By John Moran
According to IBM's 2018 Cost of a Data Breach study, the impact of a data breach on an organization averages $3.86 million, though more serious "mega breaches" can cost hundreds of millions of dollars. The difference between a data breach and a “mega breach” often boils down to the effectiveness and speed of the incident response process.
The most successful incident response programs excel in five areas: visibility, incident management, workflows, threat intelligence, and collaboration/information-sharing.
Let’s consider what’s required to achieve excellence in each of these components from a systems-level perspective.
Visibility
Given the variety and number of security products deployed in the average enterprise, visibility into the output of these tools is the foundation of any incident response system. The system must be able to aggregate data feeds from commercial and open-source products, as well as from anything developed in-house.
When deploying an incident response management system, consider platforms that support the most common security products out of the box. Since few can support everything by default, the flexibility to add bidirectional integrations with security products that are not supported by default is an important consideration.
While bidirectional integrations are crucial in supporting full automation and orchestration, full bidirectional integrations are not always required for each technology. This is often the case with simple detection and alerting technologies, for which a unidirectional event forwarding integration will suffice. Make sure common methods of event forwarding and data transfer, such as syslog, database connections, APIs, email and online forms, are supported.
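The aggregation step above is where most of the practical work lies: each tool speaks its own format, and the response system has to map all of them onto one alert schema before anything can be correlated or orchestrated. The following is an added example (not code from the article or from any product it mentions) that normalizes two constructed sample records, a BSD-syslog line from a hypothetical IDS sensor and a JSON alert from a hypothetical EDR API, into a common `Alert` record and then shows the payoff, the same host surfacing in both feeds. The field names used in the samples (`src=`, `dst=`, `"score"`, `"endpoint"`) are assumptions chosen for illustration.

```python
"""Normalize alerts from two different tools into one schema.

Added example for this article, not code from the original or from any
product it mentions. SAMPLE_SYSLOG and SAMPLE_EDR are constructed inputs;
their field names are assumptions made for illustration.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Alert:
    """Common schema every source is mapped onto before a case is opened."""
    source: str
    observed_at: str          # ISO 8601, always UTC
    severity: int             # 1 (lowest) .. 10 (highest), whatever scale the tool used
    src_ip: Optional[str]
    dst_ip: Optional[str]
    host: Optional[str]
    summary: str


# Constructed sample inputs (not real alerts).
SAMPLE_SYSLOG = ("<132>Mar  3 14:22:01 ids01 suricata: ET MALWARE Possible C2 beacon "
                 "src=10.0.0.5 dst=203.0.113.9 proto=tcp")
SAMPLE_EDR = json.dumps({
    "event_id": "e-9001",
    "timestamp": "2019-03-03T14:22:05Z",
    "score": 85,
    "endpoint": {"hostname": "ws-042", "ip": "10.0.0.5"},
    "description": "Suspicious PowerShell download cradle",
})

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[\w-]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog_ids(line: str, year: int) -> Alert:
    """Map a BSD-syslog IDS line onto Alert.

    BSD syslog timestamps carry no year, so the collector supplies it.
    PRI encodes facility*8 + severity; syslog severity 0 (emergency) .. 7
    (debug) is inverted onto our 10 .. 3 range.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    msg = m["msg"]
    kv = dict(KV_RE.findall(msg))
    first_kv = KV_RE.search(msg)
    summary = msg[: first_kv.start()].strip() if first_kv else msg.strip()
    return Alert(
        source=m["app"],
        observed_at=ts.isoformat(),
        severity=10 - (int(m["pri"]) & 7),
        src_ip=kv.get("src"),
        dst_ip=kv.get("dst"),
        host=m["host"],
        summary=summary,
    )


def parse_edr_json(payload: str) -> Alert:
    """Map a JSON alert carrying a 0..100 risk score onto Alert."""
    d = json.loads(payload)
    ts = datetime.fromisoformat(d["timestamp"].replace("Z", "+00:00"))
    score = int(d["score"])
    return Alert(
        source="edr-api",
        observed_at=ts.astimezone(timezone.utc).isoformat(),
        severity=max(1, min(10, -(-score // 10))),    # ceil(score / 10), clamped to 1..10
        src_ip=d["endpoint"].get("ip"),
        dst_ip=None,
        host=d["endpoint"].get("hostname"),
        summary=d["description"],
    )


def hosts_seen_by_multiple_tools(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Source IPs reported by more than one tool, with the tool names.

    This is what aggregation buys: each tool saw one alert, but together
    they show the same host beaconing and running a download cradle.
    """
    by_ip: Dict[str, set] = {}
    for a in alerts:
        if a.src_ip:
            by_ip.setdefault(a.src_ip, set()).add(a.source)
    return {ip: sorted(tools) for ip, tools in by_ip.items() if len(tools) > 1}


if __name__ == "__main__":
    alerts = [parse_syslog_ids(SAMPLE_SYSLOG, 2019), parse_edr_json(SAMPLE_EDR)]
    for a in alerts:
        print(a)
    print(hosts_seen_by_multiple_tools(alerts))
```

Two details worth carrying into a real collector: timestamps are converted to UTC before anything else, because cross-tool correlation on mixed local times produces wrong orderings, and severity is mapped onto one scale at ingest so that later triage rules never have to know which tool an alert came from.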
Incident Management
A good incident response system should, at the very least, enable the orchestration and automation of the security products in use by the organization. It should include the ability to manage the entire incident response lifecycle, including basic case management such as tracking cases, recording actions taken during the incident, and reporting on critical metrics and Key Performance Indicators (KPIs).
A more advanced incident response system would provide the ability to perform:
- Phase and objective tracking
- Detailed task tracking, including assignment, time spent and status
- Asset management — tracking all physical and virtual assets involved in the incident
- Evidence and chain of custody management
- Indicator and sample tracking, correlation and sharing
- Document and report management
- Time and monetary effort tracking
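Of the capabilities listed above, evidence and chain-of-custody management is the one with the most to lose from a careless implementation: a custody record that can be silently edited is worth little in front of a court or a regulator. The following is an added example (not code from the article or from any product it mentions) of the usual approach: every evidence item is identified by its SHA-256 at collection, and every custody event is appended to a log in which each entry's hash covers the previous entry's hash, so that altering or deleting an earlier entry breaks verification. The evidence bytes, analyst names and timestamps are constructed.

```python
"""Evidence register with a hash-chained chain-of-custody log.

Added example for this article; not code from the original or from any
product it mentions. Sample evidence bytes, actors and timestamps in
demo() are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str            # supplied by the caller, ISO 8601 UTC
    actor: str
    action: str
    evidence_id: str
    evidence_sha256: str      # hash of the item at collection time
    prev_hash: str            # entry_hash of the previous entry (GENESIS for the first)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON of every field except entry_hash itself.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class EvidenceRegister:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.items: Dict[str, str] = {}      # evidence_id -> sha256 at collection
        self.log: List[CustodyEntry] = []

    def register(self, evidence_id: str, content: bytes, actor: str, timestamp: str) -> str:
        """Record collection of a new item and return its SHA-256."""
        digest = sha256_hex(content)
        self.items[evidence_id] = digest
        self._append(timestamp, actor, "collected", evidence_id)
        return digest

    def record(self, evidence_id: str, actor: str, action: str, timestamp: str) -> None:
        """Append a custody event (transfer, analysis, return, ...) for a known item."""
        if evidence_id not in self.items:
            raise KeyError(f"unknown evidence {evidence_id}")
        self._append(timestamp, actor, action, evidence_id)

    def _append(self, timestamp: str, actor: str, action: str, evidence_id: str) -> None:
        prev = self.log[-1].entry_hash if self.log else self.GENESIS
        entry = CustodyEntry(
            seq=len(self.log), timestamp=timestamp, actor=actor, action=action,
            evidence_id=evidence_id, evidence_sha256=self.items[evidence_id],
            prev_hash=prev,
        )
        entry.entry_hash = entry.compute_hash()
        self.log.append(entry)

    def verify_chain(self) -> bool:
        """True only if every entry is unmodified and links to its predecessor."""
        prev = self.GENESIS
        for i, e in enumerate(self.log):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def verify_evidence(self, evidence_id: str, content: bytes) -> bool:
        """True if the item still hashes to the value recorded at collection."""
        return self.items.get(evidence_id) == sha256_hex(content)


def demo() -> bool:
    """Build a small custody trail, then show that editing a middle entry is detected."""
    reg = EvidenceRegister()
    image = b"constructed stand-in for a disk image"
    reg.register("IMG-001", image, "analyst-a", "2019-03-03T15:00:00Z")
    reg.record("IMG-001", "analyst-a", "transferred to analyst-b", "2019-03-03T16:10:00Z")
    reg.record("IMG-001", "analyst-b", "mounted read-only for analysis", "2019-03-03T16:30:00Z")
    intact = reg.verify_chain() and reg.verify_evidence("IMG-001", image)
    reg.log[1].actor = "someone-else"          # tamper with a middle entry
    return intact and not reg.verify_chain()


if __name__ == "__main__":
    print("tampering detected:", demo())
```

The chain only proves internal consistency: someone with write access to the whole log can rewrite every entry and recompute every hash. To make it tamper-evident against that attacker, the latest `entry_hash` has to be anchored somewhere the attacker cannot reach, for example signed and written to a separate append-only store or printed in the signed incident report.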
Workflows
Automation and orchestration workflows are one of the key capabilities an incident response system should provide: they make processes more efficient and greatly reduce the repetitive tasks analysts would otherwise perform by hand.
There are two fundamental methods of codifying process workflows: linear playbooks, and flow-controlled workflows, also called runbooks.
As both methods have their own advantages and disadvantages, and each is suitable for different use cases, both should be supported by the incident response system. In both cases, workflows should be flexible enough to support almost any process, and should support the use of both built-in and custom integrations, as well as the creation of manual tasks that an analyst needs to complete.
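The two styles differ in one concrete way: a playbook is a list of steps that always run in order, while a runbook is a graph in which each step's result selects the next step. The following added example (not code from the article or from any vendor's workflow engine) implements both over the same indicator-triage case and includes a manual task that parks the workflow for an analyst. The actions stand in for a threat-intelligence lookup and a firewall block and only update an in-memory context; treating 203.0.113.0/24 (TEST-NET-3) as "known bad" and the indicators used are constructed.

```python
"""A linear playbook and a flow-controlled runbook for the same triage case.

Added example for this article; not code from the original or from any
vendor's workflow engine. The actions are stand-ins for integrations with
a threat-intelligence service and a perimeter firewall; the "known bad"
range 203.0.113.0/24 and the sample indicators are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

Context = Dict[str, object]
Action = Callable[[Context], Context]
Router = Callable[[Context], Optional[str]]      # returns the next node name, or None to stop

BLOCKLIST: List[str] = []


# --- stand-in integrations (constructed) -----------------------------------
def lookup_reputation(ctx: Context) -> Context:
    """Pretend TI lookup: anything in 203.0.113.0/24 is 'malicious'."""
    ctx["malicious"] = str(ctx["indicator"]).startswith("203.0.113.")
    return ctx


def block_indicator(ctx: Context) -> Context:
    BLOCKLIST.append(str(ctx["indicator"]))
    ctx["blocked"] = True
    return ctx


def close_as_benign(ctx: Context) -> Context:
    ctx["status"] = "closed-benign"
    return ctx


def open_manual_task(ctx: Context) -> Context:
    """A manual task: the workflow stops here until an analyst completes it."""
    ctx["manual_task"] = "confirm scope and notify the asset owner"
    ctx["status"] = "awaiting-analyst"
    return ctx


# --- linear playbook: every step runs, in order, no decisions --------------
# Suits a fixed enrich-then-hand-to-analyst process.
ENRICH_PLAYBOOK: List[Action] = [lookup_reputation, open_manual_task]


def run_playbook(steps: List[Action], ctx: Context) -> Context:
    for step in steps:
        ctx = step(ctx)
    return ctx


# --- flow-controlled runbook: each node's router picks the next node -------
# Suits automated decisions: block only what the lookup says is malicious.
Node = Tuple[Action, Router]

TRIAGE_RUNBOOK: Dict[str, Node] = {
    "lookup": (lookup_reputation, lambda c: "block" if c["malicious"] else "close"),
    "block":  (block_indicator,   lambda c: "manual"),
    "manual": (open_manual_task,  lambda c: None),
    "close":  (close_as_benign,   lambda c: None),
}


def run_runbook(nodes: Dict[str, Node], start: str, ctx: Context, max_steps: int = 50) -> Context:
    """Walk the graph from `start`; record the path taken for the case record."""
    current: Optional[str] = start
    path: List[str] = []
    while current is not None:
        if len(path) >= max_steps:            # guard against a routing loop
            raise RuntimeError("runbook exceeded max_steps without terminating")
        action, route = nodes[current]
        ctx = action(ctx)
        path.append(current)
        current = route(ctx)
    ctx["path"] = path
    return ctx


if __name__ == "__main__":
    print(run_playbook(ENRICH_PLAYBOOK, {"indicator": "198.51.100.7"}))
    print(run_runbook(TRIAGE_RUNBOOK, "lookup", {"indicator": "203.0.113.9"}))
    print(run_runbook(TRIAGE_RUNBOOK, "lookup", {"indicator": "198.51.100.7"}))
```

The recorded `path` is what makes the runbook auditable: the case shows not just that an indicator was blocked, but which decision led there. The `max_steps` guard matters once routers can point backwards (retry loops); without it a misconfigured runbook spins forever.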
Threat Intelligence
One of the most basic requirements for an incident response system is the ability to incorporate threat intelligence feeds. Correlating incident data against threat intelligence makes it easier to discover attack patterns, potential vulnerabilities and other ongoing risks to an organization without manual analysis. Automated correlation also helps identify whether an ongoing incident shares common factors with any previous incidents.
Visualizations of threat intelligence and correlated events are especially useful for threat hunting and for spotting attacks and patterns that other detection methods may have missed.
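In practice the correlation described above is three lookups: the incident's indicators against the feed, the same indicators against every closed case, and a pivot from the matched feed entries to related ones worth hunting for. The following added example (not code from the article) implements those three over constructed sample data: a small feed with confidence scores and tags, a few closed cases and a current indicator set using TEST-NET addresses, an example-style domain and a made-up hash. In a real deployment the feed would come from a TAXII server or CSV export and the past cases from the response system's own database.

```python
"""Correlate an incident's indicators with a TI feed and with past incidents.

Added example for this article; not code from the original. TI_FEED,
PAST_INCIDENTS and CURRENT_INDICATORS are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set

# Constructed TI feed: indicator -> context.
TI_FEED: Dict[str, dict] = {
    "203.0.113.9":         {"type": "ipv4",   "tags": ["c2", "campaign-x"],      "confidence": 90},
    "evil-update.example": {"type": "domain", "tags": ["c2"],                    "confidence": 70},
    "0123456789abcdef0123456789abcdef": {"type": "md5", "tags": ["dropper", "campaign-x"], "confidence": 40},
    "198.51.100.200":      {"type": "ipv4",   "tags": ["scanner"],               "confidence": 30},
}

# Constructed closed cases: incident id -> indicators recorded on that case.
PAST_INCIDENTS: Dict[str, Set[str]] = {
    "INC-1042": {"203.0.113.9", "evil-update.example"},
    "INC-1101": {"198.51.100.23"},
    "INC-1187": {"10.0.0.99"},
}

# Constructed indicators extracted from the incident being worked now.
CURRENT_INDICATORS: Set[str] = {"203.0.113.9", "198.51.100.23", "198.51.100.200", "10.0.0.5"}


def match_feed(indicators: Iterable[str], feed: Dict[str, dict], min_confidence: int = 50) -> Dict[str, dict]:
    """Indicators present in the feed at or above the confidence threshold."""
    return {i: feed[i] for i in indicators if i in feed and feed[i]["confidence"] >= min_confidence}


def build_index(past: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Inverted index indicator -> incident ids; build once, query per incident."""
    idx: Dict[str, Set[str]] = defaultdict(set)
    for inc_id, iocs in past.items():
        for ioc in iocs:
            idx[ioc].add(inc_id)
    return idx


def related_incidents(indicators: Iterable[str], index: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Past incidents sharing at least one indicator, with the shared indicators."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ioc in indicators:
        for inc_id in index.get(ioc, ()):
            hits[inc_id].add(ioc)
    return dict(hits)


def pivot_indicators(matches: Dict[str, dict], feed: Dict[str, dict]) -> Set[str]:
    """Unmatched feed entries sharing a tag with a matched one: hunt for these next."""
    tags = {t for ctx in matches.values() for t in ctx["tags"]}
    return {i for i, ctx in feed.items() if i not in matches and tags & set(ctx["tags"])}


def correlate(indicators: Set[str], feed: Dict[str, dict] = TI_FEED,
              past: Dict[str, Set[str]] = PAST_INCIDENTS) -> dict:
    """Run all three correlations for one incident and return the results together."""
    matches = match_feed(indicators, feed)
    return {
        "feed_matches": matches,
        "related_incidents": related_incidents(indicators, build_index(past)),
        "pivots": pivot_indicators(matches, feed),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(correlate(CURRENT_INDICATORS))
```

The confidence threshold is the control a practitioner will tune most: with it at 50 the low-confidence scanner address is ignored, while lowering it to 0 surfaces it and, with it, a good deal of noise. The pivot set is the threat-hunting input the paragraph refers to: indicators the incident has not yet shown but that the feed ties to the same campaign.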
Collaboration and Information-Sharing
Incident response is never a one-person show. Generally, it requires the participation of many people, and often of multiple teams. To be highly effective in such an environment, an incident response system should support seamless collaboration and information-sharing between all stakeholders and team members.
Authorized personnel should have instant access to the status of an incident, as well as to any information gathered, including the actions of team members. In addition, all members should be able to communicate securely, using an out-of-band communications mechanism.
Meanwhile, collaboration and information-sharing should also be practiced with external entities, notably law enforcement agencies. Sharing information, such as threat intelligence reports, is a critical tool in fighting cybercrime.
Establishing these five building blocks from a process, people and systems perspective will help ensure that an organization’s incident response program can detect, contain and mitigate a breach before it can reach “mega” status.
About John Moran
John Moran is a security operations and incident response expert, and senior product manager for DFLabs. He has served as a senior incident response analyst for NTT Security, computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the US Department of Homeland Security. John currently holds GCFA, CFCE, EnCE, CEH, CHFI, CCLO, CCPA, A+, Net+, and Security+ certifications.