How to institutionalise security incident response
When it comes to security incidents, the question is not whether or when one will happen, but what you do next. No security team keeps a perfectly clean sheet, and the planning you do now goes a long way towards determining how effectively you respond when something goes wrong.
Speaking ahead of a webinar to be hosted in South Africa, Cloudflare says it can be too easy for security leaders to get distracted by risk quantification, product purchases and solution implementation.
Meanwhile, too little effort goes into actual crisis preparation.
You can’t buy institutional strength. It requires hard work from leadership and the team.
Here are Cloudflare’s strategies for creating an incident response plan and integrating it into your organisation:
Prioritise high-risk areas
Common examples of these high-risk areas include:
- Code vulnerability
- Phishing attack
- Multi-factor authentication compromise
- Firewall breach
- DDoS attack
Although these categories are well known, consider also how an incident that starts with one of them might evolve over time. For example, you might get knocked offline, but what’s the plan if internal communication goes down too? Or if an employee account gets compromised and the attacker moves laterally into another area of the company?
Readiness for unexpected eventualities
Business continuity and crisis response are essential elements of any mature organisation. Still, few, if any, anticipated the magnitude of the COVID-19 impact. For example, the sheer speed and volume of the move to a remote workforce was totally unexpected. Nevertheless, many incident plans in place pre-COVID-19 have proven effective.
A solid incident response plan should include:
- Good case management tools
- Ability to capture decisions in real-time
- A designated, cross-functional group of people, including security, legal, communications, marketing, customer success, HR and PR at minimum
- Solid collaboration and communication tools
- Ability to collect data (logging, analysis tools)
- Third-parties standing by to augment staff (don’t wait until the crisis, as you’ll pay twice as much and get half the quality)
- A good cyber insurance policy
Also, take the time to build healthy relationships you may need to call on later, such as with law enforcement, peer companies and industry collaboration bodies.
When a crisis does arise, here are some must-haves:
- Dedicated conference rooms
- Dedicated communications platforms
- Leaders who guide teams to clear their schedules, refocus and reprioritise
- Real-time documentation of decisions
Finally, when the incident ends, it’s important to put together a written post-mortem to extract lessons learned. Instead of placing blame, focus on finding out what happened and why. It’s a good idea to wait about a week or so for this, so emotions cool down. Still, don’t wait so long that memory fades.
For incident response, communication is everything
Media fallout rarely focuses on security team configuration or what kind of tools were in place. Instead, incident communication is everything. Show empathy for the customer and build audience trust. For example:
- Get good at delivering bad news. Be crisp, technical, detailed and clear.
- Build internal trust relationships now to enable effective work during tense situations later.
- Speak to each audience according to their perspective (team, cross-functional groups, regulators/law enforcement, media, board of directors, broader employee base and customers).
Responding to a major outage - an incident response case study
In the summer of 2019, Cloudflare experienced a significant outage. It had to take down its service and quickly put it back up globally. Additionally, the incident was highly visible since customer Web sites became inaccessible. As incident planning was solidly in place, the team simply followed the game plan:
- Get the right people in a conference room right away.
- Mobilise the cross-functional group.
- Give everybody a specific job to do (note-taking, decision-making, technical analysis, customer communication, etc).
- Be available to customers immediately to explain and offer assistance.
About a week later, Cloudflare published a detailed post-mortem. This transparent, detailed communication generated a great deal of goodwill with customers and industry partners. It all came from having a clear incident response plan in place from the start.
Cloudflare, in partnership with ITWeb, will host a webinar on 3 November to outline how security leaders can develop the institutional strength that defines a truly solid incident response plan. For more information and to register for this event, go to https://itweb.co.za/webinar/cloudflare-institutionalising-incident-response/registration