Incident Response is Changing, Here’s Why and How

Organizations can no longer simply dust off their incident response (IR) plan when a breach happens. If you haven’t gone through the rigors of various exercises to know what to expect and what to do, pulling out your IR plan during a cyber attack or after a breach has occurred has little impact. Zero-dollar IR retainers aren’t the best path forward either. They’re cost effective if you aren’t breached, but breaches happen. When they do, you want to make sure the emergency call you make is to a team who knows you and your organization and can mobilize quickly with a custom response because time is of the essence. 

Every year Ponemon reports on the relationship between how quickly an organization can identify and contain a breach and the financial consequences. The 2018 Ponemon Cost of a Data Breach Study found that the average total cost of a data breach has now reached $3.86 million and the chance of recurrence is 28%. Mean times to identify and contain have continued to creep up and are now at 197 days and 69 days respectively. To reverse these trends and better protect themselves from future attacks, organizations need to shift from a reactive approach to incident response to a proactive incident readiness mindset.

Fortunately, organizations are recognizing this and taking action. Nearly half of the respondents to the Cisco 2019 CISO Benchmark Study say they are focusing on time to remediate as a key indicator to measure their security posture, up from 30% last year. Furthermore, Gartner states that cyberinsurance carriers are also looking closely at what IR retainer services organizations have in place and by 2021 expect that 40% of retainers will be approved from an insurer-approved list, up from less than 5% today. 

A proactive approach to IR requires ongoing attention by skilled security professionals with IR expertise. For most organizations such talent is difficult to hire and even harder to retain, hence the increased focus on IR retainer services. When these outsourced resources aren’t actively engaged in incident response, savvy security leaders don’t let them sit idle. They take advantage of the additional bench strength – knowledge and personnel – to sharpen their internal teams’ skills and improve their security posture. If you’re evaluating IR retainer services, these six questions can help ensure you’re getting the support you need to be proactive: 

1. How can you help us develop a plan for when an incident occurs? IR plans should be informed by real-world experience and use threat modeling to identify attack types that could affect your organization. Plans should include step-by-step instructions or playbooks, based on best practices and tailored to fit your needs, so you can respond quickly and comprehensively to common types of incidents. 

2. Are we missing anything we need in order to respond? Readiness assessments provide deep visibility into your ability to detect, respond, and recover from attacks. The objective is to help you discover vulnerabilities, prepare for audits, and plan remediation activities. Assessments should encompass multiple functions across your organization to ensure you’re prepared to handle incidents in their entirety.

3. How can we know that we will respond correctly? Tabletop exercises give you the opportunity to determine the effectiveness of your incident response plans, review the roles and responsibilities identified in plans and playbooks, and work through the different phases of IR before an attack happens. These exercises will quickly reveal the strengths of your team and plan, as well as gaps in policy, procedures, and processes. 

4.  Are we currently compromised? Compromise assessments give you a broad view of whether your organization is currently at risk or has been compromised in the past. They map the assets attackers find most attractive to gaps related to protection, detection, and response. Reports provide recommendations for closing these gaps so you can proactively mitigate potential attacks in the future. Threat hunting provides a more focused answer to this question. It involves continuously searching for attack signs to find active threats and breached systems, conducting in-depth analysis, reporting out on findings, and then following the IR plan to take action. New methods are now being used to root out both internal and external threats. 

5. What can we do to build our skills to combat threats? Cyber range workshops, led by top security experts with deep experience and insights, enable you to learn from both the attacker and defender point of view. Using the latest tools and industry best practices, cyber range allows you to gain relevant experience across a spectrum of attack scenarios. Synthetic war-gaming environments are tailored to specific types of attacks based on your organization’s direct experience or attacks your competitors have faced.

6. How good are we at preventing and detecting attacks? Unlike an extended war game, Purple Teaming is collaborative and iterative. Exercises offer a point-in-time snapshot of your exposure to advanced persistent threats and provide monitoring and mitigation advice to improve security operations. The Purple Team model is designed so that organizations can work toward a healthier security posture throughout the exercise to capture immediate and ongoing value. 

Shifting to a proactive approach to IR is critical but identifying partners who can provide the capabilities you need is a challenging task. Armed with the right questions and an understanding of what’s possible you can navigate the complexity and find a partner to help you increase your preparedness, respond more effectively, and build resiliency.

view counter

Original author: Ashley Arbuckle