How to Create an Effective Incident Response Plan

July 19, 2019
| |
4 min read

The complexity and precision of today’s cyberattacks may make you long for the simpler days of the Michelangelo virus. Add the sheer number of security alerts and false positives, and it’s easy to understand why incident response teams suffer burnout, leaving organizations at risk.

Incident response is the process of detecting and handling a security incident, cyberattack or data breach, remediating that threat, and recovering in the aftermath. It requires analysts to fend off attackers, review the results of their response and apply lessons learned to avoid a repeat threat.

A security breach can damage not only your business and your clients, but also your reputation, your most valuable asset. The average cost of a data breach is $3.86 million, according to the “2018 Cost of a Data Breach Study.” That’s for a typical security breach that requires 69 days to contain. But companies with more effective incident response reduced containment time to 30 days, and associated costs were 25 percent lower. That works out to about $1 million less per incident, money that can be invested in better processes, technologies and human resources to fight cyberattacks.

Although you can’t control whether cyberattackers target your company, you can control how you respond. Responding quickly and effectively to cyber incidents can help improve your company’s cyber resilience — the capacity to maintain your core purpose and integrity in the face of cyberattacks, as defined by Larry Ponemon.

Start Developing an Incident Response Plan

From the start of any incident response effort, it’s crucial to have a plan. Below are three strategies to help you hone your incident response capabilities and bolster your organization’s cyber resilience posture.

1. Create a Dynamic Incident Response Plan

Of organizations that rank as high performers in cyber resilience — i.e., those experiencing fewer data breaches and business disruptions — 55 percent have implemented an incident response plan. That compares with only 23 percent of middling performers. The companies that don’t have a plan are missing a fundamental element of cybersecurity. When IBM investigated why an organization would skip this step, answers ranged from lack of staffing and leadership to an organizational structure that didn’t support a centralized approach to incident response.

The heart of an incident response plan is the playbook. The playbook details the tasks and actions your organization should take in response to various incidents. It begins with traceable manual tasks that evolve over time based on what you learn from experiences or simulations. Using feedback from post-incident analysis and review, you can continually assess and refine your incident response playbook to improve response time and effectiveness. As the threat landscape changes, you may need new playbooks for emerging threats and scenarios.

Collaboration is the key to keeping up with developments. By being part of a community of security experts, you gain access to playbooks, standard operating procedures, best practices and troubleshooting tips. These all help you adapt to new developments as soon as they arise. But for a truly effective response, the most essential requirement is practice.

2. Practice and Review Your Response

Just developing a playbook isn’t enough; you need to regularly practice and update your incident response, either internally or with the help of a consultant. Crisis decision-making — which requires making quick calls without all the relevant information — can be overwhelming to those accustomed to having time to deliberate. Those who excel often have military or emergency medical experience and have been trained in principles that work in crisis situations. For example, fighter pilots use the OODA loop: observe, orient, decide and act. And in the military, the concept of commander’s intent defines the desired outcome for troops, so no matter what happens, they know what to do.

It’s also critical for security operations staff to understand just how bad the worst can be when you’re fighting a human adversary who can see your actions and pivot based on your reactions. During a cyberattack, analysts may be awake for 16 to 18 hours a day, possibly for weeks on end. Incident response providers with cyber range capabilities can help train employees on how to respond to an incident from the initial alert through postmortem. As incident response becomes more like muscle memory, your staff will become better equipped to handle any breach that occurs.

With a solid, documented incident response plan and the training to implement it, you can lay the foundation for a successful orchestration and automation program.

3. Orchestrate and Automate

One of the keys to improving incident response is to change your organization’s cybersecurity stance from reactive to proactive. According to Forrester, technology that provides automated, coordinated and policy-based security processes across multiple technologies make operations more efficient and less error-prone.

Every day, 27 percent of security operations centers (SOCs) receive more than 1 million alerts, according to Imperva. On average, a security analyst investigates 20 to 26 incidents every day, taking 13 to 18 minutes for each one. How do SOCs handle this continuous bombardment? For the most part, they don’t. The most common response is to modify policies to receive fewer alerts.

Orchestration frees cybersecurity teams by streamlining processes, optimizing resources and enhancing the security culture. By combining human- and machine-based intelligence to increase speed and agility, orchestration can triple incident response volume.

By automating repetitive and time-consuming tasks, intelligent orchestration can also free up analysts’ time for more strategic priorities. Automation reduces the average cost of a data breach by $1.55 million, according to Ponemon, and improves prevention, detection, response and containment of cyberattacks. Analysts can work smarter with better information and act on superior intelligence.

Orchestration can make incident response up to 40 times faster, as noted in the “Third Annual Study on the Cyber Resilient Organization.” You can eliminate the noise, identify the critical threats and get back to your core business faster than ever.

Learn more about preparing your organization to respond to any security incident

Diana Kightlinger

Diana Kightlinger is an experienced journalist, copywriter and blogger for science, technology and medical organizations. She writes frequently for Fortune 5...
read more