When trouble comes calling

Editorial Type: Feature    Date: 07-2014    Views: 2510
A multi-discipline team of employees needs to know how it will respond when trouble actually comes knocking. Jaime Blasco of AlienVault Labs explains.

Organisations are being bombarded with potential threats every day. Most of these are small and irritating, not truly critical. The ultimate goal of an incident response programme is not only to effectively contain a single incident and limit its impact but to learn from it by analysing the techniques of the attack.

When organisations base their responses on an approach that detects and enumerates the steps taken by an attacker to compromise a system, the incident response team can use this information to inform and enhance future incident response actions. In this way, a behaviour that may have seemed benign before analysis can become a predictive factor of a larger attack.

Key concepts to creating a successful incident response programme should include the following:

Build an incident response team - The size and scale of the incident response team will depend on the organisation’s structure, expertise, size and budget. The team will need to possess strong technical skills and, just as importantly, good communication skills, because these people will be responsible for getting the word out across the company. They will also need to build a favourable reputation to establish confidence.

Act on what is manageable - The size and capability of the team, along with its expertise, will dictate which incidents are manageable. As a baseline this should include prioritising patches, modifying security controls including firewalls, and updating anti-virus and IDS signatures. There is even free technology available to help the smallest of businesses prioritise and obtain remediation advice for some of this.

Business processes define policy, not the other way around - There is no boilerplate security policy that works for an organisation all of the time beyond regulatory requirements. Organisations need to make sure that their incident response programmes fit in with the current and evolving business objectives, and this means involving business managers from the start. With everyone on the same page, the chances of a successful programme are increased. Together, identify the critical parts of the business, define the worst case scenarios and consider what makes the business vulnerable: this will help the team work out how it can keep the threats manageable and review this regularly to accommodate the changing threat landscape.

Security monitoring is essential - As the name implies, incident response involves responding to some indicators of an actual or potential incident. It is only possible to identify these indicators through active security monitoring. These contextual pieces of information can be drawn from a number of technical and administrative sources. The indicators then become actionable and help teams to build up threat intelligence on a certain style or mode of attack. This in turn helps them to discover the elusive needle in the haystack more easily and efficiently.

It needn't cost the earth - While the task at hand can seem daunting and costs can easily grow, it's comforting to know that there are resources freely available on the internet to help. You just have to know where to look - and of course the AlienVault Open Threat Exchange is a good place to start! It's free to join the community and arms users with real-time, actionable threat information and effective security measures.

Once these principles are considered, organisations may then also find it useful to build an incident response framework incorporating both the business and technical information into a single view. This way, analysts can spend much less time learning individual security control technologies and much more time analysing, finding patterns and making better decisions. The bottom line is that the preparation for building an incident response programme can go a long way towards its successful implementation. NC
