The rise in cyber threats in the last several years has shown that organizations must continuously stay ahead of adversaries to protect their investments: data, intellectual property, finances, and people. Indeed, the Cisco 2018 Annual Cybersecurity Report found that the cost of attacks is no longer hypothetical. More than half of all breaches resulted in financial damages of more than $500,000.
Over the years, I’ve designed incident response teams from the ground up as well as led and developed such teams in mature organizations. There was always one common backbone with each of them: the incident response plan. Some people still believe that they can do a quick search online, find a template that they can then fill out, and voila, a plan!
Unfortunately, this couldn’t be further from the truth. When the time comes to actually implement such a cookie-cutter plan, organizations may find that they are woefully unprepared. It is absolutely imperative that businesses create plans that come from critically thinking through their specific needs.
Organizations must have conversations that lead to the generation of a custom-fit IR plan. This not only includes what to do in the event of an incident, but also how to address incidents before they occur. Let’s look at four key components that make up a solid incident response plan.
Be proactive: Assess and then plan for today’s and tomorrow’s attacks
Incident response has continued to evolve over the years to the point where I struggle in calling it, “incident response.” The industry has really learned from both the continued number of attacks and their fallout that more proactive planning well ahead of an incident need must become the new norm.
It’s important to draw up the incident response plan in advance of any cybersecurity crisis and to maintain it over time to ensure it is properly updated.
Additionally, an IR plan is usually best paired with an Incident Response Readiness Assessment (IRRA). An IRRA can help uncover organizational vulnerabilities or other gaps in preparedness that need focus and enhancement. Businesses that dash off a plan without this step may miss key components that may not seem immediately apparent.
If you don’t have the resources or expertise to conduct this assessment in-house, bring in an expert team. It’s often better to outsource this step, as a third-party organization can take a more objective look at your organization’s needs. Just as critical, bring in your senior leadership and other cross-functional team members to the planning from the outset. They have a vested interest in the business, and gaining their support and buy-in can ensure that you are all on the same page.
Taking the time to assess how prepared your organization is before you get into an incident can allow you the opportunity to both plan for remediating those areas and to also understand where you may need to better shore up your defenses.
Keep it simple
Don’t overthink it. You will never be able to plan for all the variations of incidents you may come across. While many security teams will attempt to come up with a plan for every possibility, there is no one-size-fits-all plan or playbook. The key is to establish a robust framework and process within which your organization can operate. And, if you find that there are issues that must be addressed immediately, don’t wait for the plan to be fully developed. Take care of them now to avoid problems later.
You also must be able to quickly reach out to the right players and experts inside and outside your business as needed to fill in any missing elements at a moment’s notice. And those individuals must be clued into – and buy into – the plan to expedite execution. They are likely to be able to help enhance the plan beyond your team’s expertise.
As your organization continues to evolve, you will need to dynamically make changes to the plan and processes. You are likely to end up capturing different data that can help you both track and measure in what direction your organization is heading.
Is it flexible?
An IR plan needs to be able to be easily modified without countless reviews and executive approvals. By keeping the plan simple, you allow your organization to operate within a framework and workflow that should be able to adapt more quickly.
Over time, the evolution and maturity of the program can result in adding new plan sections that do not require a full overhaul or revisiting the entire scope. This can save valuable time that is better spent elsewhere when minutes count.
Measuring up: How do you know if your plan works?
Measuring your IR capabilities is critical to the success of any organization. This can help leadership make decisions based on facts and data. By ensuring there are metrics that are captured along the way and reported on frequently, you can demonstrate the maturity of the organization. You also can pinpoint areas for process improvement in either prevention, detection, or operational response.
Some of our preferred metrics to track over the years include containment time, dwell time, collection and analysis time, and detection success by tool or technique. Another metric that is getting a solid look is time to reporting. For example, with GDPR and the 72-hour requirement to report an incident, organizations must ensure they are monitoring their capabilities and removing any inefficiencies that may arise. This will help ensure your organization is in compliance with guidelines and can avoid costly penalties.
The most important takeaways in the development and execution of a well-constructed and efficient incident plan include:
- Many templates and guides can explain what elements need to be part of an IR plan. But, they typically miss what’s specific to your organization. These requirements can be identified in a needs assessment.
- IR plans need to be built proactively and in a simple, flexible, and measurable way.
- Don’t overthink it. An IR plan should be robust enough to provide a great framework to operate within, but flexible to handle multiple threat scenarios.
- Keep it flexible to facilitate updates. Review and update the document regularly as the organization’s needs or market dynamics change.
- Understand how you will measure your plan’s effectiveness. This is critical when it comes to developing the team infrastructure as the organization matures. It also will tell you when the plan is working as designed or when it needs to be adjusted.