Building A Better Incident Response Plan


Businesses often have outdated, rarely referenced, and inadequate incident response plans, according to security experts. pulled together tips from several firms that solution providers can use to help clients navigate through the process of establishing an effective IR plan. It begins with a standard risk assessment to gain an understanding of an organization's risk tolerance and current security posture.

Solution Providers Can Assist In Security Incident Preparation

Businesses often have service level agreements with managed security services providers to monitor system logs for threats and maintain detection systems that trigger alerts, but they often lack an incident response plan, said Rob Kraus, director of the engineering research team at Solutionary, an NTT Group subsidiary. When an organization seeks outside help to address an immediate threat, the result is expensive incident response costs, Kraus said. A security incident begins with detection, but it also needs capable hands to investigate the extent of the problem and an effective response to reduce the scope of the incident and get systems running normally again. An NTT Group study found that 43 percent of its engagements were related to the detection of suspicious activity that turned out to be malware. The firm was also called in to mitigate distributed denial-of-service attacks, Kraus said. The firm's annual study on security threats sheds light on how solution providers can help their clients develop an incident response plan and avoid costly mistakes.

Review Security Incident Handling Best Practices

The Computer Security Incident Handling Guide, a document created and maintained by the National Institute of Standards and Technology, contains detailed instructions on how to create and build out an effective incident response plan, or how to dust off and update one that is already in place. It provides step-by-step guidance on planning for all issues associated with a security incident, from detecting and investigating a potential breach to establishing media communications procedures and deciding when to contact law enforcement. The document recommends that firms without knowledgeable IT teams consider managed security service providers. While technical staff within a business may know the organization's environment better than outside help, MSSPs may be able to correlate events across customers and so identify new threats more quickly than any individual customer could, according to the NIST document.