Part 2 – Security Incident Response Management
Working with a range of clients over the years, we’ve gained insights into how organisations implement and integrate their security tools. It’s continually surprising how often companies invest heavily in implementing specialist tools to track and protect their business from cybersecurity breaches, yet despite these tools’ ability to report on issues and events, they still rely on an engineer manually checking the event log on a weekly (or sometimes less frequent) basis.
The Analogy of Unattended Alarms
To put this in perspective, consider the parallels with physical security: we install fire alarms linked to monitoring stations that automatically alert the fire brigade. We have intruder alarms that notify the police. Yet, when it comes to cybersecurity, our tools often remain unmonitored, allowing intruders to freely roam our digital environments.
The Importance of Response and Notification
In many cases, our projects have had to be extended to incorporate a robust “response and notification” element. This is more than just connecting a security tool to an incident management tool (although that’s a necessary step).
The real challenge lies in determining the appropriate escalation and response to each incident. What actions should be taken? Who should be notified? This is where organisations often struggle. The goal isn’t to inundate the security manager with notifications for every minor event, as this can lead to alert fatigue and potentially cause them to miss a critical incident.
Key Elements of Effective Incident Response
- Define the Escalation Process: Clearly outline who should be notified for different types of incidents, and at what level of urgency.
- Develop a Response Plan: Create a documented plan that details the steps to be taken for each type of incident, including containment, investigation, and recovery.
- Test Your Process: Simulate different scenarios to ensure your response plan is effective. Ask yourself: “What would happen if a serious breach occurred at 4 am? Who would be notified, and what actions would they take?” This is a crucial litmus test for your incident response process.
Expert Assistance for Incident Response Planning
Today, we include incident response planning as a standard component of our client engagements. In many cases, organisations already have the necessary tools in place but need help defining and implementing the right processes. Our goal is to empower you to make the most of your existing investments and ensure that your security tools are working effectively to protect your business.
