Compliance Counselor

Incident response success in five quick steps

Mike Rothman
03.05.2008

Those motivational posters with the pithy quotes at the bottom are great. You know, the ones espousing the value of "Perseverance" or "Teamwork." I have an idea for one of my own that would show a monk meditating in the courtyard of a burning city. It would read, "Grace Under Pressure."

It's amazing that monks can stay calm and "in the zone" at all times under any circumstance. But they don't get there overnight; it takes practice, years and years of dedicated practice. It also takes discipline, and that is what really separates the enlightened from the pretenders.

Of course, by now you're wondering, what does this have to do with security? The reality of being a security professional is that being compromised goes with the territory. Maybe not today, maybe not tomorrow, but at some point, a compromise will happen, be it the result of a flawed Web application or a malicious insider, and most practitioners will not be ready. Instead of relying on a pre-established, rock-solid incident response plan, the security manager will panic, bungle the response and eventually start looking for a new job, because it's almost impossible to recover one's reputation internally once a major incident occurs and isn't handled properly.

But it doesn't have to be this way. It is possible to be calm in the face of a towering inferno as long as the incident response plan is well-defined and ensures that organizational data remains safe, while containing any damage. There are a number of steps that any security manager can take today to ensure that their organizations are ready when that very bad day inevitably arrives.

Step 1: Write down the plan
A lot of practitioners have an incident response plan, but it resides in their heads. That is not good enough. Practicing the steps while on the treadmill? Not good enough either. The plan needs to be communicated more broadly than the family dinner table, and that means writing it down, sharing it with colleagues, revising it and then making sure all affected parties know about it.

The document should lay out exactly what will happen in the event of an incident. It needs to specify accountabilities, escalations, and if/when to bring law enforcement into the picture. If it's not written down, it might as well not exist: something could prevent you from being in a position to respond during an incident, and a good incident response plan is one that all parties are familiar with long before an incident occurs.

Step 2: Get buy-in
Once the plan is written down, it needs to be circulated amongst the organization's internal IT power brokers to make sure that everyone understands the document the same way and knows their responsibilities. Of course, that includes the CIO, since an incident may involve taking systems and/or networks out of service. Appropriate response tactics need to be discussed and accepted before the incident occurs; otherwise, be ready to suffer the consequences of mismanaged expectations.

Don't forget about other members of the senior team as well, especially human resources and the general counsel. In the event the incident results in a legal prosecution, both of those individuals will be able to determine exactly what data needs to be gathered and how the response and other personnel action need to play out.

Step 3: Understand escalation
I mentioned escalation above, but it's important to get a little more specific. The first thing to determine is the notification process. Who gets called and when? Under what circumstances is the CIO, CFO, CEO, etc. brought into the situation? When should they be awakened in the middle of the night, if ever? The time to find out that the CEO doesn't care isn't at 3 a.m. when she's chewing your ear off for disturbing her beauty sleep.

It's also important to make sure that the level of acceptable damage control is specified. If a key customer-facing application may be compromised, is an out-of-band investigation conducted, or is the application taken down? Who should be making that decision? Odds are it's not the security professional, but having someone accessible at all times to make those kinds of calls is absolutely critical.

Step 4: Practice, practice and then practice some more
When was the last time your enterprise conducted an incident simulation? Most organizations answer that question in years, if ever, and that's a problem. The fact is every organization has a dynamic workforce, set of trading partners, application base and lots of other things changing at all times. That means the incident response plan needs to be a truly living document. It needs to change when the business changes, and those changes need to be reinforced through practice.

I know that it may be a challenge to get the troops motivated about incident response simulations when it's far from the real thing, but it's important. Major mistakes can be made or time lost when an enterprise fails to realize there's a gaping hole in the plan until an incident occurs. Remember, optimally a lot of the responses under duress are conditioned responses, and they only get that way through practice and repetition.

Step 5: Learn from mistakes
Even the best, most field-tested security professionals mess things up, especially in the middle of an incident. That's why besides containing the damage in real time, doing a detailed post-mortem is the most important aspect of the process. Everyone makes mistakes, but hopefully not the same mistakes more than once.

Unless a concerted effort is made to understand the nature of the incident, what went wrong and what will be changed moving forward to ensure it doesn't happen again, history will repeat.

So, swallow a bit of pride, dig deep into the incident and make whatever process changes are required to ensure the same incident doesn't happen again. This type of post-mortem is also invaluable during an audit, so show the auditor how the organization recovered from an incident and learned from it.

Remember, the difference between someone who is perceived to be a hero in a tough situation and a goat looking for his or her next job is all about how the incident is handled. Follow these five steps and security professionals can live to fight another day.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

All Rights Reserved, Copyright 2003 - 2009, TechTarget