Enterprises should be taking a number of steps to beef up their incident response plans. Here are just a few incident response best practices companies should adopt: Have a clear and precise way to define incidents; use a cybersecurity framework, such as NIST's Special Publication 800-61 Revision 2; and engage in regular war games and incident response plan reviews.
As enterprises undergo digital transformations and begin to deploy new technology paradigms -- such as cloud-first, mobile-first and DevOps -- cybersecurity incident response plans must also evolve. Here are five measures you should consider:
Invest in automation. It's not enough to have a living document your team reviews on a regular basis. Wherever possible, you need to deploy technology that automates key functions in your security response. One technique is to employ a security orchestration automation and response (SOAR) tool. This lets you kick off a playbook that automatically goes into operation in response to a possible or confirmed security incident. Think of SOAR as robotics process automation for cybersecurity, and you'll have the right idea.
Engage your cloud providers. If many or most of your resources are cloud-based, a breach isn't your problem alone. Your incident response best practices plan should include ongoing bidirectional communication with your cloud providers. In a very real sense, you need to become part of their incident response plans, and they need to become part of yours. This means sitting down with your providers and mapping out the anatomy of a breach, and clarifying expectations on both sides. The good news is that many cloud providers have substantially more resources to devote to breaches; the bad news is they may not be inclined to engage with you, at least not upfront.
Define roles and responsibilities of business units. As a result of increasing reliance on cloud and mobile-based resources, employees within business units are frequently the first to detect a possible security incident. A good practice is to assign someone within each group as a business unit cybersecurity liaison (BUCL). In the event of a breach, this person would become the resident responder who communicates with the cybersecurity team. BUCLs should undergo regular training and be included in war-gaming exercises, and they should have backups during times they're unavailable. In addition, BUCLs should have a thorough understanding of the incident response plan, know how it will play out and be prepared to share that information with other business unit employees.
Update your incident response best practices plan for the virtual age. Many incident response plans are based inherently on dated assumptions. NIST, for example, recommends engaging the "system owner" in the event a breach occurs. But what does that mean when the system in question is a SaaS app like Salesforce or a containerized application with a limited lifespan? Review your existing policies and uncover workflows and processes that no longer make sense, and revise accordingly.
Align your plans with digital ethics policies. Companies are increasingly spelling out digital ethics policies to address the potential privacy invasions posed by big data and next-generation analytics tools (including machine learning and AI). Employees and customers alike have such broad and far-reaching digital footprints that, in many cases, not even a company's senior management is aware of what insight it has on employees and customers. Only the analysts running the algorithms know, and often only after the fact. This can create a situation where cybersecurity professionals tracing a breach may intentionally or otherwise collide with digital ethics policies -- and they need clear guidance on which policy takes precedence. They need to know the following:
This article is part of
- What information can be shared, and with whom?
- What information must be shared -- for legal, compliance or law-enforcement reasons?
- What is the company's obligation to the employees or customers affected by this information dissemination? Should they be informed after the fact, prior to sharing or kept in the dark?
The bottom line on incident response best practices is that it's time to revise them. Look for ways to inject automation, engage cloud providers and offer a broader role to business units. And if you haven't already, start thinking about digital ethics.