The industry is moving from an IT-centric model to crisis-centric incident response.
Los Angeles, Calif. – May 21, 2019
The old “IT” way of responding to security incidents with the CIO standing over your shoulder asking, “Is it fixed yet?”, is long gone.
We’ve seen a drastic change in how enterprises today are speaking about incident response. The language comes out of military doctrine and emergency response. How many times have you heard terms like discovery, containment or incident command discussed when aligning on your organization’s incident response plan?
If you haven’t, you don’t have the right team in the room.
As executives, we have (for the most part) moved beyond the notion that we can prevent all attacks from occurring. No one is that bullish. Instead, I’m urging the executive customers I meet with to focus on responding quickly in order to minimize damage and risk.
The language of incident response has become a global one with the rise of privacy regulations. It is unacceptable for an enterprise today to NOT have 24/7 threat monitoring and an incident response plan. It just makes good sense. It’s worth it to me to have threat detection, and when an anomaly is triggered, to get in quickly, stop the exfiltration, determine what left the building (if anything) and align on how I can best adhere to regulatory requirements.
Today’s Incident Response programs involve executive-level engagement, boots on the ground and communications support (think internal, PR teams, legal, etc.) to ensure all aspects of an organization’s emergency are considered.
Here at Herjavec Group our NIST-based Incident Response program follows a three-tiered structure and supports emergency efforts as well as retainer engagements. We dedicate hours to tabletop exercises, focusing on how to prepare for an incident and how to mitigate impacts following an event in order to maintain business continuity. You can download our HG Incident Response Guide to learn more.
In terms of our standard IR practice, our team supports scoping, response, recovery and incident review. I am a huge advocate for post-incident review, and as a matter of fact this area of incident response doesn’t get the attention it deserves. We’re all too quick to move on to the next challenge because, in most incidents, you’re not going to get the attribution answer. Don’t worry about that. The WHO isn’t nearly as important as the HOW. How did they get in? Where did our defenses fail us? And what are we changing so this never happens again? Make sure your incident response partner will support you in answering these pivotal questions.
It’s clear to me that Incident Response has moved from an IT-centric model to a crisis-centric model. It’s truly a refreshing change. As I prepared for this month’s Cyber CEO edition, I was pleased to discover further academic work on the topic. Effective IR is about planning, and who plans better than academics and professors (military aside!)?
My team and I have reviewed IR materials from dozens of universities globally. While so much of it is incredibly informative for CISOs and security leaders, we’ve narrowed down a list of 10 resources for Cybercrime Magazine readers.
10 University IR Plans
These resources will help you to design and enhance your own IR plan. Or they may help you spot a missing point in even the most sophisticated large enterprise plan. I encourage you to review them:
- University of California (UC) Berkeley Incident Response Planning Guideline
- University of Florida (UF) Incident Response Policy
- The University of Texas at Austin Incident Response Plan
- Trinity University Incident Response Policy
- University of Michigan Information Security Incident Response Procedure
- Stony Brook University Cyber Incident Response Policy
- University of Waterloo Computer Security Incident Response Procedure
- Portland State University Computer Security Incident Response Standard
- The University of Winnipeg Incident Response Procedures
- University at Buffalo Information Security Incident Response Plan
When it comes to incident response, we have to go back to school and do the work. We can’t become complacent. Have a response partner, develop a plan, know where your assets are, keep your cyber hygiene up to date, have 24/7 monitoring support, and practice, practice, practice. We encourage students to practice for the big exam. Our military performs drill after drill to ensure they’re ready to step up when the time comes. When’s the last time your team was tested? Remember, you’re not operating in an IT-centric model. It’s a Crisis Model. Time to get into emergency mode!
To Your Success,
Originally posted on cybersecurityceo.com