
Seven steps to building an effective incident response program

Often undervalued, a well-thought-out incident response program for security breaches gets its due in this tip by Forrester Research.

Forrester Research has referred to 2011 and 2012 as the "golden age of hacking" and now, just one-quarter through 2013, this golden age is undoubtedly continuing. In the first three months of the year, Apple, Bit9, Facebook, Microsoft, The New York Times, The Wall Street Journal, and Twitter made the security breach headlines.

Rick Holland

The threat landscape isn't getting any more manageable, and the attacker techniques are growing in sophistication. Despite this, incident response doesn’t get the attention that it should.

An incident response program should be one of the strategic initiatives within the enterprise. Yet even after an organization experiences a breach, it doesn't get the attention it deserves. According to our most recent Forrester security survey, investments in incident response programs in 2011 and 2012, after a breach occurred, increased only five percentage points to 23% from 18%. In a shocking trend, 21% of organizations noted no changes resulting from a security breach.

In compiling our Security Architecture & Operations Playbook, we determined there are seven principles of highly effective incident response programs. Adopt the following, and you’ll be better prepared to adapt to the threat landscape and recover from security incidents more effectively.

1. Be self-aware

It's critical that incident response teams are aware of both their capabilities and constraints. Success depends on an objective understanding of readiness. When seeking self-awareness, incident response teams must avoid overestimating their ability to respond to a threat and know where to get assistance.

2. Understand technology benefits and limitations


The expo floors at industry events such as the RSA Conference are filled with pervasive marketing messages around the next great piece of technology that will solve all your problems. Advanced threat protection doesn't equal a product, and there is no single solution. Despite this, technology investment outweighs incident response program investments. According to our Forrsights Security Survey, after a breach has occurred, 25% of organizations increase spending on breach prevention technologies, while 23% increase spending on the incident response program itself.

3. Establish realistic reporting and metrics

Many organizations use the wrong metrics to measure the performance of their incident response program. Reconnaissance scans don't equate to incidents, just as antivirus (AV) definition updates don't measure the success or failure of incident response capabilities. Effective incident response teams have meaningful operational metrics. Once you've established a common definition of an incident, you need to measure the time to detection, time to containment and time to remediation. How long was the adversary in your network before you detected it? How long did it take to contain the adversary, once detected? How long did it take to remediate the incident? These measurements are result-oriented output metrics. As organizations improve staff skills and deploy new security controls, these numbers should improve.
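As an added illustration (not part of the original article), the script below computes the three result-oriented metrics the author names from incident case records, applying a common incident definition first so that reconnaissance scans are not counted. The record fields, category names and sample timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Only events matching the agreed definition of an incident are measured;
# reconnaissance scans (and AV signature updates) are deliberately excluded.
COUNTED_CATEGORIES = {"intrusion", "malware", "data_exfiltration"}


@dataclass
class Incident:
    case_id: str
    category: str        # e.g. "intrusion", "recon_scan" (assumed taxonomy)
    first_activity: str  # earliest evidence of adversary activity, ISO 8601
    detected: str        # when the team first identified the incident
    contained: str       # when the adversary could no longer act
    remediated: str      # when affected systems were restored


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps; a negative span is a data error."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"{end} precedes {start}")
    return delta.total_seconds() / 3600


def response_metrics(incidents: list) -> dict:
    """Median time-to-detect, time-to-contain and time-to-remediate, in hours."""
    counted = [i for i in incidents if i.category in COUNTED_CATEGORIES]
    if not counted:
        return {"incidents": 0}
    return {
        "incidents": len(counted),
        "median_hours_to_detection": median(_hours(i.first_activity, i.detected) for i in counted),
        "median_hours_to_containment": median(_hours(i.detected, i.contained) for i in counted),
        "median_hours_to_remediation": median(_hours(i.contained, i.remediated) for i in counted),
    }


# Constructed sample case records (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("INC-1", "intrusion", "2013-01-02T08:00", "2013-01-12T08:00",
             "2013-01-12T20:00", "2013-01-15T08:00"),
    Incident("INC-2", "malware", "2013-02-01T09:00", "2013-02-01T11:00",
             "2013-02-01T12:00", "2013-02-02T12:00"),
    Incident("INC-3", "recon_scan", "2013-02-03T00:00", "2013-02-03T00:05",
             "2013-02-03T00:05", "2013-02-03T00:05"),  # scan: not an incident
    Incident("INC-4", "intrusion", "2013-03-01T00:00", "2013-03-21T00:00",
             "2013-03-22T00:00", "2013-03-25T00:00"),
]

if __name__ == "__main__":
    print(response_metrics(SAMPLE_INCIDENTS))
```

Tracking these medians quarter over quarter shows whether new staff skills and controls are actually shortening adversary dwell time.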

4. Make the program scalable

When dealing with global companies, incident response scalability becomes crucial. Many make the false assumption that the largest companies in the world have the most mature technology and capabilities. In reality, the size and complexity of global organizations make incident response particularly challenging. As the director of incident response from a consultancy said, "The bigger they are, the harder they fall." Process and oversight are critical for ensuring the scalability of incident response programs.

5. Collaborate internally and externally

Incident response teams don't work in isolation; they are part of a larger community. Given the overwhelming threat landscape and operational constraints that companies face, these teams must work within this larger community to have success. Successful teams build IT relationships, realize the importance of counsel and share threat information with trusted partners.

6. Engage executives

In the past, security professionals struggled to capture the attention of business leaders. Too much focus on tactical security metrics, nonalignment with business needs and a reputation as the "Department of No," have stifled business-leader interest. However, the high-profile cyberattacks of the past several years have raised executive awareness in 70% of the firms Forrester surveyed. Business leaders are reading about these cyberattacks on the front pages of The Wall Street Journal and Financial Times. Now is the time to take advantage of this and engage with executives who are ready to hear your message.

7. Operate with autonomy


Incident response teams whose job is to fight attackers must feel empowered to make critical decisions without having to spend time seeking approval for their actions. When data is being exfiltrated from your network, seconds count, and you must establish a framework that enables autonomy. To enable autonomy, incident response teams must establish clearly defined rules of engagement, avoid micromanagement and manage up the chain of command. Finally, you must ensure that senior management supports the decisions of the incident response analysts -- even if the response was wrong. Mistakes will happen, and when they do, security leadership must support the decisions of analysts on the front lines. Incident response practitioners must feel that management will support their decisions and that, when a mistake is made, the incident response team won't be made the scapegoat for the situation.

Your customers (and the public at large) don't expect your organization to be bulletproof; there is a growing sympathy for companies that fall victim to well-funded, highly skilled, organized cybercriminals. The scarlet letter associated with a breach is transitioning to a red badge of courage. A well-coordinated, well-executed incident response program that prioritizes transparent communication to customers and efforts to protect their identities and finances will enhance your organization's brand.

About the author:
Rick Holland is a senior analyst at Forrester Research, where he serves security and risk professionals.
