Tuesday, May 15, 2018
Security incidents are inevitable. There are many ways to deal with such threats, but one of the simplest is to have a plan in place before things go wrong. This is why, to respond to and survive a security incident, an organization needs a solid incident response framework.
There are many different incident response frameworks available. Let’s explore one, which Brahn Olson, director of cybersecurity services at Avalon Cyber, shared in a recent webinar. It is one he believes organizations can use as a good gut check.
There are three parts to this framework:
- Preparation
- Detection and analysis
- Post-detection and analysis
Planning ahead helps prevent mistakes that could make an already dangerous breach worse. Consequently, the first step of Olson's framework is preparation, and it has several key parts:
Employee training: Ask yourself two things. One, have you defined roles and responsibilities for all employees? And, two, do they know what to do if a security incident occurs?
Workflow: Have you defined a concrete workflow for incident response procedures that are specific to your organization? "A lot of people try to take frameworks, pop them in and assume that they work, and generally they don’t have much success because it’s not tailored to their business and how you operate and what resources you have," Olson noted.
Practice Makes Perfect: You are only as good as your training. Security personnel need to practice constantly, through drills and tabletop exercises, so that the right response becomes habit.
Threat Modeling: Organizations need to check whether there is a rhyme or reason to the security controls they have implemented. According to Olson, "sometimes you see organizations that look for the silver bullet regarding a security device that's thrown into their organization that they think is going to be this cure-all. You need to make strategic choices to essentially implement controls and appliances and defense in depth specific to your organization."
Of course, to solve a problem, cybersecurity experts first need to know that the problem exists and what it consists of. That's why the second step of the framework is detection and analysis.
Tools and Technology: Organizations should make sure they have the right tools and technology, such as logging and monitoring, to determine the root cause of an incident rather than only its symptoms.
Who, What, Where, When, How: Have you streamlined the process of collecting incident information? How do your security staff ask questions of non-IT employees? Non-IT employees shouldn't be blamed, according to Olson. Without a supportive work culture, security incidents go unreported, and vulnerabilities remain unresolved.
Continuous Improvement: Incident response procedures should be updated as your business changes. Olson says that as a company grows, its incident response procedures should grow with it.
Once an incident has been detected and analyzed, the third and final step in the framework is post-detection and analysis.
Containment: With your current technology, do you have the tools to contain a bad actor or malware, for example by isolating affected hosts or revoking compromised credentials?
Eradication: How do you ensure that the root cause is fixed and incident artifacts are eradicated? "A lot of times, you'll see in an incident people only eradicate the artifacts, but they never fix the root cause, so it's this recurring issue," Olson observed.
Recovery: Do you have the capability to recover from a breach or ransomware outbreak? Backups only count if they are kept out of the attacker's reach and you have actually tested restoring from them.
Lessons Learned: Are you learning from the outcome of the incident and feeding those lessons back into your preparation?
Here's one question to ponder: if security breaches happen all the time and there are countless ideas about how to mitigate the damage, why does this framework matter? In 2017, the average cost of a data breach in the United States was $7.35 million, according to Ponemon Institute's 2017 Cost of Data Breach Study. The same study found that a company can reduce the cost of the average data breach by nearly 47 percent if it has an incident response team, uses encryption, properly trains its employees, has a business continuity program and monitors cyber threat intelligence.
Savings of that size should be motivation enough for companies to invest in a framework like the one Olson describes, so that the business keeps moving forward even when it runs into trouble.
Check out these Fuel blog posts for further reading:
- Cybersecurity Question of the Month: GDPR
- How I Created a Palo Alto and Azure Site-to-Site IPsec VPN
- Fuel Community Chat: pVLANs and Securing Outbound Internet Access