With business and IT networks growing more complicated — and cyberattacks growing more persistent — organizations need full incident management to manage and mitigate today’s cyberthreats successfully. David Monahan, research director at EMA, and Ted Julian, vice president of product management at IBM Resilient, recently explored the evolution of incident response (IR) in the webinar, “Incident Response: The Shift Towards Full Management.”
The Evolution of Incident Management Tools
Monahan and Julian discussed full incident management, which is a comprehensive approach to IR that ensures all stakeholders, systems and risks are addressed. It also enables teams to make decisions quickly and effectively. We asked Monahan about the shift toward full incident management and how organizations can leverage this strategy to better protect against cyberattacks.
Question: Can you define full incident management and explain the shift toward this strategy?
Monahan: With traditional incident management, we often see a simple process: An analyst gets an alert or ticket generated in a queue. The ticket is opened and triaged and is either resolved or escalated. For many common issues, this works well. But in the event of a serious issue or a breach, a higher level of process and planning is needed. You need people, processes and technologies aligned for all stakeholders across the organization — from security and IT to marketing and legal and others. That’s full incident management.
It requires more detail and thoroughness and is akin to disaster recovery planning. In full incident management, processes and tools are aligned so that simple events are dealt with easily, and hand offs are seamless with technology facilitating the operations. Full incident management really shines during severe incidents. The processes and tools accommodate for the more-demanding operational needs of a significant outage or a breach by including playbooks and automation for workflows, and including alternate path flows more common in the larger issues.
It also facilitates communications and other management responsibilities to address the larger problem that may include organizations like legal, HR [human resources] and law enforcement. With full incident management, your IR processes are more efficient and effective, and comprehensively defend business value.
You have organized and managed SOCs [security operations centers] and NOCs [network operations centers] for organizations — from Fortune 100 companies to local government and small public and private organizations. Do you see any commonalities with the challenges they face?
These organizations obviously have unique challenges — but they also have many similarities as well. First, all these organization types feel pressure from specific stakeholders. They have SLAs [service legal agreements] to uphold. They have demanding customers. They are beholden to regulations.
Second, there are industry-wide challenges they all face. There’s a universal need for better data, automation and tools to support initiatives. And, of course, the skills gap impact impacts everyone. Finally, no matter what drives these organizations, they are all targets for hackers or cybercriminals. They all must be prepared to fend them off — and must have a response plan should a breach occur.
A recent EMA study found that only 1 percent of security professionals would consider their organization to have achieved full incident management. What does it take to be in the 1 percent?
The key to achieving full incident management is commitment. It needs to be made a priority at an organizational level. That’s the cornerstone. More specifically, it is really about increasing the levels of automation and business process alignment between IT, business departments and other resources so that each of their roles fundamentally shifts from reactive to adaptive and dynamic when it comes to breach response.
Day-to-day performance and availability issues are largely managed by automation. This is so the respective teams can focus on optimizing to meet shifting business conditions and thus capture business advantage.
What are the typical organizational resistances in achieving full incident management?
There are three categories of resistance I commonly see: people, tools and data. We’ve all seen the unfortunate “we’ve always done it that way” mentality — or been challenged by politics or turf battles among those who want to control the flow of information. But we’ve also seen that security management can change this culture through leadership and education.
With tools, it’s the technical challenges of integration and automation. This usually comes from difficulties collecting and leveraging the proper business requirements to purchase the correct tools or a lack of investment in achieving the level of integration needed.
With data, the challenges are both strategic and tactical. Many organizations simply struggle to recognize the benefits and, therefore, don’t invest in sharing. Other times, organizations struggle to collect and leverage the correct data — which causes a lack of visibility and context to both identify and solve problems.
What do you see as the major risks or pain points that tip the scales for organizations to invest in improving their incident response program?
If the organization does not take the opportunity to invest in incremental improvements, then sadly, the tipping point is most often an insufficient response to a major cybersecurity incident. It could be an extended outage or a data breach or some other contractual or compliance violation.
What are some best practices you would suggest to someone working to evolve their incident management program?
First, identify who is responsible for maintaining the process documentation — someone who will be dedicated to continually updating and optimizing the program.
Second, understand and document your workflows for the various types of incidents you manage, however your organization classifies them.
Third, assign roles through the creation of AD [active directory]/LDAP [Lightweight Directory Access Protocol] groups and maintain them in an organizational or HR lifecycle, so as people transition during the course of business, the program does not get forgotten and languish.
And of course, review and practice these plans regularly. Leverage table-top exercises and focus especially on realistic scenarios.