This article was first published on DevOps.
In a perfect world, every organization could block every attack, no employee would ever make a mistake, and there would be advance warning that an organization might be on some cybercriminal's list of targets. Since organizations operate in a world that is far from perfect, however, they are forced to accept that bad things will happen. History and headlines show they cannot erect enough barriers to stop criminals from trying to penetrate defenses, they cannot hire perfect employees, and they will have to assume that their organization's name has been bandied about as a potential target.
About all they can do is use each incident as a learning opportunity by conducting a thorough postmortem. However, if organizations want to maximize the benefits of a post-incident analysis, they should remember two things — agility and blamelessness.
To a developer, agility is a development methodology that provides significant benefits over the traditional waterfall method. More broadly, though, agility is a way of thinking, processing information, and executing plans. As such, agility belongs in the realm of cybersecurity as much as it belongs in the realm of development.
Currently, the advantages offered by agility tend to be reaped more by cybercriminals than by cybersecurity professionals. The bad guys get to go first, and because they are not bound by compliance requirements or regulations, have no concern for the rights of individuals, and do not have to answer to advocacy groups or government agencies, they hold the advantage. Cybercriminals embrace agility to launch attacks that can change from one day to the next.
Unless cybersecurity professionals are as agile as the crooks, they will be limited to reacting to incidents instead of proactively preventing them. One way to help level the playing field is to build in the ability to move quickly when an incident occurs — including a plan to conduct an effective, thorough, and efficient postmortem.
However, a postmortem implies that the incident is over and is now undergoing a final review. If organizations are truly agile, they will have conducted at least one retrospective prior to the postmortem. Agile retrospectives are conducted to assist the team in making immediate changes and are more about action than review.
The second key to an effective security incident postmortem is to ensure that it is blameless. The end goal is to get to the truth so that organizations can protect their operations in the future, and assigning blame makes it much harder to uncover that truth.
For example, if an employee clicks on a link that turns out to be a bad one, he or she might be afraid to admit the mistake if the possibility of private chastisement or public blame exists. Instead of being able to deal with the incident immediately, organizations may have to waste time searching for the reason that every employee's computer is infected with malware. Therefore, the postmortem must be blameless and cordial — with no finger-pointing allowed. Keep the focus on what happened rather than who is responsible.
Postmortem Best Practices
With the two "prime directives" for conducting a postmortem highlighted, it is time to move on and discuss a few other points that can help organizations gain the most from their post-incident evaluation. First, they will need to do their homework on the incident to learn precisely what happened and how it can be explained concisely, accurately, and appropriately. If the chain of events is not understood, an organization will not be able to enlighten team members or non-technical employees.
Next, the incident should be used as a learning experience. The goal should be to ensure that the problem will not occur in the future. Evaluate whether the issue is a simple employee mistake, a tool on which staff members were not trained, miscommunication, or a process that is broken. Keep everyone focused on preventing another occurrence, as well as ways to achieve continuous improvement.
After the facts are uncovered, an organization must take action. Ignore "should have" and "could have" statements. Focus energies on "will" and "must." Establish priorities and assign follow-up actions before ending the postmortem.
Make sure that employees and team members know that they are welcome to discuss potential issues whenever they arise. For example, employees may need guidance on whether an action is safe, team members may need to confess that they made a mistake, or supervisors may want to discuss ways to help workers learn how to identify suspicious emails.
Trust and communication are essential if organizations want to gain the greatest benefit from their postmortem. They need to stay open and approachable so they can reduce the number of incidents, improve incident response, and strengthen their company's defenses.