In today’s world of massive data breaches and constant cyberattacks, it’s important to stay vigilant and have a solid Incident Response Plan in place to identify and mitigate potential security incidents. Here are five important steps to have covered in your plan.
Detection / Discovery
It’s important to have systems and tools in place to help detect and discover potential incidents. These include monitoring logs and scanning for vulnerabilities. Automatic notification of identified anomalies goes a long way towards helping you close gaps and mitigate damage. It’s also important to have a system to track incident response: what was identified and what was done as a result to remediate it.
Acting quickly is key to minimizing potential damage. It’s important to identify and investigate potential security incidents promptly and to close the gaps that allowed them. By acting quickly, the impact to infrastructure, the amount of data compromised, and the recovery time can all be reduced. The incident should also be classified according to its impact and other specifics.
Analysis / Investigation
If warranted, an organization may want to perform a forensic investigation for a specific incident to gain a better understanding of the intrusion and the attacker. It’s important to extract information from compromised systems while preserving the original data in an unaltered state. The goal is to understand the level of malicious activity that has occurred, how it was done, and what damage has been done.
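As an added illustration of the points above (log monitoring, automatic notification, classification by impact, a tracking record of what was identified and what was done, and preserving a verifiable copy of the original data), here is example code that is not from the original post or from SOCVue; the log lines, the medium/high impact scale and the failed-login threshold are constructed assumptions:

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample auth-log lines (not from any real system).
SAMPLE_LOG = """\
Jan 10 09:00:01 host1 sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan 10 09:00:02 host1 sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jan 10 09:00:03 host1 sshd[103]: Failed password for admin from 203.0.113.5 port 4003 ssh2
Jan 10 09:00:04 host1 sshd[104]: Failed password for root from 203.0.113.5 port 4004 ssh2
Jan 10 09:00:09 host1 sshd[105]: Accepted password for root from 203.0.113.5 port 4005 ssh2
Jan 10 09:01:00 host1 sshd[106]: Failed password for bob from 198.51.100.7 port 5001 ssh2
"""
FAILED = re.compile(r"Failed password for \S+ from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for \S+ from (\S+) port")

@dataclass
class Incident:                # tracking record: what was found, how bad, what was done
    source: str
    impact: str                # assumed scale: medium / high
    identified: str
    evidence_sha256: str
    actions: list = field(default_factory=list)

def detect_bruteforce(log_text, threshold=4):
    """Flag any source with >= threshold failed logins. Impact is 'high' when a
    successful login from that source follows the failures, else 'medium'."""
    failures, successes = Counter(), set()
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(1)] += 1
        elif (m := ACCEPTED.search(line)) and failures[m.group(1)] >= threshold:
            successes.add(m.group(1))
    # Hash the unaltered source data so later analysis can be verified against it.
    digest = hashlib.sha256(log_text.encode()).hexdigest()
    incidents = []
    for src, n in failures.items():
        if n >= threshold:
            impact = "high" if src in successes else "medium"
            inc = Incident(src, impact, f"{n} failed logins from {src}", digest)
            inc.actions.append("on-call notified automatically")  # automatic notification
            incidents.append(inc)
    return incidents

if __name__ == "__main__":
    for inc in detect_bruteforce(SAMPLE_LOG):
        print(inc)
```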
Once an incident has been identified and investigated, the underlying problems that allowed the incident must be remediated and system operability restored. It’s important to fully eradicate any security vulnerabilities that led to the incident and to patch or reconfigure systems to prevent similar incidents in the future.
Post-Incident
After an incident, steps should be taken to learn from the incident to prevent falling victim to a similar event in the future. The organization should take steps to document the tactics, techniques, and procedures used by attackers and update the organization’s threat intelligence. Other steps may take the form of awareness training for employees or more frequent discussions with management about security needs.
Need help with your incident response? See how SOCVue can help your organization gain the visibility needed to provide timely incident response and meet compliance objectives.