By Gary Sidaway, Global Director of Security, Strategy, NTT Com Security
It’s the year of the breach. Adobe, Target and eBay fell victim to cyber-attacks and 2014 has already seen the Heartbleed bug impact the majority of organisations across the globe. With attacks getting more advanced and hackers getting smarter, businesses across all sectors are potential targets. It’s a case of when, not if, your company will be hit.
Appropriate incident response is therefore critical for minimising the impact of a breach, yet 77% of organisations do not have an incident response plan at all according to a recent NTT Group report. This raises the question: are you prepared to manage a security incident?
A change of plan
With incidents increasing in frequency, businesses are spending more time and money on remediation – often working in the eye of a corporate storm to resolve issues at the same time as trying to maintain business as usual. Complex threats such as APT (Advanced Persistent Threats) are difficult and time-consuming to unpick and may require specialist knowledge and resources to comprehensively resolve. The problem is that businesses are turning a blind eye to the importance of defining and testing an incidence response plan.
It’s time for businesses to treat information security breaches as part of their business continuity planning, which means confidently managing incidents in an efficient, low noise, repeatable manner. By having a well-defined plan, and recognising that security incidents will happen, organisations will be better prepared to handle incidents effectively and consistently. Any company that suffers a breach certainly would not want to repeat the experience and, by improving the maturity of its incident response plan, it will reduce the risk of future incidents as well as reduce the financial and reputational impact on the business.
What does an incident response plan look like?
An incident response plan is a formal process that defines what constitutes an incident and provides step-by-step guidance on how to handle a future attack. In order to limit damage and reduce recovery time and cost, it needs to be kept up-to-date and then socialised among all of the involved parties. Furthermore, tests should be carried out regularly so that people understand their roles and responsibilities. Good incident response starts with good risk insight and understanding of information assets. Not all incidents are of equal impact so every business must be able to classify an incident that occurs. This can be done by establishing a comprehensive and real-time view of network activity, which will enable an IT team to quickly recognise that its company is under attack – and then consequently implement a clear plan for appropriate remedial action.
Incident response must be designed with an organisation’s
goals and compliance requirements at the forefront. The right intelligence on the impact of any incident will drive a proportionate response and focus resources to minimise damage and disruption. This way, those affected will be able to resume business as quickly and smoothly as possible. Ultimately, the route to better preparation is to build a structured plan that clearly articulates the approach, benefits and measures for application risk reduction. With a clear understanding of the business and technology infrastructure, an IT team can perform network and host based forensic investigation into incident, provide incident management capability and deliver summary post incident report and recommendations.
The role of compliance
It is vital to understand where compliance fits into a company’s incident response process and put in place a clear procedure to meet the specific obligations for reporting incidents. This means knowing when and how to notify law enforcement or specific industry regulators and, for multinational companies, navigating through the regional variations, complex privacy laws and notification requirements.
Establishing policies to share with other parts of the business affected by a breach – whether PR, business continuity, risk or customer services teams – is therefore crucial. Although it is not always essential to share information about a breach with a company’s customers and partners, it will be necessary to define and communicate a policy internally. It all depends on the nature of the incident and how early the IT team can understand and communicate what it is and what remedial action is being taken.
As security breaches naturally result in some finger pointing, organisations should take advantage of internal collaboration to nurture the incident response process. There is real value in using high visibility exercises such as rapid response communication drills and tabletop exercises, which involves simulating potential incidents to improve awareness and define roles and responsibilities beyond the information security teams. As a result, organisations will often see a heightened sense of joint responsibility for effective resolution.
Don’t do it alone
Mature incident response does not necessarily mean spending more on technology. Most organisations already have in place the technology they need and this includes data loss prevention, perimeter defences, and log management.
What is often required is a trusted provider to help them implement an incident response plan by developing the process and people to effectively respond to an incident. This might involve working with customers to establish what skills they already have, what they would need if they were breached, and where they would go for help.
house skills of an organisation and enables that organisation to focus on building and developing its business, while the outsourcer provides the information on risks to enable the board to understand, prioritise and manage risks and make informed decisions.
If a business with no in-house capability suffers an incident, a trusted provider that is deployed would be instrumental in developing its incident response plan. The consultancy might involve:
• Establishing incident management capability – incident handlers and technical analysts determine the process structure to handle the incident on the client’s behalf.
• Analysing forensics and containing the incident – analysts investigate, identify, analyse and contain the cause of the incident.
• Providing incident resolution – rapid response team provides support and guidance to the client to resolve the incident.
• Wrapping up the incident – trusted provider closes the incident and wraps up affected on-site activities. • Delivering incident report and roadmap – support team supplied report, post incident, along with a tactical roadmap of recommendations to reduce future risk.
Moving from reactive to proactive
It’s evident that faster, more efficient incident response will minimise the impact and cost of an incident and protect a company’s data. By enforcing a dedicated response team, and maximising the value of existing technology investments, every business can plan and execute a mature incident response strategy well. After all, if it is your company that is targeted, you will want to see the fastest and most efficient return to business as usual.