[BreachExchange] 9 Tips for Improving Your Incident Response Strategy

[Audrey McNeil]

http://resources.infosecinstitute.com/9-tips-improving-incident-response-
strategy/

Incident response is a complex process involving many moving parts. Follow
these suggestions to improve incident response across your organization.

1. Hire the Right Staff

You can have the best technology to help investigate, detect and respond to
data breaches or security incidents, but if you don’t have skilled
employees who are capable of using that technology, there is no point.
Employee roles and responsibilities must be clearly defined to ensure
proper and consistent responses to threats. It is also important that end
users are effectively trained to recognize threats to the system.

Some employees should be dedicated to incident response instead of using
other personnel who are either part-time staff or members of another
department. They should be experts in areas such as breach management,
threat intelligence, malware analysis, and forensics and incident
detection, since the majority of targeted attacks are focused on the
platforms used most often.

A general staff model may include a tier 1 and tier 2 analyst, tools and
support analyst, and an intelligence threat analyst. Some of these
positions can also be filled by contractors and service providers instead
of full-time internal personnel. Every employee should receive specific
training that is specific to their role. Staff roles should be rotated
regularly to avoid burnout.

2. Establish Clearly Defined Team Roles & Responsibilities

If all IT department employees have been assigned the role as a potential
incident responder, it can cause confusion, inconsistent prioritization and
processes, and in the worst case, complacency.

Each role and responsibility should be clearly defined. There should be a
difference between the management of analysis, security data, incidents and
security devices. Organizations should deploy specialized and tiered staffs
that are flexible enough to ramp up their incidence response teams quickly.

3. Increase End User Awareness

End users are typically the weakest point in a company’s defense. They
become victims of techniques such as social engineering and spearphishing
that allow attackers into the network. Even though users are aware that
they shouldn’t give their password to someone who says that they are
calling from the help desk, it’s easy to forget protocol during a busy day.

It is the responsibility of the security staff to find creative ways to
make sure that these guidelines become common place. One way of doing this
is to allow an actual internal phishing attack and publicize the results to
staff letting them know how easy or difficult it was to access the network.
You can encourage compliance and attention by creating friendly competition
among employees from different departments to see who is most capable of
seeing through an attack.

4. Learn From Past Breaches & Incidents

Over time, an organization’s security posture is improved with effective
incidence response. This requires complete and thorough recording of the
incident response when the investigation is taking place and once it has
been completed. The information should be used to improve the company’s
systems and processes for investigating, detecting and reducing the damage
from future incidents. The information should address metrics such as
incident resolution and detection time. It should also indicate the overall
level of efficiency of existing countermeasures.

This allows the organization to determine whether the maximum amount of
money is being allocated towards security issues. It should also be noted
that the employees who are in charge of a security operations center (SOC)
or a critical incident response center (CIRC) are given the authority to
respond to and investigate incidents as they feel necessary.

To ensure continuous improvement, response processes should be easily
measurable and replicated through key performance indicators (KPIs) that
are relevant to the organization. An incident management system can assist
in identifying the root cause of the problem and set realistic goals to
learn from past mistakes and measure whether or not the response is
improving.

Organizations that are more mature document use cases that describe threat
scenarios and actual response situations that are specific to their
business. This helps make sure the rest of the team is able to learn from
past incidents and enhance their response.

5. Deploy the Right Tools

A trackable, centralized and coordinated intelligence-driven procedure
backed by the right technology and well-trained staff enables continuous
improvement and reduces the risk of further security incidents.

- Controls: The capacity to get the right information from the right
controls, both signature-less and signature-based.
- Context: The joining of data controls with a business, risk and threat
context in order to determine the priority of the incident.
- Visibility: The gathering of context and controls and the capacity to
handle occurrences within a single pane of glass.
- Expertise: The skills, training and expertise of the team that is
responsible for overseeing the solution set and defending the organization.

6. Upgrade Your Analysis & Monitoring Systems

The information systems that are in use today are extremely sophisticated.
However, so are the attacks that are being launched against them. The
proper investigation, occurrence detection and analysis technology are
critical to increasing the skills of your security staff, learning from
previous attacks and utilizing the proper processes so that you can respond
more effectively.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180302/3e4f501e/attachment.html>