
Incident response frameworks for enterprise security teams

After a security breach, incident response practices become crucial to minimize and contain the damage. Learn about incident response frameworks with guest David Geer.

Incident response coordinates approaches to manage cyber incidents and fallout to limit the consequences. Incident response frameworks guide the direction and definition of response preparedness, planning and execution by outlining and detailing its elements, steps and stages.

Driving incident response plan frameworks up the ladder

Data breaches exposed more than three billion identity records in 2017, according to a 2018 identity breach report, "Identities in the Wild: The Tsunami of Breached Identities Continues" from 4iQ, a leading identity threat intelligence company. That figure constitutes a 64% increase in breached identity records when compared to data from the previous year, according to the 4iQ website. Breaches are continuing to mount, so exposure must be reined in.

When attackers hit their target, consumers run for cover, state and federal agencies investigate and file and win legal claims in the millions of dollars, and black hats compromise tens of millions of credit cards, leading to hundreds of millions of dollars in costs. Breaches can cost C-level executives their jobs. Settlements require companies to institute additional security measures and undergo greater scrutiny. After a breach, years of lousy press are almost guaranteed and damage control is critical.

These costs are driving organizations to adopt real-time incident response techniques that limit damage and reduce recovery time and costs. Generally, the better the incident response process is, the better the outcome will be.

However, there are many ways to fail at incident response, and each failure can add to the losses. KPMG published the report "10 common cyber incident response mistakes" for federal agencies. Reviewing such credible guidance alongside established incident response frameworks saves time and helps an organization build a framework appropriate to its own environment; it can be used to refine a plan, avoid response missteps and cap the casualties of the next breach.

How to start building an incident response plan

Start by assimilating incident response frameworks from recognized standards organizations such as NIST, the International Organization for Standardization (ISO) and ISACA. The NIST "Computer Security Incident Handling Guide" includes incident response frameworks in the form of an incident response lifecycle.

Recent updates to the NIST Cybersecurity Framework and its applications to incident response should be used as a reference. Stages in the NIST incident response lifecycle include:

  1. preparation;
  2. detection and analysis;
  3. containment, eradication and recovery; and
  4. post-incident activity.

Each stage details extensive requirements for tools, training, communications, processes and steps to accomplish these goals.

The ISO recently published its report "ISO/IEC 27035-1:2016 Information technology -- Security techniques -- Information security incident management -- Part 1: Principles of incident management." This international standard for incident response handling is current and includes cyberattacks.

Briefly, the ISO standard details how individuals should "detect, report, and assess information security incidents; respond to information security incidents ... report information security vulnerabilities ... learn from information security incidents and vulnerabilities, institute preventive controls, and make improvements to the overall approach to information security incident management."

Likewise, ISACA offers its Incident Management and Response framework, which includes several resources and footnotes. The incident management lifecycle phases include:

  • planning and preparation;
  • detection, triage and investigation;
  • containment, analysis, tracking and recovery;
  • post-incident assessment; and
  • incident closure.

Frameworks for guiding risk management

There are several robust, cross-industry incident response frameworks from organizations such as the SANS Institute, CERT, the Institute of Electrical and Electronics Engineers, the Internet Engineering Task Force and the European Union Agency for Network and Information Security. These frameworks can provide guidance and updates. In order to serve your organization, you should familiarize yourself and your incident response plan team with these frameworks.

It is also important to contact the standards and member organizations in your industry about their frameworks, and to ask your vendors for guidance on the hardware, software, services and applications you use, as most vendors have their own frameworks for handling security incidents in their environments.

This was last published in August 2018
