The complexity and precision of today’s cyberattacks may make you long for the simpler days of the Michelangelo virus. Add the sheer number of security alerts and false positives, and it’s easy to understand why incident response teams suffer burnout, leaving organizations at risk.

Incident response is the process of detecting and handling a security incident, cyberattack or data breach, remediating that threat, and recovering in the aftermath. It requires analysts to fend off attackers, review the results of their response and apply lessons learned to avoid a repeat threat.

A security breach can damage not only your business and your clients, but also your reputation, your most valuable asset. The average cost of a data breach is $3.86 million, according to the “2018 Cost of a Data Breach Study.” That’s for a typical security breach that requires 69 days to contain. But companies with more effective incident response reduced containment time to 30 days, and associated costs were 25 percent lower. That works out to about $1 million less per incident, money that can be invested in better processes, technologies and human resources to fight cyberattacks.

Although you can’t control whether cyberattackers target your company, you can control how you respond. Responding quickly and effectively to cyber incidents can help improve your company’s cyber resilience — the capacity to maintain your core purpose and integrity in the face of cyberattacks, as defined by Larry Ponemon.

Start Developing an Incident Response Plan

From the start of any incident response effort, it’s crucial to have a plan. Below are three strategies to help you hone your incident response capabilities and bolster your organization’s cyber resilience posture.

1. Create a Dynamic Incident Response Plan

Of organizations that rank as high performers in cyber resilience — i.e., those experiencing fewer data breaches and business disruptions — 55 percent have implemented an incident response plan. That compares with only 23 percent of middling performers. The companies that don’t have a plan are missing a fundamental element of cybersecurity. When IBM investigated why an organization would skip this step, answers ranged from lack of staffing and leadership to an organizational structure that didn’t support a centralized approach to incident response.

The heart of an incident response plan is the playbook. The playbook details the tasks and actions your organization should take in response to various incidents. It begins with traceable manual tasks that evolve over time based on what you learn from experiences or simulations. Using feedback from post-incident analysis and review, you can continually assess and refine your incident response playbook to improve response time and effectiveness. As the threat landscape changes, you may need new playbooks for emerging threats and scenarios.

Collaboration is the key to keeping up with developments. By being part of a community of security experts, you gain access to playbooks, standard operating procedures, best practices and troubleshooting tips. These all help you adapt to new developments as soon as they arise. But for a truly effective response, the most essential requirement is practice.

2. Practice and Review Your Response

Just developing a playbook isn’t enough; you need to regularly practice and update your incident response, either internally or with the help of a consultant. Crisis decision-making — which requires making quick calls without all the relevant information — can be overwhelming to those accustomed to having time to deliberate. Those who excel often have military or emergency medical experience and have been trained in principles that work in crisis situations. For example, fighter pilots use the OODA loop: observe, orient, decide and act. And in the military, the concept of commander’s intent defines the desired outcome for troops, so no matter what happens, they know what to do.

It’s also critical for security operations staff to understand just how bad the worst can be when you’re fighting a human adversary who can see your actions and pivot based on your reactions. During a cyberattack, analysts may be awake for 16 to 18 hours a day, possibly for weeks on end. Incident response providers with cyber range capabilities can help train employees on how to respond to an incident from the initial alert through postmortem. As incident response becomes more like muscle memory, your staff will become better equipped to handle any breach that occurs.

With a solid, documented incident response plan and the training to implement it, you can lay the foundation for a successful orchestration and automation program.

3. Orchestrate and Automate

One of the keys to improving incident response is to change your organization’s cybersecurity stance from reactive to proactive. According to Forrester, technology that provides automated, coordinated and policy-based security processes across multiple technologies makes operations more efficient and less error-prone.

Every day, 27 percent of security operations centers (SOCs) receive more than 1 million alerts, according to Imperva. On average, a security analyst investigates 20 to 26 incidents every day, taking 13 to 18 minutes for each one. How do SOCs handle this continuous bombardment? For the most part, they don’t. The most common response is to modify policies to receive fewer alerts.

Orchestration frees cybersecurity teams by streamlining processes, optimizing resources and enhancing the security culture. By combining human- and machine-based intelligence to increase speed and agility, orchestration can triple incident response volume.

By automating repetitive and time-consuming tasks, intelligent orchestration can also free up analysts’ time for more strategic priorities. Automation reduces the average cost of a data breach by $1.55 million, according to Ponemon, and improves prevention, detection, response and containment of cyberattacks. Analysts can work smarter with better information and act on superior intelligence.

Orchestration can make incident response up to 40 times faster, as noted in the “Third Annual Study on the Cyber Resilient Organization.” You can eliminate the noise, identify the critical threats and get back to your core business faster than ever.
