Incident Response
In my last article I wrote about the importance of Incident Response and what it takes to design, create and maintain an incident response program effectively and efficiently. In this article we shall see what it takes to establish an incident response capability, how to reduce incidents, and a few good-to-have practices that are the building blocks of an effective and efficient incident response program.
You should create, provision and operate a formal incident response capability. To establish one, first develop an incident response policy and supporting procedures for incident handling and reporting. Next, design guidelines for communicating with third-party vendors about incidents. Sufficient time and thought should go into the selection, staffing and training of the incident response team. Relationships need to be established between the incident response team and other groups, both internal (e.g., the legal department) and external (e.g., law enforcement agencies). Finally, determine the scope of services that the incident response team shall provide.
You should aim to reduce the frequency of incidents by effectively securing networks, systems and applications. Preventing problems is normally less costly and more effective than reacting to them after they occur. Thus, incident prevention is an important complement to an incident response capability. If security controls are insufficient, high volumes of incidents may occur, overwhelming the resources and their capacity for response, which would result in delayed and/or incomplete recovery and possibly more extensive damage and longer periods of service and data unavailability. Incident handling can be performed more effectively if you complement your incident response capability with adequate resources to actively maintain the security of networks, systems and applications, freeing the incident response team to focus on handling serious incidents.
You should document your guidelines for interactions with other organizations regarding incidents. During incident handling, your organization may need to communicate with outside parties, including other incident response teams, law enforcement, the media, vendors and external victims. Because such communication often needs to occur quickly, you should predetermine communication guidelines so that only the appropriate information is shared with the right parties. Should sensitive information be released inappropriately, it may lead to greater disruption and financial loss than the incident itself. Creating and maintaining a list of internal and external points of contact, along with backups for each contact, should make communication among parties easier and faster.
You should emphasize the importance of incident detection and analysis throughout the organization. Hundreds of possible signs of incidents may occur in your organization each day, recorded mainly by logging and computer security software. Given the volume of this work, automation is needed to perform an initial analysis of the data and select events of interest for human review. Event correlation software and centralized logging are of great value in automating the analysis process. However, the effectiveness of this process depends on the quality of the data that goes into it. You should establish logging standards and procedures to ensure that logs and security software collect adequate information and that the data is reviewed regularly.
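As an added illustration (not from the article), a minimal correlation pass over a few constructed authentication log lines: it counts malformed lines as the data-quality signal the paragraph stresses, and surfaces only a burst of failures followed by a success for human review. The log format, threshold and window are assumptions.

```python
# Added example (not from the article): a minimal correlation pass that reduces raw
# authentication log lines to a short list of events for human review. Format, threshold and window are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assumed format: "<ISO timestamp> <src-ip> <user> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-01-05T09:00:01 10.0.0.5 alice FAIL
2024-01-05T09:00:03 10.0.0.5 alice FAIL
2024-01-05T09:00:04 10.0.0.5 alice FAIL
2024-01-05T09:00:06 10.0.0.5 alice FAIL
2024-01-05T09:00:07 10.0.0.5 alice FAIL
2024-01-05T09:00:09 10.0.0.5 alice SUCCESS
2024-01-05T09:10:00 10.0.0.9 bob FAIL
2024-01-05T09:11:00 10.0.0.9 bob SUCCESS
2024-01-05T09:12:00 truncated-line"""

FAIL_THRESHOLD = 5             # failures from one source before a success is suspicious
WINDOW = timedelta(minutes=5)  # failures older than this no longer count

def parse_lines(text):
    """Parse raw lines and count malformed ones: input quality decides what automation is worth."""
    events, malformed = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "SUCCESS"):
            malformed += 1
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return events, malformed

def correlate(events):
    """Flag a SUCCESS preceded by >= FAIL_THRESHOLD failures from one source within WINDOW."""
    recent_fails, findings = defaultdict(list), []
    for ts, src, user, result in sorted(events):
        recent_fails[src] = [t for t in recent_fails[src] if ts - t <= WINDOW]
        if result == "FAIL":
            recent_fails[src].append(ts)
        elif len(recent_fails[src]) >= FAIL_THRESHOLD:
            findings.append({"src": src, "user": user, "failures": len(recent_fails[src]),
                             "at": ts.isoformat()})
            recent_fails[src].clear()
    return findings

def triage(text):
    """One pass over a log: how much was parsed, how much was unusable, what to review."""
    events, malformed = parse_lines(text)
    return {"parsed": len(events), "malformed": malformed, "findings": correlate(events)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```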
I shall continue sharing best practices with respect to Incident Response in my next article.
- Montu Das