Security Incident Management: Preparing for the Worst

Expert Perspective — By on December 7, 2012 at 8:00 am

This article is part ten in a twelve-part series on information security fundamentals for small and medium-sized businesses.

Bad things happen, and the organizations that can successfully ride out those rough waters are the organizations that take time to plan for those bad things ahead of time.

Well-informed business owners understand that information security isn’t just about preventing a breach of confidential information. It’s also about ensuring that systems and applications are there when customers need them to be, and about ensuring that no one makes unauthorized changes to that same data. Information security pros tend to refer to this as the CIA triad: confidentiality, integrity, and availability.

Jerod Brennen

The first step a business owner should take when building out a security incident management program is…wait for it…document your security incident management policy! While this policy is going to be similar to the other policies you’ve created while following this series, a security incident management policy has two key elements.

First, it outlines who is responsible for what during (and after) an incident. Second, it clearly defines what exactly a security incident is.

If your organization handles health care data, for example, chances are that you’re already aware of the OCR’s breach notification requirements. So what happens when a front line employee starts using the word “breach” to describe an email that contained electronically protected healthcare information for a dozen patients?

By defining in policy what constitutes a breach, you can reduce the likelihood of heading down an unnecessarily expensive incident response path.

Once your policy is in place, it’s a good idea to also document relevant security incident management procedures. These are the step-by-step actions for responding to an active incident, as well as the necessary cleanup actions once an incident has been resolved. If you’ve already performed a risk assessment, you should have a pretty good idea what types of incidents are most likely to impact your organization. You can maximize your investment in incident response resources by relying on that risk assessment for guidance.

While your first instinct during an incident may be to unplug devices from the network, that’s not always the best case. Post-incident, you may need to fine tune your controls to prevent another such incident from occurring.

You may also want to submit a cyber-liability insurance claim in order to recoup some of those incident response costs. In either case, you can ensure you have the information you need if you proactively document procedures for gathering and preserving evidence.

With your policy and procedures in place, the next step is to train employees on how to identify and responds to security incidents. One of the most effective training techniques you can use is a tabletop exercise. Just ask Facebook.

They spent the entire month of October hacking their employees for this very reason. There’s no better way to assess the effectiveness of your incident response tools and training than by simulating an actual attack.

Although properly trained employees are the first line of defense against information security incidents, the log data generated by your systems and applications can also tell you a lot about incidents before they happen. Centralizing your log data in one system is step one.

Step two is to implement a Security Information Event Management system that has the ability to monitor that log data for patterns and trends and then correlate data across multiple systems. A properly tuned SIEM can let you know when an attacker is performing recon of your systems before that hacker begins the attack itself.

Another important aspect of security incident management is the tracking and reporting of all security incidents. Whether you do this via a ticketing system or a spreadsheet on the security manager’s laptop, it’s critical that you keep a record of every incident that hits your organization. You’ll find this record of incidents incredibly valuable when you need to analyze security incidents for trends to determine which controls you need to invest in and which controls aren’t worth the money you paid for them.

To recap, every business owner should do the following:

  • Document a Security Incident Management Policy
  • Document relevant security incident management procedures
  • Document procedures for gathering and preserving evidence
  • Train employees on how to identify and respond to security incidents
  • Implement a Security Information Event Management system
  • Track and record all security incidents
  • Analyze security incidents for trends

In the next article, we’ll tackle Business Continuity Management.

Jerod Brennen (14 Articles)

By day, Jerod Brennen is a principal security consultant with Jacadis, an award-winning security solutions and services provider. By night, hes a husband, father, writer, filmmaker, martial artist, and social media junkie. Jerod has more than a decade of information technology, infosec, and compliance experience. He spent years as an information security specialist with American Electric Power before moving to Abercrombie & Fitch to build out and manage its information security program. Jerods approach to infosec has two key tenets: don't be afraid to void warranties, and you shouldn't need to bypass security to get your work done. Follow him on Twitter at @slandail.