Incident response planning: Are you ready for the Big One?

By Brian Musthaler | June 25, 2012

Posted in: Network Security Trends

Do you remember the Sony PlayStation Network hacking last spring? An attacker gained access to personal information stored on both the PlayStation Network and the Qriocity online music and video service. The breach affected the accounts of 77 million people worldwide. When the breach was discovered, Sony took both services offline for more than a week to prevent any further attacks. Meanwhile, Sony waited almost a week to tell its customers what was going on.

Sen. Richard Blumenthal of Connecticut wrote a letter to Jack Tretton, president of Sony Computer Entertainment. "Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised," he wrote. "Nor has Sony specified how it intends to protect these consumers."

Clearly it appears that someone dropped the ball when it came to notifying customers that their personal and financial information had been compromised.

I share that little tale with you to introduce the topics of incident response planning and incident response teams (IRT) for organizations of every size. While businesses typically undertake great effort and expense to mitigate and manage their security risks, and to develop disaster recovery and business continuity plans, it’s not uncommon for them to be like the “deer caught in the headlights” when it comes to responding to a major security incident. Unfortunately, not just Sony but a lot of companies struggle with incident response, even though many good guidelines are readily available. (See the US-CERT article Defining Computer Security Incident Response Teams and the SANS Security Institute’s reading room of articles on incident handling. There’s also the ITIL 2011 Incident Response guide.)

On the surface, I and others believe that even when organizations are following their Incident Response Plan (IRP) processes, they are still struggling. Is this due to a lack of testing? Maybe, when you consider McAfee’s 2012 State of Security Survey, which showed that one-quarter of organizations never rehearse incident response scenarios, or do so only after an incident has occurred.

It’s desirable to have an IRP that anticipates every kind of event and documents every response step. But when you receive an urgent call at 3 a.m. on a Saturday morning, you suddenly have to remember what you must do for that specific situation. Now magnify this by every person who has to jump into action quickly. In reality this is very difficult, and many companies struggle not only with creating an IRP but also with executing one.

Most IRPs are highly manual in nature, and manual workflows lengthen response times. Many areas of an organization – ranging from the availability of resources to a timely approach to communicating a breach to regulators, partners, and customers – are negatively affected by highly manual IRPs.

To get away from manual plans and to leverage existing automated risk and control solutions, we’re starting to see a trend where progressive organizations are using incident lifecycle management (ILM) software solutions to bring a level of automation to their incident response process. ILM is a software solution set that helps enforce the incident response processes that organizations initially put on paper and helps automate the data collection, investigation, risk assessment, remediation, approval, review, and the reporting associated with incident response.

These activities are performed within a centralized system, which also allows organizations to better audit and assess the effectiveness of the policies and controls they have in place. It also helps guide the stakeholders on how to respond during an incident. For instance, the ILM system automatically routes and assigns incidents to the appropriate stakeholders based on their type, their severity, and the affected assets, and sends out alerts, with escalation functions, to specific members of the IRT.

An ILM system takes all the data input from source systems (such as governance, risk and compliance, risk management, and point security and control solutions) into account and calculates a risk indication automatically. Furthermore, based on that risk, specific actions can be triggered. For example, an incident may score low enough that it does not need to be disclosed and therefore only requires internal remediation, or it may have such a high risk score that it triggers actions including disclosure in an effort to mitigate brand damage.
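To make the routing, risk-scoring and triggered-action behaviour described above concrete, here is an added Python sketch of that logic. It is not code from the article or from any ILM product; the severity weights, asset sensitivity inventory, role mapping and thresholds are constructed assumptions standing in for what a real system would pull from its source systems and policy.

```python
from dataclasses import dataclass

# Constructed sample scales (assumptions, not from the article or any product).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_SENSITIVITY = {"test-server": 1, "hr-db": 3, "customer-pii-db": 4}

# Assumed routing table: incident type -> IRT roles the article lists as stakeholders.
ROUTING = {
    "malware": ["it_management", "security"],
    "data_breach": ["security", "legal", "corporate_comms", "compliance"],
    "physical": ["physical_security", "human_resources"],
}
DISCLOSURE_THRESHOLD = 9    # assumed policy value: above this, disclosure review is triggered
ESCALATION_THRESHOLD = 12   # assumed policy value: above this, escalate to executive sponsor


@dataclass
class Incident:
    incident_id: str
    kind: str           # key into ROUTING
    severity: str       # key into SEVERITY
    assets: list        # affected asset names (constructed inventory above)


def risk_score(inc: Incident) -> int:
    """Risk indication = severity weight x most sensitive affected asset (assumed formula).

    Unknown assets default to a middling sensitivity of 2 rather than 0, so an
    incomplete inventory cannot silently zero out the score."""
    sens = max((ASSET_SENSITIVITY.get(a, 2) for a in inc.assets), default=1)
    return SEVERITY[inc.severity] * sens


def route(inc: Incident) -> dict:
    """Return the assignment record: who is alerted and which actions are triggered."""
    score = risk_score(inc)
    assignees = list(ROUTING.get(inc.kind, ["security"]))   # unknown type still lands with security
    actions = ["internal_remediation"]                       # every incident gets remediated
    if score >= DISCLOSURE_THRESHOLD:
        actions.append("disclosure_review")                  # legal/comms decide what must be shared
        for role in ("legal", "corporate_comms"):
            if role not in assignees:
                assignees.append(role)
    if score >= ESCALATION_THRESHOLD:
        assignees.append("executive_sponsor")                # escalation path for the highest-risk cases
    return {"id": inc.incident_id, "score": score, "assignees": assignees, "actions": actions}
```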

Very large and dispersed organizations are increasingly adopting these software tools. While not every organization needs an ILM system, every organization does need to address the following common sense points when embarking on incident response planning:

  • Pull in subject matter experts (SMEs) from across the organization, but especially from the line of business units. These people should have in-depth knowledge of what organizational assets are at risk.

  • Organizations must plan for worst case scenarios beyond just IT incidents; for example, key executives are lost in a plane crash, as happened to Tesla Motors in 2010. Incident response planning is not just about cyber security and technology, but also the broader base business issues.

  • Consider which stakeholders must be part of the incident response team. The IRT will need to be composed of people from IT management; security (both network and physical); corporate security (if you have such a group); legal for determination of what documents and messages can or must be shared with the public; human resources; corporate communications and/or public relations (especially for larger organizations to help manage brand impact and public reputation); people from the business unit(s) to provide the perspective of how the business will be impacted by an incident; and the compliance management and internal auditors for various control and compliance oversight roles. And of course, you need an executive sponsor to have a successful IRT.

  • Remember that the final goal of the plan is to contain, investigate and recover from any type of incident.
