Many say that it's not a question of if we will suffer a breach, but when and how we will suffer a breach. And yet there are organizations that consider this an optional capability.
Last time we talked about the first two parts of the Incident Management program: Prevention and Planning/Preparation.
- Communication - so these groups know their roles:
  - Security, IT, Privacy, Legal, HR, Communications
  - Executive Management and the board, so they endorse the process
  - Responders, so you know you can reach them
- Preparation - having available information including: contact information, on-call lists, incident response procedures, a command center, workstations, blank media, clean installation media
- Detection & Analysis - the key here is to know your environment, to know when things are working correctly, and to have good situational awareness tools (logging, SIEM, Vulnerability Management, GRC, DLP, IDS/IPS, filtering, anti-malware) so you know when things are not right. Armed with the documentation these and other tools provide, your team can then analyze what does not seem right in the environment. It is during this phase that your appropriate management team classifies the situation as an Event, Incident or Breach (as we discussed last time). You may need to bring in expert help for the analysis; you, of course, need to determine in advance how you will decide to do so and how you will do it. It is important to document all the measures taken in this phase.
- Containment, Eradication & Recovery - based on what you learned through analysis, you must decide how to minimize damage by segregating affected systems, determining if and how to remove the problem, and what measures should be taken for recovery, up to and including invoking your Disaster Recovery or Business Continuity plans. Again, you may need to bring in expert help for this phase. It is important to document all the measures taken in this phase.
While NIST considers post-incident activity the final part of the response phase, I think the post-incident work deserves its own section. There are two main parts:
- Communication - this is both internal and external (if needed) communication. Internally, people need to get an overview of what happened, what they should or should not communicate, and what steps are being taken. If your issue was high-profile or involved a breach of information for which notification is required, you must provide timely communication. In the absence of information, rumors develop. The court of public opinion does not look kindly upon organizations that withhold information or don't accept responsibility for issues.
- AAR and Lessons Learned - This is one of the most critical parts of the whole cycle. Events and incidents happen. Breaches happen. We need to learn and adapt to get better. Look at your whole Incident Management cycle. What worked? What didn't? What could you have done better? Build these aspects into your plan and improve! The AAR is your After Action Report, which contains the details of the event and the response to it.
What other tips and techniques would you add? Are there aspects of the plan in the guide that don't work for you?