Many say that it's not a question of if we will suffer a breach, but when and how we will suffer a breach. And yet there are organizations that consider this an optional capability.
Last time we talked about the first two parts of the Incident Management program: Prevention and Planning/Preparation.
Next is:
Communication. So these groups know their roles:
- Security, IT, Privacy, Legal, HR, Communications
- Executive Management and the board so they endorse the process
- Responders so you know you can reach them
- Preparation - having available information including: contact information, on-call lists, incident response procedures, a command center, workstations, blank media, clean installation media
- Detection & Analysis - the key here is to know your environment, to know when things are working correctly, and to have good situational awareness tools (logging, SIEM, Vulnerability Management, GRC, DLP, IDS/IPS, filtering, anti-malware) so you know when things are not right. It is then, armed with the documentation provided from these and other tools, your team can analyze what does not seem right in the environment. It is during this phase that your appropriate management team can classify the situation as an Event, Incident or Breach (as we discussed last time). You may need to bring in expert help for the analysis. You, of course, need to determine, in advance, how you will decide to and do this. It is important to document all the measures taken in this phase.
- Containment, Eradication & Recovery - based on what you learned through analysis, you must decide how to minimize damage by segregating effected system, determining if and how to remove the problem, and what measures should be taken for recovery, up to and including invoking your Disaster Recovery or Business Continuity plans. Again, you may need to bring in expert help for this phase. It is important to document all the measures taken in this phase.
While NIST considers this the final part of the response phase, I think the post-incident work deserves its own section. There are two main phases:
- Communication - this is both internal and external (if needed) communication. Internally, people need to get an overview of what happened, what they should or should not communicate, and what steps are being taken. If your issue was high-profile or involved a breach of information for which notification is required, you must provide timely communication. In the absence of information, rumors develop. The court of public opinion does not look kindly upon organizations that withhold information or don't accept responsibility for issues.
- AAR and Lessons Learned - This is one of the most critical parts of the whole cycle. Events and incidents happen. Breaches happen. We need to learn and adapt to get better. Look at your whole Incident Management cycle. What worked? What didn't? What could you have done better? Build these aspects into your plan and improve! The AAR is your After Action Report, which contains the details of the event and response.
What other tips and techniques would you add? Are there aspects of the plan in the guide that don't work for you?
Barry: good, comprehensive article about preparation. I think where companies trip up is having everyone on the same page - IT collaborating with Marcom. Target might have prepared ahead of time but their internal and external communication was severely lacking which caused as much, if not more damage in the public eye.
ReplyDeleteGreat point Curt. It's quick action through communication that most directly correlates to public perception and reputation. I know that Target is doing what they need to internally, but it's often the timely communication that makes the difference.
DeleteIt was very informative post and shows the importance of incident response and NIST incident response process. Thanks for sharing
ReplyDelete