Successful incident response requires a sound plan backed by accurate information

Anthony Di Bello In a number of our recent posts we discussed the importance of being able to quickly identify and respond to potential security breaches:

Incident Response: The First Step is Identifying the Breach

Beating the Hacking Latency

SIEM Turbocharger

In those articles we covered why it’s critical, for effective incident response, to have the ability to filter the noise from the various security technologies most organizations have in place. In our SIEM Turbocharger post, for instance, we talked about how EnCase’s SIEM integration capabilities enables instantaneous forensic data collection, and how (when the inevitable breach does occur) an assessment can be quickly conducted across endpoints to scope the breadth of the situation.

But what happens should the breach be significant and turns out to be a reportable incident due to regulatory mandate, SEC reporting expectations, when a considerable amount of confidential data has been stolen, or a related situation is encountered?

News headlines of companies that didn't handle their incidents, once identified, properly are all too common.

The key to success at these times is by having a well-crafted plan in place for how the incident will be handled.

Based on our discussions with customers and industry leaders there are several things that must be in place to make a successful incident response possible. While the IT security incident response team is generally a tight group of IT and security managers and analysts, having the right, and much more organizationally broad, team in place to respond to business-critical incidents is crucial. In fact, if a publicly reportable incident is going to be well managed it will most likely require input from many aspects of the business. That’s the only way to best decide how the general public, partners, suppliers, customers or anyone else affected, and who will be notified, could best be handled.

Unfortunately, this is where many organizations fall short. When they approach their customers, or announce a breach it’s not always handled as well as should be, which can cause loss of trust, loss of customers, and even increased regulatory scrutiny.

However, once it’s determined that an incident is serious enough to notify business leadership the people and the protocol for this need to be in place ahead of time. That includes informing members of the legal and compliance teams, the CIO’s office, corporate communications, and others. Once the legal, business, and regulatory implications of the breach are understood it’s time to take the incident to executive management and eventually notify the affected stakeholders.

Of course, what is required throughout the entire incident response process is accurate and trusted information. Organizations need clarity on the nature and scope of the breach as soon as possible so they can start making intelligent decisions as early in the incident as possible. Fortunately, through the integration of EnCase Cybersecurity with SIEM technology, it’s possible to automate the digital forensics data capture process and therefore quickly understand the nature and true scope of an incident. This way well informed and the more appropriate decisions can be made from the start.

Follow me on Twitter @CyberResponder

No comments :

Post a Comment