4 steps to a strong incident response plan

The sheer volume of cyberattacks essentially ensures that one or more will penetrate an organization’s defenses. That is why fast, intelligent incident response is critical to mitigating the effects of a breach. In AT&T’s latest Cybersecurity Insights report, 62 percent of organizations acknowledged they were breached in 2015. Yet only 34 percent believe they have an effective incident response plan.  

Sophisticated incident response plans enable stakeholders to hit the ground running when a breach happens. But all too often those plans fail following an incident. We asked security experts and practitioners for their advice on improving incident response, and four themes surfaced.

1. Acknowledge the unavoidable

An incident response plan can make or break an organization. According to a 2016 Ponemon study, surveyed organizations lost an average of $7 million when breached. What can a company do to protect itself? 

For day-to-day attacks, threat prevention and detection tools are key. But as Chuck Brooks (@ChuckDBrooks), a vice president at Sutherland Global Services, explains: “Breaches can happen and likely will happen sooner than later.”

Accepting this reality is crucial to recognizing that an incident response plan is a business imperative — no matter the size or type of the organization. “The first failure a company makes is not having a plan,” says Guy Bunker (@guybunker), senior vice president of products at Clearswift.

Given the “when, not if” mindset of today’s cybersecurity experts, building a plan that fits the specific characteristics of an organization is necessary — albeit difficult.

“A more rounded and integrated approach to developing effective incident response plans is needed, and this should cover a hybrid security position combining testing of physical security, human factors, and an organization’s digital exposure,” says Mike Loginov (@AscotBarclay), CIO, CISO, and CEO at Ascot Barclay Cyber Security Group. “Adversaries will use any combination of these factors to exploit gaps and weakness in an organization’s security posture.”

According to Jeff Reich (@JeffReichCSO), CSO at Barricade.io, an effective plan goes beyond simply recovering from an incident. Thwarting similar attacks in the future must be built into the playbook.

“Too often organizations want their plans to succeed so they design an incident scenario that can be addressed with a straight-forward plan,” he says. “More plans need to take the broader view of dealing with the results of an incident and determining the root cause and needed remediation to ensure that the condition never exists again.”

Empowering response teams to act ensures that a breach response can unfold as planned.

“Does the incident response team have the necessary authority to confiscate or disconnect equipment and monitor suspicious activity if required? If legal, HR, security, audit and leadership are not involved in defining the plan, legal rights could be compromised during a cyberincident,” says Kyle F. Kennedy (@Kyle_F_Kennedy), CISO at Cyber Security Network.   

2. Build the right team

Because of the business implications of a cyberattack, post-breach response is often an all-hands-on-deck affair. The C-suite, IT, security, legal, communications, and other teams across and outside of the organization must be involved.

“In my opinion, the number one reason incident response plans fail is due to the inadequacy of the response teams,” says Brooks. Creating the right mix of leadership and expertise includes selecting people who are up to date on the changing digital threat landscape. “Often those elements are lacking in teams, and as a result, companies and agencies have unfortunately paid a heavy price,” he says.

Steven Fox believes a leader who supports the specific needs of technical teams is key to a plan’s success. “An incident response plan relies on an influential leader that can both articulate the business need for IT investments and rally the associated technical expertise,” says Fox (@securelexicon), senior cybersecurity officer at the U.S. Department of the Treasury.

Kennedy agrees that a well-placed leader who understands the issues is instrumental. “An incident response program must have a C-level executive or board member championing the initiative,” he says. “The executive champion needs to help facilitate the business process to discover what current practices and processes may hinder the organization when a critical data breach occurs.”

Essential assistance can come from third-party consulting teams, too.

“A full adversarial review by an expert team that can test and probe the maturity and effectiveness of incident response plans is a necessary and recommended requirement in the fight against growing levels of sophistication by cybercriminals,” says Loginov.

3. Keep the plan fresh

Incident response plans aren’t fortified with preservatives. Employees, operations, and other circumstances often change to meet an organization’s developing demands. Tabletop exercises and other tests ensure that everyone understands their responsibilities and that the playbook is viable under a variety of scenarios, a recommendation also stressed in the AT&T report.

Bunker states his views succinctly. “A plan that hasn't been tested — and updated and tested again — will fail or at best be inefficient.”

For Robert Siciliano, a static plan is an ineffective plan. “Incident response plans are often outdated and antiquated, rarely reflecting the company's current infrastructure, processes and systems,” says Siciliano (@RobertSiciliano), CEO at IDTheftSecurity.

“Too many companies create the plan and tuck it away, only planning on revisiting it during compliance audits or in the event of a breach,” says Chris Czub (@chrisczub), a security researcher at Duo Labs.

The goal is to eliminate the guesswork and uncertainty that can arise in the midst of a major breach.  

“Performing incident response drills ensures a few things: incident response procedures are effective, employees responsible for enacting the plan are familiar with it, and most importantly, employees know how to react quickly and won’t be struggling to identify their first steps,” says Czub.

Much as a sports team will polish its skills through repeated practice sessions, tabletop exercises ensure that teams react smoothly and in unison — under a variety of scenarios — when calamity hits. 

“You can't expect a professional sports team to know what to do on game day if they haven't been coached through the plays,” says Andrew Hay (@andrewsmhay), CISO at Data Gravity, Inc. “An incident response activity should create muscle memory.”

Regular tests also aid in uncovering and correcting any flaws that could render the plan obsolete when an actual breach strikes.           

“I believe that incident response plans would be 98.9 percent successful if a readiness drill was run often enough to catch technology issues and human errors ahead of time,” says Craig Brown (@craigbrownphd), a technology/business consultant.

S. Vaughan-Nichols concurs. “Like it or lump it, you have to give your incident response plan a real-world test. Only then will you know if it will really work when push comes to shove,” says Vaughan-Nichols (@sjvn), a contributing editor at CBS Interactive/ZDNet.

“Many IT personnel do a great job solving complex problems, but are often not tested with the pressure of responding to a breach as it unfolds,” says Scott Schober (@ScottBVS), CEO at Berkeley Varitronics Systems and author of "Hacked Again."

4. Stay the course

Once a breach is detected, the incident response plan should define a clear process for prioritizing next steps. But even the most sophisticated plan can implode when teams don’t stick to the playbook.

According to Eric Vanderburg, the plan can break down if incident response teams allow their emotions to guide their decisions. “In some cases, the plan is not followed at all. Often, though, the plan is followed except for a few critical decisions. Those decisions seem to be right at the time, but the plan was created when the team was not under stress,” says Vanderburg (@evanderburg), director of information systems and security at JurInnov.

Another threat to a well-honed plan is an organization’s reluctance to enact the plan until it’s too late.

“It’s the iceberg issue. When a breach is detected, we only see the tip of the iceberg and think it’s not really an incident. But the full problem is hidden under the water,” says Alan Webber (@AlanWebber), a senior analyst at IDC. “It is better to have a few false positives than miss the big one.”

In today’s cyberlandscape, the financial and reputational health of an organization can hinge on the strength of the incident response plan — which is why a sophisticated plan is vital.

“The critical moments immediately following the detection of a breach are not the right time to be dusting off the incident response plan and trying to make sense of it,” says Czub.

Carin Hughes is editor of the AT&T Cybersecurity Insights report.
