The 5 Pillars That Ensure Practical and Sustainable Incident…

    By Vincent Naughton on October 28, 2014

    Welcome to the fourth blog in our information security series where we guide you through the first three of five pillars that will ensure a successful incident response programme for your organisation.


      In our experience, organisations tend to over-complicate their approach to incident response. The pitfalls we have come across include creating silos, taking impractical approaches, and poor or complicated communication with the business (before, during and after an incident), all of which result in an ineffective response capability, weak management commitment, and little or no resources or agreed plan to act.

      IT incident response is really simple if you approach it clinically. It is about:

      Restoring normal business operations that depend on Information Systems disrupted by an incident, as quickly as possible and with minimal impact to the business, and preventing similar incidents from having a significant impact on the business in the future.

      1. Gain executive support

      You need a simple and effective communication plan to make the executive aware of the overall risk, impact and likelihood of incidents occurring to the Information Systems of the business. Achieve awareness by using strategic language in a manner that is appropriate and relevant to an executive. Use language such as AETs, SIEMs, CSIRTs etc. and you will lose them. However, expressing the impact of downtime of your e-commerce channel in €XX,000’s per hour, with an externally validated high likelihood of a sustained outage as a result of significant underinvestment in securing this channel, will get their attention.

      What you want from the executive is a mandate for your plan to address those risks proactively and reactively. You also want one or more executive sponsors permanently attached for the sustainability and operation of your incident response plan, as well as your overall Information Security Management System. In our experience, Business Continuity Programmes and Disaster Recovery programmes are terms and concepts that executives are more than aware of at a business governance level, so they typically gain easier acceptance and sponsorship.
      IT and IT security often miss an opportunity to “Trojan horse” the broader set of security risks/incidents and incident response under BCP or DRP umbrellas (and budgets) by being too narrowly focused on “disaster” scenarios only, rather than including all important information security incidents that have the potential to significantly impact the business.

      2. Defined and agreed objectives and scope

      Organisations that have mature Incident Response capabilities typically have crystal clear objectives for their response plan and understand the scope of the systems and processes that need to be managed under the plan. They can also articulate relevant objectives to all levels of the business in a compelling fashion.

      3. Documented, communicated, workable process and plan

      Your organisation’s Incident Response process and plan should be well documented and communicated. It should be backed by simple policy and procedures and cover all of the following major phases of incident response, which we detail below.

      Communication Phase

      This is not so much a distinct phase as a critical requirement through all phases, including prior to the incident. An effective communication plan tells the right people when things are normal and when they are not. It tells the right people the right amount of information at the right time. A good plan won’t over-dramatise events, as this risks “crying wolf” syndrome. It should also tell people what is needed or what they need to do at key points in time, and it should follow up and close the loop. Communication should orchestrate the plan while an incident is occurring.
      Information Security should take its lead from other compliance roles, such as health and safety. Your Incident Response communication plan should also communicate the effectiveness of your prevention/deterrence actions by outlining how long you have been without a significant Information Security incident. That way, information security and your Incident Response plan stay on the agenda all the time!

      Detection Phase

      Review your detection mechanisms to ensure you are minimising your exposure time and that the incident is real, i.e. not a false positive.

      Assessment & Triage Phase

      Figure out what is going on and determine immediate actions to try to achieve your objectives. Remember the typical goal is to restore services in the shortest time with minimal impact. There may be a low-risk quick fix that achieves this without waiting to follow the subsequent phases. However, the Hippocratic oath is relevant in this context: whatever you do, “first do no harm”.
      This phase might also need some level of detailed forensic investigation to try to pinpoint the source and impact of the problem, and possibly to preserve evidence for legal, civil or compliance litigation purposes.

      Mitigation Phase

      Once you have a fuller picture of what is happening, work to put in place a sustainable solution to address the problem. Speed is typically of the essence to minimise impact, so you may need a phased plan covering short-term and longer-term mitigation.

      Recovery Phase

      Recovery is the execution of the process to restore business as usual (BAU), enabled by the mitigation.

      After Action Review Phase

      Continuous improvement means that once you have learned the key lessons from the incident, the organisation takes those lessons on board and puts in place the necessary systems, resources and processes to prevent similar incidents from occurring or having an impact in the future.
      CISOs or CIOs can usually make the “unanticipated incident” justification for significant events once, or maybe twice, in their careers within an organisation. Organisations and their IT functions have traditionally been shy about sharing the fact that they have had a security incident, whether within the organisation or with affected parties. As part of “changing the conversation” (link to previous blog), wouldn’t it be really refreshing to get an email from your service provider along the following lines:

      “Dear valued customer,
      Today we had a sustained outage of over 2 hours resulting from a denial of service attack originating from a compromised set of computers in data centres in Asia, targeting our online store. From our investigations none of your data was compromised during the incident as the result of strong security measures that we have put in place since our inception. Since the denial of service attack, we have further revised our other perimeter security solutions and we have put in a best of breed DDoS service.
      Though similar and other attempted attacks are continuing, our service is back to near normal. We will continue to work with our ISPs and local and regional law enforcement to ensure the continued protection of your data in any future security incident.”

      I would trust and value that level of honesty from my internal or external service provider far more than sustained silence or a one line notification of an outage with an apology.

      Pillars 4 and 5

      We’ll leave you with that wealth of information this week. Next week, we bring you the final two pillars that will ensure practical and sustainable incident response. In the meantime, follow our posts on Twitter and LinkedIn to keep up to date with information security.
