As attacks become more complex, more damaging, and more frequent than ever, the quality of your response becomes critical to limiting the impact. In fact, a strong incident response (IR) function saves an average of $400,000 in damages per data breach, according to the Ponemon Institute, in research sponsored by IBM Resilient.
The new Cyber Resilient Organization study by the Ponemon Institute showed security teams are striving to build stronger and more proactive incident IR programs — but clearly, they have some serious challenges. Two-thirds of IT and security professionals aren't confident in their organization's cyber resilience. And three-quarters of them don't have a cybersecurity IR plan in place that's applied consistently across their organization.
The study also suggested key guidance for increasing cyber resilience: improved planning and preparation. Successfully resolving and mitigating a cyberattack requires fast, intelligent, and decisive action. You need to have a plan in place to know what to do before an attack happens, and, as importantly, practice executing it.
When it comes to the plan, here are three things to include and tips on how to prepare before an attack occurs.
1. Identify and Involve Internal Collaborators
IR is an organization-wide priority, with many business units playing a critical role in successfully resolving an attack. Legal, HR, and finance teams must be involved to ensure compliance with regulations, and understand liabilities in case of a breach or when you're facing an insider attack. In the worst cases, the marketing department and the organization's executives may need to step in to address the media.
During an incident, security leaders should coordinate with these parties as needed, providing specific guidance on the nature of the incident, what's being asked of them, and when they need to act. For example, in the case of a ransomware attack, who makes the decision whether to pay the ransom or determine the business value of the data being ransomed?
Before an incident occurs, involve these groups in the IR planning process. Get their input early — and let them know what will be expected of them. It's also smart to include them in simulations and exercises, to ensure they're primed to act when needed.
2. Enable Investigation into the Full Scope of the Attack
This might seem like an obvious step, but in today's world of advanced persistent threats and targeted campaigns, truly understanding the extent of an attack can be difficult.
The emergence of threat intelligence gives security teams a strong weapon in gaining context about incidents. By leveraging the indicators of compromise; tactics, techniques, and procedures; and other artifacts of an incident, analysts can discern if an attack is a singular incident or part of a larger campaign against you. Threat intelligence also helps you understand the identity of the adversary and their goal: Is the adversary a single attacker, part of an organized crime group, or a state actor? Is the target intellectual property, customer information, or employee information? By understanding these aspects of the attacks, you can more accurately determine the scope of your challenge and whom to involve.
3. Map Out the Regulatory Ramifications
The regulatory impact of a breach can be one of the costlier aspects of a successful attack. It's no surprise, but the Ponemon Cost of a Data Breach study showed that more heavily regulated industries, including healthcare and finance, incurred higher data breach costs.
The challenge boils down to two factors: complex and inconsistent regulations, and tight deadlines. For any incident, it's important to get your legal team involved early, and provide team members with the details they need to make fast and accurate decisions.
Being prepared for this is going to be even more critical in the future. The EU's impending data breach law — the General Data Protection Regulation — is among the widest-sweeping global privacy regulations we've seen. It doesn't come into effect until 2018, but smart organizations are preparing, planning, and assessing their ability to comply today.
Incident response is the most human-centric security function, more so than prevention and detection. Bringing people process and technology together as a cohesive whole when needed is critical.
By taking steps today to develop, practice, and refine IR processes, teams will be much better able to successfully manage and mitigate the damage when they inevitably occur.