30 May 2019
30 May 2019

Why you need an incident response plan and how to get started

Many organizations have taken a more proactive approach to IT security rather than waiting for something bad to happen. Recognizing the immense cost of a data breach (an average of $3.86 million according to the Ponemon Institute’s 2018 Cost of a Data Breach Study) and the time it takes to contain a breach (an average of 69 days), these organizations follow best practices and deploy security tools that reduce the risk related to malware, zero-day exploits and other threats.

But that’s not enough. Security investments are critical, but you still need to operate under the assumption that a data breach will happen. When it does, preparation and communications are just as important as any tools you may have for maintaining business continuity and restoring critical data, applications and systems. Without such planning, an organization could suffer irreparable damage.

Part of the problem is the time it takes – several months or more in many cases – to detect an attack. This extended period of dwell time enables hackers who have already compromised a network to identify and exploit more vulnerabilities, move across the network, and steal, delete and lock down data. As a result, the threat becomes more difficult to eliminate and the recovery process becomes more complicated and expensive.

This is why every organization, regardless of how sophisticated their IT security tools may be, needs an incident response plan. Incident response refers to the steps taken after a data breach to minimize damage and resume normal business operations as quickly as possible. No longer simply an IT security discipline, incident response has become a strategic business discipline.

There are six general steps to creating an incident response plan.

  1. Assign roles and responsibilities. Someone needs to own the process of creating a plan, communicating with all involved and delegating responsibilities. This is not just an IT function. An incident response plan typically requires input from senior executives, legal, human resources, compliance, IT consultants and public relations.
  2. Prioritize business functions and define acceptable risk. Incidents involving high-value business functions that are critical to operations should be the top priority when responding to an incident. What capabilities can you afford to be without, and for how long? If multiple systems are down, in what order should they be restored?
  3. Classify incidents. Incident classification is typically based on urgency and the level of risk – high, medium and low. For example, a low-risk incident could mean someone clicked on a potentially malicious link in an email. However, if this incident isn’t thoroughly investigated and documented, it could lead to a medium or high-risk incident.
  4. Determine detailed response procedures. Once roles have been assigned, business functions have been prioritized, and incidents have been classified, you can lay out steps that need to be taken and by whom. What is the reporting protocol? Who investigates and analyzes each type of incident? What actions are taken based on the seriousness of the incident? What is the incident response timeline? How are activities recorded for future review? More detailed procedures translate to less confusion and better decision-making.
  5. Create a process for restoring systems and removing threats. High-priority systems should be backed up, but your staff need to understand how to access those backups. Meanwhile, threats need to be quickly isolated to enable remediation before they spread. This will allow you to return to normal business operations.
  6. Establish an assessment process. One of the most important parts of an incident response plan is understanding what happened and taking steps to prevent a repeat incident. What caused the incident? Has that issue been addressed? Has the fix been tested? Was the incident response plan effective in terms of both technology and communication? Every security incident is a learning experience – a potentially painful one, but a learning experience nonetheless.

That’s not the end of it. Slow threat detection is often caused by the high number of alerts generated by security systems that identify threats based on abnormal behavior. Organizations typically err on the side of caution, choosing to deal with a high number of alerts rather than risk missing a threat. But security teams can easily become bogged down chasing false positives, which delays the analysis of alerts involving truly malicious threats.

At the same time, trivial-true positives, which involve alerts that are technically correct but not dangerous, can also drain security resources. In fact, it takes far longer to determine context and triage a trivial-true positive than a false positive. Both create inefficiencies and add cost to security operations and incident response.

This is where a security platform like Windows Defender Advanced Threat Protection (ATP) comes into play, with features that aid in incident response by improving the speed and accuracy of threat detection, investigation and remediation.

Windows Defender ATP endpoint detection and response capabilities make it possible to detect attacks in near real time, aggregate and prioritize alerts, and streamline the investigation of threats. Data is organized and visually represented in an Incidents queue and Alerts queue on a dashboard so that security teams can quickly determine which incidents and alerts require a response.

The automated investigations feature uses advanced inspection algorithms and analysis processes to assess alerts and immediately respond to breaches. This significantly reduces the number of alerts that require investigation by human security analysts. The platform also uses advanced hunting to enable security teams to track down potential threats, via a sophisticated search and query tool and custom detection rules.

While data breach prevention continues to be the top priority, organizations must assume that a breach will happen, plan accordingly, and introduce a solution like Windows Defender ATP to help minimize the impact of security incidents.

Steve Soper is a Microsoft Certified Professional and the Founder and Principal of AdaptivEdge, based in California, which provides software consulting services to enterprise and SMB customers. You can find out more about the Microsoft Gold Partner at adaptivedge.com.

Share this post.

Share on FacebookShare on Google+Share on LinkedInTweet about this on Twitter

Related posts

Also in Blog

The database in the context of digital transformation

Every company is a software company – Satya Nadella

IDC predict that in less than three years, 60% of global GDP will be digitized, and certainly, most businesses report that they plan to invest he...

Also in Audit & Compliance

Enter data privacy. Exit SQL Server 2008.

SQL Server 2008 and SQL Server 2008 R2 are out of extended support as of July 2019, but the end of bug fixes, security updates and ongoing support has far-reaching data privacy implications, as James ...