3:35 min read |
Implementing all the CIS controls won’t guarantee there will never be a successful attack on your systems. Sooner or later, someone could penetrate defenses and access confidential information or deposit malware. To be prepared, you need an incident response plan, the focus of CIS Control #19.
Have a plan in place
Figuring out how to manage incidents as they occur is bad practice in general and ultimately not in the best interests of your organization. Speed is of the essence, and to minimize service disruptions, a plan should be in place and people prepared to execute that plan.
Steps to take in response to an incident should be delineated. A list would include something similar to this:
- Identify the type of incident and its location.
- Contain the issue to minimize its magnitude.
- Analyze the event and identify the best remedy.
- Take remedial action, such as eradicating the malware or securing a compromised account.
- Restore normal operation and service.
Each step will include detailed instructions on what to do in the various situations that may occur. The more thorough the plan, the more efficient the response.
Assign duties and roles
To carry out a plan effectively, an incident response team should be created, consisting of staff that are familiar with the plan. They understand what’s expected of them and who will be making decisions. Each team member’s role should coincide with their position within the organization.
The decision-making authority needs to be clear. This allows for prompt response to a discovered breach, as opposed to lengthy discussion about who should do what. Emergencies are generally unpredictable, so one or more levels of backup authority are needed. The less time it takes to find someone who can initiate and direct action, the easier it is to mitigate the issue.
The response team needs to have the skills and training to deal with situations under pressure. There are far more kinds of attacks than any person can be familiar with, so familiarity with mitigation tools and processes, as well as good problem-solving skills, are important.
Establish reporting procedures
A quick response requires getting information to the right people quickly. Both software and people play a role. The proper tools need to be in place that provide network visibility and appropriate notification of malicious or anomalous network activity. For example, intrusion detection and endpoint protection software should issue alerts when suspicious activity is detected. Logs from all network infrastructure devices and network security controls should be collected and analyzed by a SIEM or other log management utility. This provides a single pane of glass that should allow logs to be used in providing a clear, concise picture of what has occurred.
In addition, employees need to know how to submit a report if they see something unusual that could be an indication of a compromised machine. There should be report forms so that people will provide as much useful information as possible. They should have entries for the system affected, the symptoms, the date and time, and the actions taken before and after noticing the incident.
Contact information needs to be included in the incident response plan so that members of the response team can be contacted immediately once an incident is confirmed. The information needs to be up-to-date in order to avoid delays.
There can be very long periods between security incidents, and members of the incident response team can’t afford to forget how to perform their duties. They need to perform well under stress, even if they don’t do it often. Periodic exercises will help them to remember what they need to do and to avoid confusion and prevent simple mistakes when responding to an incident. They’ll also help to make sure all the necessary information is still valid. Something as simple as an outdated phone number can seriously slow remedial action.
“Be prepared,” is famously the Boy Scout motto. That state of readiness applies to intrusions and breaches, too. The response needs to be planned, organized, and smoothly handled. A well-secured site will encounter few such situations, but it takes only one to cause major data loss, financial damage, and loss of trust. Properly managing security incidents once discovered can help minimize their impact and ensure an organization’s continued survival.