Incident response is an organised approach to addressing and managing the aftermath of a security breach or cyberattack. It is sometimes referred to as an IT incident, computer incident or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
It can be argued that the dramatic increase in cyberattacks in recent years, together with their variety, notoriety and severity of impact, warrants a revisit of incident response strategies and technologies.
According to a report by Red Canary, 49% of organisations surveyed are not equipped to meet cybersecurity challenges, while 54% are wasting valuable time investigating low-level alerts and slowing down the incident response process.
Framing the dialogue with FutureCISO around cyber security, Pei Yuen Wong, CTO of IBM Security, ASEANZK, defines Enterprise Incident Response (EIR) in three parts: first, the ability to detect an incident at all amidst the legitimate activity happening across the attack surface; second, having the right level of skills, effective processes and appropriate technologies to investigate, piece together what is actually happening and determine which systems are affected; and finally, being sufficiently capable of taking the necessary steps to eradicate the threat and contain any damage.
He added that depending on the severity of the incident, leaders of the enterprise should also be prepared to form a crisis management team that also includes legal, communications, regulatory affairs, and other relevant experts to deal with questions and issues that may arise from the media, regulators, and the public, because of the incident.
“All these are essential to an effective EIR capability that any enterprise in the digital age today needs to have to be resilient against rapidly evolving cyber threats and continue to function as a business in the event of any incident big or small,” he continued.
COVID-19’s impact on EIR
According to Wong, the acceleration of digital transformation since 2020 has had a profound impact on EIR. He noted that onboarding more technologies implies more vulnerabilities, inviting more attempts by threat actors to exploit them.
“Threat actors have also shifted the profiles of their targets, as they now find certain geographies and industries more lucrative and rewarding compared to before. Health and safety management measures due to the pandemic itself have also resulted in the need for Enterprise Incident Response processes to be updated,” he opined.
A need to update EIR
Wong believed that, against the backdrop of increased threat activity, detection accuracy needs to improve manyfold so that incident responders can give real incidents adequate attention instead of dealing with the false positives that, unfortunately, many enterprises still need to contend with.
“Response and recovery plans also need to be updated for consistency that considers the diverse nature and rapidly growing footprint of business-IT systems in the enterprise, and to ensure that IR scenario planning and recovery processes are sufficiently robust and comprehensive,” he suggested.
He also posited the need to leverage automation in incident response using cyber security technologies such as Security Orchestration, Automation and Response (SOAR) platforms.
Where security teams should focus
Wong acknowledged that there is no one organisational model that fits all organisations. What is important, he commented, is that when a crisis is declared (as in an attack), the people in the room must be empowered to take steps immediately.
“For enterprises to be resilient and do well in the event of a cyber incident or crisis, it is, therefore, crucial that a good governance framework is drawn up that clearly defines who is accountable for cyber security under what circumstances, what decision making mandates this person or committee has during a crisis, and so on,” he proposed.
Composition of a post-COVID CSIRP
Gartner noted that in 2021, 10% of breaches involved ransomware, a number expected to rise in 2022, which means that all security and risk management leaders must prepare. "The key tools are a documented response plan and a detailed playbook for the incident type to allow the leader to act fast," noted the analyst.
According to Wong, the essential elements of a cyber security incident response plan (CSIRP) remain by and large the same even post-COVID, namely (1) preparation; (2) detection & analysis; (3) containment, eradication & recovery; and (4) post-incident review.
Blind spots of EIR and CSIRP
Wong conceded that on paper, most enterprises have documented incident response plans, as compliance or audit policies would typically require organisations to have an IR plan in place.
In practice, many incident response personnel do not refer to the IR plans after they have been created and instead rely on the individual's experience and expertise to respond when an incident arises. This results in inconsistent responses even when two incidents are similar.
He suggested that enterprises encode the incident response plans into automated, repeatable playbooks using security automation platforms. He also cited recovery strategies as another weakness.
He suggested conducting real exercises to verify recovery systems and processes in the response and recovery plan where possible, not just tabletop exercises.
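The two weaknesses Wong names above, responders improvising from memory and recovery steps that are never rehearsed, are what a playbook encoded as data rather than as a document addresses. The following is an added example, not code from the article, from IBM or from any SOAR product: the IR plan is a mapping from incident category to an ordered list of steps, every run leaves an audit trail, a severity gate decides whether the crisis management team is convened, and a `dry_run` flag walks the same steps in rehearsal mode. The incident categories, step names and sample incidents are constructed for illustration; in a real platform each step would call an EDR, ticketing or backup API instead of only recording its intent.

```python
"""Encoding an incident response plan as a repeatable, automated playbook.

Added example, not from the article or from IBM. Incident categories,
step names and the sample incidents below are constructed; `dry_run`
stands in for a rehearsal (tabletop or live exercise) mode.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Incident:
    incident_id: str
    category: str              # constructed categories: "ransomware", "phishing"
    severity: str              # "low", "medium" or "high"
    affected_hosts: List[str]
    actions: List[str] = field(default_factory=list)   # audit trail of steps run


# A step receives the incident and whether this is a rehearsal, and returns a
# one-line record for the audit trail. Nothing here touches real systems.
Step = Callable[[Incident, bool], str]


def open_ticket(inc: Incident, dry_run: bool) -> str:
    return f"ticket opened for {inc.category} ({inc.severity})"


def preserve_evidence(inc: Incident, dry_run: bool) -> str:
    # Evidence capture is ordered before containment so volatile data survives.
    return f"memory and disk images requested for {len(inc.affected_hosts)} host(s)"


def isolate_hosts(inc: Incident, dry_run: bool) -> str:
    verb = "would isolate" if dry_run else "isolated"
    return f"{verb} {len(inc.affected_hosts)} host(s) at network level"


def notify_crisis_team(inc: Incident, dry_run: bool) -> str:
    # Severity gate: only high-severity incidents convene legal, comms and
    # regulatory affairs, so the decision is made by the plan, not ad hoc.
    if inc.severity != "high":
        return "crisis team not required at this severity"
    return "crisis management team (legal, comms, regulatory) notified"


def restore_from_backup(inc: Incident, dry_run: bool) -> str:
    verb = "would restore" if dry_run else "restored"
    return f"{verb} {len(inc.affected_hosts)} host(s) from last clean backup"


def reset_credentials(inc: Incident, dry_run: bool) -> str:
    verb = "would reset" if dry_run else "reset"
    return f"{verb} credentials for users on {len(inc.affected_hosts)} host(s)"


def post_incident_review(inc: Incident, dry_run: bool) -> str:
    return "post-incident review scheduled"


# The plan itself, encoded as data: an ordered list of steps per category that
# follows detection/analysis -> containment, eradication & recovery -> review.
PLAYBOOKS: Dict[str, List[Step]] = {
    "ransomware": [open_ticket, preserve_evidence, isolate_hosts,
                   notify_crisis_team, restore_from_backup, post_incident_review],
    "phishing": [open_ticket, preserve_evidence, reset_credentials,
                 post_incident_review],
}


def run_playbook(inc: Incident, dry_run: bool = False) -> List[str]:
    """Execute the playbook for the incident's category and return its audit trail.

    An unknown category fails explicitly rather than falling back to an
    improvised response: the plan has to be extended, not bypassed.
    """
    if inc.category not in PLAYBOOKS:
        raise KeyError(f"no playbook for category {inc.category!r}")
    for step in PLAYBOOKS[inc.category]:
        inc.actions.append(f"{step.__name__}: {step(inc, dry_run)}")
    return inc.actions


def step_sequence(inc: Incident) -> List[str]:
    """Names of the steps applied, for checking that similar incidents got the same handling."""
    return [entry.split(":", 1)[0] for entry in inc.actions]


if __name__ == "__main__":
    # Constructed incidents: two similar ransomware cases on different hosts.
    a = Incident("INC-0001", "ransomware", "high", ["srv-01", "srv-02"])
    b = Incident("INC-0002", "ransomware", "high", ["wks-17"])
    run_playbook(a)
    run_playbook(b)
    assert step_sequence(a) == step_sequence(b)   # same plan, same steps
    # Rehearsal of the recovery path without touching any system.
    for line in run_playbook(Incident("INC-0003", "ransomware", "medium", ["db-01"]), dry_run=True):
        print(line)
```

The point of `step_sequence` is the consistency check the article calls for: two incidents of the same category always produce the same ordered steps, whoever is on shift. Running the same playbook with `dry_run=True` is how the recovery steps get exercised ahead of a real incident, and the audit trail it produces is the record reviewed afterwards.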
Critical issues for CISOs
For leaders in the enterprise, there are many issues to consider in establishing and maintaining a robust Enterprise Incident Response plan.
“I would summarise these into a few key points: build the right team, practice is key, speed to decision-making is critical, and negotiate external resources in advance,” he concluded.
In the accompanying PodChat episode, Wong sets out his detailed strategies for futureproofing enterprise incident response; the discussion covers the following questions.
- What is Enterprise Incident Response (EIR)?
- How has it changed (or not) between 2020 and today?
- Given the increased cyber threats, should enterprise incident response strategies be updated to reflect this new reality?
- In light of this, should a new team be created to focus squarely on cyber risks, or would updating the overall EIR be sufficient?
- What should be the composition of a post-COVID CSIRP?
- In general, where are the blind spots of many EIRs or CSIRPs?
- What do you see will be critical issues that CISOs and leadership must tackle to ensure the organisation’s EIR/CSIRP are ready and able to stand up to the challenges ahead?