Strategic Incident Response: The Art of Choreographed Reaction


Making Incident Response a Top Priority and Developing a Policy and Process Can Limit The Damage Caused by a Data Breach.

In today’s increasingly interconnected business environment, data breaches have become a fact of life. The recent massive breach at Target is just the latest example. But a breach no longer has to sound the death knell for a business. How an organization responds to a breach determines the financial and brand impact it will have. If it’s done wrong, there can be significant financial and reputational repercussions. If it’s done right, a business impacted by a breach can actually draw praise from customers, business partners, and regulators. So what steps are required to handle a breach and how do you implement them in a well-choreographed fashion so that your organization can respond to any incident?

Even large enterprises with million-dollar budgets are not immune to hackers and information theft. One good example was the widely publicized breach experienced by Adobe Systems, in which information on 38 million customers was illegally accessed and source code for several of its products was reportedly stolen. This was a potentially disastrous incident; however, Adobe’s response demonstrates that when it is done right, a company’s brand and financial position can remain solid. Adobe choreographed a swift response. It provided sufficient information about the scope of the breach and the measures it was taking to minimize the impact on customers. As a result, the company’s valuation did not suffer. In fact, Adobe’s stock price increased the day after the breach was announced.

Unfortunately, not all organizations have such a well-oiled incident response management program. A prime example of incident response done wrong is the breach that targeted the Department of Revenue of South Carolina. After being informed by the U.S. Secret Service of a data breach that involved 3.8 million Social Security numbers, 3.3 million bank account numbers, and information for nearly 700,000 businesses, the Department of Revenue of South Carolina allowed more than two weeks to lapse before it informed the public. Then Governor Haley fumbled. She initially told the public that the breach was sophisticated and couldn’t have been prevented. When it became obvious that the agency had not implemented even basic security measures, such as encrypting the personal (and regulated) data on its citizens, she was forced to back-pedal on her earlier statements, making her appear either deceitful or ignorant. The subsequent fallout included the firing of several high-ranking agency employees and cost the state millions of dollars in compensation for fraud alert services.

So what steps can be taken to implement and leverage incident response management as a valuable weapon for limiting material or reputational damages associated with data breaches?

Organizations should begin by establishing a policy that defines in detail what constitutes an incident and lays out a step-by-step process to be followed.

First, gather the right people to form the incident response team. US-CERT and the SANS Institute have assembled best practices for creating an incident response team. This group should include security and general IT staff as well as representatives from legal, human resources, and public relations departments.

According to the SANS Institute, there are six main steps to handling an incident effectively. The preparation phase includes policy development, logging review guidelines, disclosure practices, tabletop exercises, compliance integration, and ongoing training of users and IT staff. Steps two through five focus on how to respond to a security breach: identification, containment, eradication, and recovery. These steps entail incident classification, digital forensics, malware analysis, system restoration, and public disclosure. The final step is post-incident analysis, which is important for identifying lessons learned, documentation gaps, and necessary enhancements using a closed-loop process.

To implement and sustain a winning incident response management process, senior management must be on board. Incident response management doesn’t work well when it is an ad-hoc process that can be abandoned in the next round of budget cuts.

On paper, incident response management sounds straightforward and should be simple to implement. However, the rubber meets the road when an incident occurs and a response is required. Will members of the incident response team remember their duties and fellow stakeholders when they receive a call about an incident on a Saturday at 4:00 a.m.? In most organizations, the answer is no. Why is incident response management so difficult to achieve in the field?

Policies and stakeholder information are typically contained in multiple, dispersed documents, which makes them hard to access quickly when a security breach occurs. This can result in a delayed or inappropriate response. Furthermore, organizations that use manual incident response processes must rely on human interaction to share information and alert stakeholders, which can delay response times even further. This basic lack of alerting and escalation functions often leaves an organization vulnerable.

In the midst of a breach, it is extremely difficult to effectively prioritize the remediation response. In today’s dynamic risk ecosystem, even smaller organizations face hundreds of incidents on an ongoing basis. Organizations must determine the order in which incidents need to be remediated. This should be done based on the level of risk and business impact. Calculating risk and business impact is difficult, if not impossible, without input from and analysis across the organization’s infrastructure. Automated tools can assist with risk determination and prioritization. Once the organization has determined its incident remediation strategy, the next step is to track the progress of remediation – how long it will take, who is responsible, and who will take action to ensure remediation is accomplished within the timeframe established.

Ultimately, the biggest challenge associated with incident response management is documenting the entire process. In many instances, once an incident is identified by one group, the remediation actions are executed by a different group. Without interconnectivity into remediation systems and a centralized repository for capturing this data, it becomes almost impossible to establish an audit trail and determine how effective remediation actions were, whether they were brought up to compliance, or how they could be or must be improved or rectified.

The fact that organizations are relying on human interaction and dispersed systems can lead to major deficiencies and slow down an organization’s responsiveness. To overcome these shortcomings and streamline the overall process, some organizations are turning to incident response management software. A software-based approach helps organizations collect data from a variety of security and IT tools as well as other applications such as spreadsheets. It can aggregate the data and calculate the preliminary risk and business impact, enabling an organization to more effectively prioritize its response plan actions and timing. These systems also route and assign incidents based on type, severity, or affected assets; alert the assigned stakeholders; and provide for escalation if needed. Ultimately, all remediation efforts are tracked and all of the collected data is leveraged to measure control and policy effectiveness as part of the post-incident analysis.
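The prioritization, routing, escalation and audit-trail functions described in the two paragraphs above, as an added illustration that is not part of the column and not code from Agiliance or any other vendor. The asset impact ratings, team names, severity weights and SLA hours are constructed sample values; a real deployment would pull them from the asset inventory and the written policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data: business-impact rating per asset (1-5), owning team per
# incident type, likelihood weight per severity and the response SLA in hours.
ASSET_IMPACT = {"payroll-db": 5, "web-cdn": 3, "dev-wiki": 1}
ROUTING = {"malware": "soc-tier2", "data-exposure": "legal-privacy", "dos": "netops"}
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SLA_HOURS = {"critical": 4, "high": 24, "medium": 72, "low": 168}

@dataclass
class Incident:
    ident: str
    kind: str
    severity: str
    asset: str
    opened: datetime
    owner: str = ""
    audit: list = field(default_factory=list)  # timestamped audit trail

    def log(self, when, event):
        self.audit.append((when.isoformat(timespec="minutes"), event))

def risk_score(inc):
    """Preliminary risk = severity likelihood x business impact of the affected asset."""
    return LIKELIHOOD[inc.severity] * ASSET_IMPACT.get(inc.asset, 2)

def triage(incidents):
    """Route each incident to an owner by type and return the queue highest risk first."""
    for inc in incidents:
        inc.owner = ROUTING.get(inc.kind, "soc-tier1")
        inc.log(inc.opened, f"assigned to {inc.owner}, risk={risk_score(inc)}")
    return sorted(incidents, key=risk_score, reverse=True)

def escalate_overdue(incidents, now, escalation_owner="ciso-office"):
    """Reassign incidents whose severity SLA has lapsed; returns the ids escalated."""
    escalated = []
    for inc in incidents:
        deadline = inc.opened + timedelta(hours=SLA_HOURS[inc.severity])
        if now > deadline and inc.owner != escalation_owner:
            inc.log(now, f"SLA missed, escalated from {inc.owner} to {escalation_owner}")
            inc.owner = escalation_owner
            escalated.append(inc.ident)
    return escalated

def sample_queue():
    """Three constructed incidents, all reported on a Saturday at 4:00 a.m."""
    t0 = datetime(2014, 1, 18, 4, 0)
    return [Incident("INC-1", "dos", "high", "web-cdn", t0),
            Incident("INC-2", "data-exposure", "medium", "payroll-db", t0),
            Incident("INC-3", "malware", "critical", "dev-wiki", t0)]
```

Running `triage(sample_queue())` puts the medium-severity payroll exposure ahead of the high-severity CDN outage because business impact is weighted in, and `escalate_overdue(queue, later)` five hours later escalates only the critical malware case whose four-hour SLA has lapsed, recording both decisions in each incident's audit list.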

By making incident response a top priority and developing a well-documented policy and process that is understood by stakeholders, organizations can limit or even prevent the reputational and share price erosion caused by a breach, as was the case with Adobe. Using software to automate and centralize manual incident response management processes can help reduce human error and ensure a timely, well-executed response if a data breach occurs.


Torsten George is Vice President of Worldwide Marketing and Products at integrated risk management software vendor Agiliance. With over 20 years of global information security experience, Torsten frequently presents and provides commentary on compliance and security risk management strategies, data breaches, cyber security, and incident response best practices. Torsten has held executive roles with ActivIdentity (now part of HID Global), Digital Link, and Everdream Corporation (now part of Dell). He holds a Ph.D. in Economics and an M.B.A.
