The Basics of Cybersecurity Security Incident Response

Security incidents, cyberattacks, and data breaches are a serious issue that’s becoming prevalent as more companies begin to digitize their operations. These incidents could be quite costly as well; in 2016, an article by Fortune stated that data breaches cost companies $4 Million on average and that the cost per record stolen in a data breach is at $154 on average. However, this cost could be reduced by $16 per record through security incident response.

Some business software developers and companies such as ServiceNow have security software and/or platforms that not only offer vulnerability or security incident response and analysis but can integrate with other operations managed by software under the same platform — allowing centralized and comprehensive management of the company’s security and operations.

Although it would be more convenient to have the same platform or security software, one still needs to know the basics of security incident response to determine if the software or platform is indeed effective, and find out what else could be done to improve the company’s security:

What Is Security Incident Response

Security Incident Response, or simply Incident Response (IR), is the organized approach during and after a cyberattack. The main objective of IR is to stop the attack, limit the damage and cost of recovery, and make necessary improvements and adjustments to avoid similar attacks in the future.

Ideally, a company should organize an Incident Response Team (IRT) composed on IT staff and other representatives from each division/department that would enact the “incident response plan” which is a pre-made list of instructions outlining the steps to take in case of a cyberattack.

Six-Step Process of Incident Response

SANS, the largest and most trusted information security training institute, proposed a six-phase plan for incidence response that have been used a standard in IR management:

1. Preparation

A business/company/organization should organize a dedicated Incident Response Team, and carefully plan out an incident response plan. The IRT should be made aware of potential threats and should be well-versed with the incident response plan. Preparation also entails employee training on data security and the consequences for incurring any security violations.

2. Identification

The company should define what qualifies as a security incident that warrants IRT to be mobilized. As such, any potential security issue or incident should be identified and acted upon based on the IR plan/guideline.

3. Containment

Once identified, the next step would be to stop and limit the damage. The IRT will be isolating and/or removing the affected systems to prevent it from spreading and causing further damage.

4. Eradication

After isolating the issue, the IRT will have to find the origin of the attack and purge it from the affected systems.

5. Recovery

Once the affected systems have been thoroughly “cleaned” and restored after the security incident, it will be returned to the production environment and ensure that operations resume as normal.

6. Lessons Learned

A complete incident report and analysis will be required to learn from the incident and make plans or take the necessary precautionary measures to prevent attacks of the same nature. The incident response plan should also be updated constantly to accommodate any possible future threats.

Having a Security Incident Response team and plan is just as important as a having earthquake or fire emergency plans. Even the biggest companies still suffer from cyberattacks, which is why having only preventive measures isn’t enough. A company should always be prepared and organized in the event of a successful security breach.