Tuesday, May 29, 2018
It’s one thing to know you need an incident response strategy, and another to build such a plan. It can seem like a daunting task, but with a few key steps in place, you’ll be able to outline what your incident response framework will look like and how it will function.
The first step is to build the framework. As we mentioned in our last blog post, there are many different incident response frameworks available, but a few basic elements are common to all of them.
To begin, gather the employees who will play crucial roles and take stock of the tools your organization already has that would be useful in creating an initial incident response plan. This should include writing a document that states the goal of your incident response program.
Next, support that goal by creating policies and procedures that will direct your incident response program. Choose formalized policies that all employees must follow when an incident arises. Make sure these steps in the framework are clearly communicated to all stakeholders for added accountability and quicker response times.
After you have the framework laid out, get technical. “Have technical documentation of guidelines, cheat sheets and checklists of potential avenues where you could get data to aid you in the incident response process specific to your organization,” said Brahn Olson, director of cybersecurity services at Avalon Cyber, in a recent webinar. Having quick-response guides for the scenarios most likely to occur at your organization can be extremely helpful. This allows you and the other incident response stakeholders to act immediately when an incident occurs, rather than improvising on the fly.
One of the most critical steps is making sure all documentation is specific to your organization. “A lot of times you’ll see these cheat sheets and guidelines and checklists that exist [online]. They’re huge, it’s a monster checklist,” said Olson. “You need to sit and cut that down into what’s specific to your organization, so you’re not wasting time going through nothing. The biggest part about incident response is tailoring it to your organization and making it relevant to you.” Customizing documentation to be hyper-specific eliminates the common errors that come from cookie-cutter checklists. Remember to keep it simple, and the next step will be that much easier.
The last step is to evolve and improve your incident response plan over time. Olson suggested that organizations conduct mock scenarios in which employees use the plan. Although documentation is vital, a plan that goes untested can be just as harmful to your organization. A mock scenario also opens the plan to questions and analysis after the exercise.
Incident response plans require practice and training to be effective. Running these scenarios allows your organization to prepare for a real threat. Remember, your plan should evolve as threats evolve, and, as Olson said, all policies and documents should be "living, breathing documents" that improve over time.
Following these three steps may take time, but the payoff in the overall health of the company and its ability to respond to incidents is well worth it. Build a framework that works for you, customize the technical details to fit your specific needs, then practice using the framework itself.
For more on this topic, stream the Fuel webinar, “Cybersecurity Round Table: I've Been Breached, What Now?”
Check out these Fuel blog posts for further reading:
- Incident Response Framework: A Three-Part Gut Check
- Cybersecurity Question of the Month: GDPR
- How I Created a Palo Alto and Azure Site-to-Site IPsec VPN