With attacks on the rise, proper incident response is an essential element of effective cybersecurity.
Following a record year for cyberattacks, industry analysts say security breaches are now virtually inevitable — a matter of “when” not “if.” According to research from Risk Based Security, 2019 was the worst year on record for cybersecurity incidents, with a 33 percent increase in attacks that exposed more than 8 billion records.
Gartner analysts contend that no amount of defensive effort can thwart all cyberattacks. However, organizations can minimize the impact of these attacks with an effective incident response plan that outlines how they will respond to and manage an attack in order to minimize downtime, damage and costs.
An effective plan should establish clear procedures for addressing both pre- and post-incident activities. According to the SANS Institute, all plans should include six key steps:
- Preparation: This is perhaps the most crucial step because it establishes the foundation for the entire incident response process. Organizations should conduct a thorough risk assessment to identify potential vulnerabilities and attack vectors. They should also establish an incident response team to coordinate all planning and communications.
- Identification: This step establishes the tools and processes to be used for detecting breaches and launching a quick, focused response. Identifying a security incident will involve gathering information from various sources such as log files, error messages, firewalls and intrusion detection systems to determine if unusual activity is actually a security incident or just a normal deviation.
- Containment: The goal in this phase is to contain damage as quickly as possible to prevent further problems. It could involve segregating a network segment to isolate infected workstations or taking down infected servers and rerouting traffic to failover servers. This process is not intended to be a long-term solution, but just a short-term mitigation action.
- Eradication: This phase involves neutralizing the threat and restoring internal systems to as close to their previous state as possible. It could require a complete reimage of a system or a restore from a known good backup.
- Recovery: This is the process of bringing affected systems back into the production environment. The security team must validate that affected systems are no longer compromised to ensure there won’t be another incident.
- Lessons Learned: Finally, the team must complete all documentation about the incident to provide a knowledge base that can be used to thwart future incidents. Additionally, the incident response team and other stakeholders should meet to evaluate the effectiveness of the response and determine if policies and procedures require updates or improvements.
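The Identification step above turns on one question: is the activity seen in log files, firewall and intrusion detection output a security incident or just a normal deviation? The following script is an added illustration of that triage logic; it is not part of the article or the SANS guidance. It parses constructed SSH-style authentication log lines (all hostnames, addresses and usernames are sample data), correlates repeated failed logins followed by a success from the same source within a short window, and emits an incident record that the Containment phase could act on. The threshold, window and log format are assumptions chosen for the example.

```python
"""Added example for the Identification step: correlate auth log lines into incidents.
Not the article's own code; log format, threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:06 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09 host1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:02:00 host1 sshd: Failed password for alice from 192.0.2.10
2024-03-01T10:02:30 host1 sshd: Accepted password for alice from 192.0.2.10
2024-03-01T10:05:00 host2 sshd: Accepted publickey for deploy from 192.0.2.20
"""

# Assumed line layout: "<iso timestamp> <host> sshd: <Failed|Accepted> <method> for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped, not crashed on."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def identify_incidents(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Flag a (user, src) pair when >= fail_threshold failures precede a success inside the window.

    A single failure followed by a success (alice below) is treated as a normal deviation,
    which is the distinction the Identification step is meant to draw.
    """
    failures = defaultdict(list)  # (user, src) -> timestamps of failed attempts
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        # Success: only failures inside the look-back window count toward the threshold.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            incidents.append({
                "phase": "identification",
                "type": "possible credential compromise",
                "user": ev["user"],
                "src": ev["src"],
                "host": ev["host"],
                "failed_attempts": len(recent),
                "success_at": ev["ts"].isoformat(),
                # Handed to the Containment phase as proposals; nothing is executed here.
                "containment_candidates": [
                    f"isolate {ev['host']} from the segment",
                    f"disable account {ev['user']} pending review",
                ],
            })
        failures[key].clear()  # a success resets the counter for that pair
    return incidents


if __name__ == "__main__":
    for inc in identify_incidents(parse(SAMPLE_LOG)):
        print(inc)
```

Run as-is, the script flags only the `admin` login from 203.0.113.7 (four failures in eight seconds, then a success) and leaves the single-failure `alice` login and the key-based `deploy` login alone. In practice the thresholds would be tuned per environment and the record would be written to the incident tracking system the Preparation step established, so that the Containment and Lessons Learned phases work from the same evidence.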
Although the risks of cyberattacks are well understood, few organizations have a formal incident response plan in place. According to a recent Ponemon Institute study for IBM Security, 77 percent of respondents indicated they do not have a plan applied consistently across the organization. Of those that do have a plan in place, 54 percent reported that they do not test their plans regularly.
Industry experts suggest that the continuing emergence of automated incident response solutions will provide a way forward for organizations that aren’t prepared. These solutions incorporate artificial intelligence, machine learning, analytics and orchestration to augment or replace human intervention in attack prevention, detection and mitigation. Automation can be integrated into the process through such tools as identity management and authentication, incident response platforms and security information and event management (SIEM) tools.
Less than a quarter of those surveyed for the Ponemon / IBM study reported using any significant number of automation technologies. However, those who do report that automation has improved their ability to prevent, detect, respond to and contain a cyberattack.
Research shows that quick, efficient responses that lead to containment of a cyberattack within 30 days of detection can save companies more than $1 million on the total cost of a data breach on average. That alone makes creating a proper cybersecurity incident response plan a great investment.
“Failing to plan is a plan to fail when it comes to responding to a cybersecurity incident,” said Ted Julian, Vice President of Product Management and Co-Founder, IBM Resilient. “These plans need to be stress tested regularly and need full support from the board to invest in the necessary people, processes and technologies to sustain such a program. When proper planning is paired with investments in automation, we see companies able to save millions of dollars during a breach.”