Cyber Security Incident Response Planning (CSIRP): Minimizing Business Impact And Being Prepared
Enterprise Investment In Incident Response And Containment Climbing
Security practitioners live in a world of hacker sophistication – including automated reconnaissance and payload efforts. These same professionals are often charged with defending the network with the same or comparable resources as years past.
Giving her assessment of the space, Security Executive and Information Systems Security Association (ISSA) Member, Candy Alexander, said, “Responding to an incident has become commonplace. IT and security teams used to have to exercise their IRPs, but today, they exercise them for real.”
Security practitioner Keith Hollender, formerly the Vice President of Information Security at Synchrony Financial, piggybacked off that sentiment, saying: “Incident response has become more of a focus in the industry. The mindset has shifted from ‘not if, but when’ we will deal with a major incident.”
The security professional said that incident response platforms and cyber fusion centers are now focused on minimizing impact and being prepared. Comparatively, he said that just a few years ago, only select, large companies had IR teams – and the capabilities were limited.
“Today, more and more companies are investing in incident response and containing an incident once it occurs,” Hollender said. At the enterprise level, continued cyber-spend means more awareness around cyber-threats, but it does not always equate to scores of security staffers holed up at the data center searching for indicators of compromise (IoC).
Instead, it often falls to the same number of analysts to identify, verify and contain threats. The challenges behind this structure will be touched upon in this report, but it’s certainly worth noting in a section documenting a CSIRP background. For folks entrenched in the SOC, proper security information and event management (SIEM) software and tactics are the best weapon against threat actors.
A Technical Touch
It bears repeating that successful CSIRPs – which involve threat intelligence, forensic analysis, post-breach containment controls, etc. – are both established and repeatable. But successful incident management also revolves around a few technical components.
For one, analysts are always on the lookout for IoCs, which ultimately need triaging and individual attention. While that can get lost in a queue with busy analysts, there are certain methods that allow for streamlined attention and care.
Numerous enterprises today employ threat intelligence platforms – many of which are sophisticated tools that overlay the “requisite” security functionalities – and these tools feed security teams with scores of notifications.
Of course, in an age of automation, early-stage machine learning may produce a high number of false positives (pulling security teams away from potentially devastating incidents elsewhere). But these tools may also delve so far into numerical detail that they offer CISOs and the like actionable intelligence. Some of that intelligence can concern active threats; other findings might be vulnerabilities, aka “open windows.”
Elsewhere, useful intelligence may come from third parties or internal audits. Nevertheless, an IoC could pull an analyst in for a ride: from detection, to (data-based) verification, to containment.
IR Challenges And Best Practices
No matter the technical acumen of the security teams, sometimes adequate incident response comes down to sustainability and executive decisions of the wider business. Read the full market report “Diagnosing Disaster: How To Recover From An Attack” to learn about the notable IR challenges, best practices and the outlook for automating CSIRP.