Incident and Data Breach Response Best Practices
Yes, there is a right way — and a wrong way. What is your organization’s process for responding to a cybersecurity incident? Not sure? Or worse, don’t have a formal process in place? Keep reading. Your organization’s incident response (IR) process is a critical part of your security posture because it specifies the actions you will take in the critical hours and days after you suspect a security breach. Those actions determine the extent of the damage and exposure from the breach, and they largely determine whether the attackers get back in afterward. What does a good incident response plan look like? Here are six incident response best practices to get you off to a good start.
1. Have an IR Plan in Place Before an Incident
Your IR plan should fall under the continuity of operations (COOP) planning your organization already undertakes to keep operating through natural disasters, civil unrest, or other disruptions. Many organizations include their cybersecurity IR plan as a section of their business continuity and disaster recovery documentation. Be deliberate in crafting your incident response procedures. They must be documented, well-informed, specific, and actionable. The goal is to list the technical steps required to identify, validate, and remediate an incident as quickly and safely as possible. Most importantly, make sure your staff understands the IR plan and can execute it in potentially challenging circumstances, such as when the network, email server, and VoIP phone system are all compromised. A plan that exists only as a document on the compromised file server is no plan at all: keep printed or offline copies, and exercise the plan with tabletop drills before you need it.
2. Get the Visibility You Need to Understand What Happened
Visibility is security. I’ve written about the importance of visibility in detecting and validating cybersecurity incidents. If you can’t find all the malware or figure out how it got into your network, how can you mount an effective response? You need detection tooling that covers endpoints, network traffic, and authentication logs so that you can find every instance of the malware, not just the one that tripped an alert. You also need experienced security analysts who can validate threats, determine the severity and extent of the breach, and work out how the malware got in. There’s no substitute for capable technology and expertise here. Without them, your data breach response plan risks mounting an incomplete response that leaves the attackers’ other footholds in place.
3. Set up a Protocol for Out-of-Band Communications in Advance
Sophisticated attackers often target your communications, including email servers, messaging systems, and VoIP phone systems. If you try to respond to a security incident over compromised systems, you should expect your communications to be monitored or hijacked by the attackers, and your response to fail as a result. Your incident response plan must include a communication protocol and contact information for the staff who will mount the IR. The contact information should include mobile phone numbers and alternate, off-network email addresses, for starters. The out-of-band channel must also not depend on the identity provider or single sign-on system that may itself be compromised; an external messaging service authenticated with corporate credentials is not truly out of band. In the event of a suspected data breach, key staff should begin communicating about the breach over the out-of-band channels immediately. Other communications unrelated to the incident should continue over normal network channels for the time being, until the course of action for the full IR is determined. (You don’t want the attackers to know you’re onto them, and a sudden drop in email traffic might tip them off.)
4. Don’t Overreact
Learning of a suspected breach is frightening and stressful. However, it is imperative that your incident response team follows the plan and avoids rash, heat-of-the-moment decisions. The reality is that the attackers likely have several footholds in your network by the time they’re detected. Your response must include determining how they got in, where they pivoted to, and how they’re moving around the network. This is frequently a 24/7 monitoring effort lasting several days, and you will have to be patient and strategic. Why? Because you don’t want the attackers to know you’re onto them: pulling one infected host offline usually just tells them to move to the next one. The only way to comprehensively remediate an intrusion is to see all the activity related to the breach, including when and where they’re logging in, where they’re hiding malware, and what data they’re accessing. The one exception is active harm: if you can see data being exfiltrated or destruction under way, immediate containment of the affected systems takes priority over continued observation.
5. Develop and Launch an Incident-Specific Remediation Plan
Once you have secured out-of-band communications, coordinated efforts with all the key personnel, and identified all facets of the attack, you can take steps to kick the attackers and malware out of your network all at once — for good. Coordinated eradication typically includes removing persistence mechanisms on every affected host, closing the original entry point, and resetting the credentials the attackers were observed using, since a foothold left behind or a password left unchanged is an invitation to return. It is also important to remain vigilant after you complete the remediation. More often than not, the attackers will revisit your network to look for new or previously exploited weaknesses. Your cybersecurity team should develop monitoring tailored to the specific indicators from the breach, such as the domains, IP addresses, and file hashes the malware used, so that a return visit is detected immediately.
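The tailored post-remediation monitoring described above, as an added illustration (this is not Quadrant’s or the Sagan project’s code, and the indicators, hostnames, and log lines are all constructed for the example). It keeps a watch list of indicators from the previous breach, handles the “defanged” forms (hxxp, [.]) that incident reports commonly use, matches subdomains of a known bad domain as well as the exact domain, and scans new log lines for any of them so that a return visit surfaces as an alert.

```python
"""Post-remediation watch list: re-check new logs for indicators from the last breach.

Added illustration. The IOCs and log lines below are constructed, not from a real incident.
"""
import re
from dataclasses import dataclass

# Indicators retained from the previous intrusion (constructed for this example).
# Report feeds are often "defanged" (hxxp, [.]); mixed case is also common.
PREVIOUS_BREACH_IOCS = {
    "domain": ["update-cdn[.]example-bad[.]net", "Login-Portal.Example-Bad.COM"],
    "ip": ["203.0.113.45"],
    "sha256": ["0123456789abcdef" * 4],  # constructed placeholder hash
}

# Constructed sample log lines: DNS, proxy, and endpoint (Sysmon-style) events.
SAMPLE_LOGS = [
    "2024-05-02T03:14:07Z dns client=10.0.4.21 query=cdn7.update-cdn.example-bad.net type=A",
    "2024-05-02T03:14:09Z proxy src=10.0.4.21 dst=203.0.113.45:443 method=CONNECT status=200",
    "2024-05-02T03:15:30Z sysmon host=WS-0421 image=C:\\Users\\Public\\svchost.exe "
    "sha256=" + "0123456789abcdef" * 4,
    "2024-05-02T03:16:00Z dns client=10.0.4.22 query=www.example.com type=A",
]


def refang(indicator: str) -> str:
    """Turn defanged, mixed-case indicator text back into a matchable lowercase form."""
    s = indicator.strip().lower()
    return s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    indicator: str
    line: str


class BreachWatchList:
    def __init__(self, iocs: dict):
        self.domains = {refang(d) for d in iocs.get("domain", [])}
        self.ips = {refang(i) for i in iocs.get("ip", [])}
        self.hashes = {refang(h) for h in iocs.get("sha256", [])}
        # Hostnames: dotted labels ending in a letters-only TLD, not glued to other text.
        self._host_re = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])")
        self._ip_re = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
        self._sha_re = re.compile(r"\b[0-9a-f]{64}\b")

    def _domain_hit(self, host: str):
        # Match the known domain or any subdomain of it; attackers rotate prefixes.
        for d in self.domains:
            if host == d or host.endswith("." + d):
                return d
        return None

    def scan_line(self, line_no: int, line: str) -> list:
        text = line.lower()
        hits = []
        for host in self._host_re.findall(text):
            d = self._domain_hit(host)
            if d:
                hits.append(Hit(line_no, "domain", d, line))
        for ip in self._ip_re.findall(text):
            if ip in self.ips:
                hits.append(Hit(line_no, "ip", ip, line))
        for h in self._sha_re.findall(text):
            if h in self.hashes:
                hits.append(Hit(line_no, "sha256", h, line))
        return hits

    def scan(self, lines) -> list:
        hits = []
        for n, line in enumerate(lines, 1):
            hits.extend(self.scan_line(n, line))
        return hits


def indicator_counts(hits) -> dict:
    """Summarise which previous-breach indicators recurred, for the analyst's triage."""
    counts = {}
    for h in hits:
        counts[h.indicator] = counts.get(h.indicator, 0) + 1
    return counts


if __name__ == "__main__":
    watch = BreachWatchList(PREVIOUS_BREACH_IOCS)
    for hit in watch.scan(SAMPLE_LOGS):
        print(f"ALERT line {hit.line_no}: {hit.ioc_type} {hit.indicator} :: {hit.line}")
    print(indicator_counts(watch.scan(SAMPLE_LOGS)))
```

In practice the watch list would be loaded from the incident’s indicator file and run continuously against the SIEM’s log stream rather than a list in memory; the matching logic, particularly refanging the indicators and treating subdomains of a known bad domain as hits, is the part worth carrying over.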
6. Don’t Wing It — Bring in a Pro to Help
I focus on my clients’ IR processes because their IR plans encompass the sum of what they can control in the event of a breach and direct the actions that will be the most impactful in remediation. A good incident response plan makes it much easier for key staff to perform well and take the essential steps in what may be a very challenging time.
Incident Management Best Practices: A Time-Consuming Process
IR, done correctly, is intense and time-consuming. To be candid, most organizations do not have the resources in-house to mount a significant IR while also maintaining daily operations. My company, Quadrant Information Security, can help, and we go a step further than other managed security services firms. Many cybersecurity companies will simply tell you what’s wrong, or what might be wrong. They notify you of the incident but can’t help you understand what steps to take next (or won’t provide any assistance without additional charges). This is not our approach. My clients need to know what happened, why it happened, how to contain the threat, and how to fix it. We work with them in advance to get a solid IR plan in place. Then, in the event of a suspected data breach, we identify and validate the threat and help them determine the next steps during those critical moments. When an incident has occurred within a client’s network, we provide around-the-clock IR support and project management through the life cycle of the incident. In conjunction with our 24/7/365 Security Operations Center (SOC), a Quadrant IR Lead engages with the client to ensure that all necessary analyses are completed and that all data and information related to the event are provided to the client promptly and with quality assurance.
Quadrant’s Managed Security Services Model
Identification, validation, reporting, and incident response are the four components that make up the Quadrant managed security services model. We assist with root cause analysis and ultimately help clients with incident containment and continuity of operations. Our Sagan solution, an all-inclusive cybersecurity software ecosystem, provides real-time visibility into your network, and our SOC provides 24/7/365 monitoring, notification, and remediation assistance by security professionals who have led hundreds of successful cybersecurity IRs. Together, these resources enable us to deliver unmatched value in IR support and managed cybersecurity services.