As security professionals, we understand and focus on proactive and reactive security measures and technologies, concentrating the majority of our efforts on trying to prevent and detect incidents. We understand and are comfortable with prevention technologies such as firewalls, perimeter gateways, endpoint protections technologies, DLP and IPS systems.
Familiar Focus
We are familiar with auditing and testing the environments, writing policies and training users. We then tend to focus our next effort on detection solutions such as IDS, Quarantine/AET/APT SIEM systems.
Psychologically these detection solutions are less appealing to us as they are an explicit acknowledgement that our prevention strategy will most likely fail. Nonetheless we are keen to detect in order to reduce our exposure time and minimise the impact of breaches. All of these solutions and services may be perfectly valid, appropriate and justifiable to help reduce the impact of likely security incidents as part of a structured Information Security Management System.
Response
The area that tends to receive least focus is “the respond” piece. Organisations develop and rehearse Disaster Recovery plans either on their own or as part of business continuity plans because financial auditors and insurers mandate it. Organisations tend to leave their respond efforts there – compliance box ticked.
Disaster recovery response planned is for one specific scenario for a set of specific security incidents. There are lots of other security incidents such as data breach or data leakage, malware or ransomeware outbreak and loss of critical service incidents (accidental or DOS/DDoS) that might not require or invoke any disaster recovery protocols. They still warrant a carefully documented and rehearsed IT and business-wide response.
Next time..
In our next blog, we use our specialist security knowledge to tell you the importance of a thorough, reliable incident security plan.