Last week, I spent two hours with the technology leadership team of an organization in a heavily regulated industry. We’ve gotten to know each other well in recent years as we worked together on a comprehensive technology refresh that included the modernization of the organization’s network, the redesign of its data centers and the adoption of its cloud strategy.
The next item on the agenda was security, so we spent time talking about the variety of tools the organization already had in place and how those technologies contribute to the current security posture. We’ll be conducting a complete security assessment with this organization in the coming months, and the leadership team is seeking advice on how to prioritize the many security activities that lie ahead.
My advice to them was the same advice I give the leadership teams of many organizations in their position: they have already purchased all the tools they need to improve their incident response capabilities. We will work together to assess the organization’s existing incident response capabilities and then figure out how to leverage the current tools to improve the speed and effectiveness of its response to security incidents.
Strategic Steps Toward a Stronger Defense
Here are six recommended strategies we’ll use to elevate their incident response program:
- Formalize and document the incident response plan. Policies and procedures are more than bureaucratic paperwork. They provide an agreed-upon foundation for the incident response plan that sets priorities and establishes authority. Security teams and business leaders need to work together to craft these plans before an incident takes place.
- Clear the backlog of vulnerabilities. In their 2017 Data Breach Investigations Report, Verizon analysts looked at vulnerability patching in the modern enterprise. They found that the typical organization fixes only 60 percent of vulnerabilities within the first month of detection and that those that aren’t quickly patched typically remain unpatched for a long time. Clearing the vulnerability backlog will go a long way toward preventing security incidents.
- Develop a rapid response capability. In a July 2017 study, the Ponemon Institute found that it takes organizations an average of 191 days to identify a data breach. That’s nowhere near fast enough to have any hope of containment. Security teams must focus on building the capability to rapidly identify the symptoms of an incident and respond appropriately.
- Automate as much as possible. Security incidents unfold at a rapid rate. The most effective way to respond quickly is to automate portions of your incident response playbook. Take the time to script out as many response actions as you can and leverage automation to outpace your adversary.
- Focus on better managing the tools you already have. Security information and event management technology is the focal point for incident response efforts. SIEM solutions correlate information and provide a platform for coordinating and automating response efforts. Tuning your SIEM can establish it as an effective linchpin in your security automation efforts.
- Incorporate threat intelligence into the security strategy. No organization needs to go it alone when it comes to cybersecurity. Threat intelligence products allow you to learn from the experience of other organizations. Go beyond simply reading threat intelligence reports and find ways to incorporate threat intelligence feeds into your security automation practices.
These six strategies are just a starting point for improving your own incident response program. As with any technology strategy, your incident response plan should be a living document that evolves to meet the changing needs of your organization and addresses the dynamic threat landscape.