Most security breach responses are poorly coordinated despite advance planning, warns a security expert researching ways to improve security investigations and incident response procedures.
Stress and lack of a clear leader are among the biggest problems that plague security incident response, said security expert Lenny Zeltser, a consultant and member of the SANS Institute board of directors. Zeltser presented his research last week at the SOURCE Boston security conference.
"When people are under stress mistakes are made," Zeltser said. "Someone needs to assert authority and in most cases that should lie with the incident handler."
But asserting authority doesn't mean barking orders at people, Zeltser said. The handler should get to know the response team members and their roles at the company. Ask questions to get a better understanding of the system and data owners. Assign roles, and designate people to communicate with different groups in the company. Those people should give updates to employees hourly at the onset of an incident, even if there is nothing to update.
"Update them because it keeps them calm and gives them a sense that you're working diligently on the incident," Zeltser said.
High profile data security breaches have prompted company officials to ensure incident response procedures are in place and an effective plan is available to use as a guide during a crisis. But Zeltser explained that some firms haven't dusted off their incident response procedures in years and others are relying on common procedures that aren't specific enough to their line of business.
Even the best procedures fail to overcome the stresses involved in the initial throes of a breach. Get a handle on how data flows through the company systems to assess the scope of the security incident, Zeltser said. The technical stage of incident response is often where incidents get muddled. Don't assume people know what to do next. Also, consider the tools and data sources available before deciding whether to conduct live analysis or formal forensics.
Assign an incident response team member to consult with the legal team or the company's legal counsel, he said. Find out who has the authority to make decisions that could affect the company's overall business, such as pulling a critical system offline.
During the presentation, Zeltser also handed out a security incident questionnaire for responders and a cheat sheet for server administrators examining a suspected breached server to decide whether to initiate a formal incident response.
Six key security incident response steps:
- Preparation: Gather and learn the necessary tools and become familiar with your environment.
- Identification: Detect the incident, determine its scope and involve the appropriate parties.
- Containment: Minimize the incident's effect on neighboring IT resources.
- Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.
- Recovery: Restore the system to normal operations, possibly via reinstall or backup.
- Wrap-up: Document the incident's details, recall collected data and discuss lessons learned.
Incident response in an organization is usually coordinated by a person who is from IT or was technical at one time, Zeltser said. But in many cases, organizations treat incident response as a technical problem and fail to focus on communicating clearly or following sound processes.
"They focus their efforts on making sure the right tools are in place, the right hardware and software is procured; that the right steps are documented on how to clone a hard drive or examine memory contents," Zeltser said. "They don't pay enough attention to the human and process side of things."