incidents based on type, severity, or affected assets; alert the assigned stakeholders; and provide for escalation if needed. Ultimately, all remediation efforts are tracked and all of the collected data is leveraged to measure control and policy effectiveness as part of the post-incident analysis.
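As an added illustration of the prioritization, routing and escalation logic described above (example code, not from the original article or from any vendor's product), the following Python triage routine scores each incident by severity and the business impact of the affected asset, assigns an owner by incident type, escalates when the severity's SLA has been exceeded, and records every decision in an audit trail. The lookup tables, SLA values and the incidents themselves are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed lookup tables; a real deployment would pull these from the asset
# register, the incident policy and the on-call roster discussed in the text.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_IMPACT = {"hr-db": 5, "web-frontend": 3, "dev-vm": 1}   # business impact 1..5
ROUTING = {"data-exposure": "legal-privacy", "malware": "soc", "phishing": "soc"}
SLA_HOURS = {4: 4, 3: 8, 2: 24, 1: 72}                          # keyed by severity rank

@dataclass
class Incident:
    iid: str
    itype: str
    severity: str
    asset: str
    opened: datetime
    owner: str = ""
    audit: list = field(default_factory=list)  # (timestamp, event) audit trail

def risk_score(inc: Incident) -> int:
    """Preliminary risk = severity rank x business impact of the affected asset."""
    return SEVERITY[inc.severity] * ASSET_IMPACT.get(inc.asset, 2)

def route(inc: Incident, now: datetime) -> str:
    # Assign by incident type (default team for unknown types) and log the decision.
    inc.owner = ROUTING.get(inc.itype, "it-ops")
    inc.audit.append((now, f"assigned to {inc.owner}, risk={risk_score(inc)}"))
    return inc.owner

def escalate_if_overdue(inc: Incident, now: datetime) -> bool:
    """Escalate when the incident has been open longer than its severity's SLA."""
    limit = SLA_HOURS[SEVERITY[inc.severity]]
    overdue = now > inc.opened + timedelta(hours=limit)
    if overdue:
        inc.audit.append((now, f"escalated: open beyond {limit}h SLA"))
    return overdue

def triage(incidents: list, now: datetime) -> list:
    # Highest risk first; each entry is (id, risk, owner, escalated).
    queue = []
    for inc in sorted(incidents, key=risk_score, reverse=True):
        owner = route(inc, now)
        queue.append((inc.iid, risk_score(inc), owner, escalate_if_overdue(inc, now)))
    return queue

NOW = datetime(2013, 2, 9, 4, 0)  # the Saturday 4:00 a.m. call from the text
def sample_incidents() -> list:  # constructed incidents, not real data
    return [
        Incident("INC-1", "phishing", "medium", "dev-vm", NOW - timedelta(hours=1)),
        Incident("INC-2", "data-exposure", "critical", "hr-db", NOW - timedelta(hours=6)),
        Incident("INC-3", "malware", "high", "web-frontend", NOW - timedelta(hours=2)),
    ]
```

Running `triage(sample_incidents(), NOW)` places the critical exposure of the HR database first and escalates it, because it has been open for six hours against a four-hour SLA.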
By automating and centralizing manual processes, organizations can take a pro-active approach to data breaches, transforming incident response management into a powerful tool that can protect brand equity, prevent customer defections and help restore trust.
Torsten George is Vice President of Worldwide Marketing and Products at integrated risk management software vendor Agiliance. With over 20 years of global information security experience, Torsten frequently presents and provides commentary on compliance and security risk management strategies, data breaches, cyber security, and incident response best practices.
Torsten has held executive roles with ActivIdentity (now part of HID Global), Digital Link, and Everdream Corporation (now part of Dell). He holds a Ph.D. in Economics and an M.B.A.