  • The 5 Pillars That Ensure Practical and Sustainable Incident…

    By Vincent Naughton on November 3, 2014


    • Welcome to our final blog in this particular information security series where we bring you pillars 4 and 5 that will ensure practical and sustainable incident response within your organisation.
      4. Resources and accountability
      Like all plans and processes, an incident response plan is useless unless it has adequate resources and accountable roles. The Incident Response resource pool needs to be staffed by interested and willing stakeholders from all levels in the business, with suitable skills and tools.
      It needs to address or encompass all identified roles, from technical through investigative, incident supervisors, communication and public relations, legal, HR, heads of impacted business units and functions, etc., with any associated geographic spread.
      Organisations frequently forget to include, consider and contract relevant key suppliers, service providers, partners and customers in their plan. Organisations also need to consider the tools they might need. Smart tool selection on the part of information security means that tools for incident handling are part of your prevention/mitigation strategy. It also means they have an important role to play in detection and incident handling, giving you the best bang for your euro.
      The tools you need to ensure information security:

      Purpose: Detection
        • Database Activity Monitoring (DAM)
        • IPS/IDS
        • SIEM
        • DLP
        • Anti-Malware – endpoint, gateway

      Purpose: Analysis / Investigation
        • Network forensics
        • Digital forensics
        • Network analysis
        • Systems management and monitoring tools
        • Provisioning tools
        • Log management, analysis and audit tools

      Purpose: Incident Management
        • Incident case management tools – mobile, cloud and on premise
        • Support, ticketing and tracking tools
        • Knowledgebase and support tools
        • Incident management extensions to detection tools
        • Collaboration and workflow environment
        • Communications technology – phones (fixed and mobile), conferencing, mobile devices (laptops, tablets, PDAs)
        • Incident management training tools

      Purpose: Prevention/Mitigation
      Most standard Information Security technologies such as:
        • Firewalls, WAFs, UTMs, NGFW
        • Web and email gateways
        • Anti-Virus / Anti-Malware – endpoint, application
        • AET/APT mitigation technologies such as quarantine etc.
        • SIEM
        • IPS/IDS
        • Network and endpoint DLP
        • DAM
        • Encryption
        • Vulnerability Management and AST
        • Configuration and patch management
        • Identity and Access Management

      5. Sustainability
      Any Incident Response process should be part of your day-to-day operations, from small through to critical information security incidents. Your process simply needs to be scalable, flexible and appropriate.
      For example, a minor malware infection on a single unimportant workstation might not warrant C-level notification or rolling out the in-house solicitor and PR machine. However, if you follow a standardised process for each incident, you are continuously validating and refining your process and skills for the big incidents, and consistently improving your prevention and mitigation by applying lessons learned.
      Our Advice…
      The bottom line: Change the conversation within your business and acknowledge that significant security incidents will occur. Mobilise your business to hone your response efforts beyond simple DRP to cover all likely information security incident scenarios, in equal measure to prevent, detect and reduce the costs of a breach to your business. The alternative is an immature incident response approach, costing up to 20 times more to rectify. That’s an alternative that your business doesn’t need. Plan ahead and protect your future.
