An effective incident response plan is only as good as the human engagement and driving force behind it. Unfortunately, this human component has its limitations.
There are only so many tasks an IT department can handle during daily monitoring, identification, and response to cyber security threats—throw in everyday IT infrastructure management, and vital forensic analysis of events and artifacts goes by the wayside.
This is where automation comes in—automation software can make or break the way your organization responds to an incident, and whether it can survive the event if the incident turns into a full-blown data breach.
Why Do Incident Response Plans Fail?
Following a cyber-attack on critical infrastructure, emotions run high and the clock starts ticking. Suddenly what appears to be a well-structured incident response (IR) plan on paper can turn into a confusing “storming session” around who owns what. This article by Susan Peterson at TechCrunch describes why incident response plans fail.
Read the complete article here: https://techcrunch.com/2016/05/13/why-incident-response-plans-fail/
The article cites the following four reasons why incident response plans fail:
1. They adhere to unproven, outdated response protocols that don’t accurately or realistically address how the organization actually handles security events in real-time.
Rather than taking steps to identify, analyze, and respond to a threat, organizations often become mired in counterproductive processes and procedures that were never effective to begin with, further hindering response time and endangering the potential for a full recovery.
2. Established testing procedures are not part of the incident response plan.
It isn’t enough to simply have a plan in place; you must be confident that it actually works in the real world. Making regular testing and updating part of an IR plan should be an actual step in the plan’s procedure, not an afterthought to be dealt with separately.
Putting an incident response plan through rigorous, realistic testing will demonstrate whether a plan is effective at mitigating the risks involved in a cyber-attack.
3. The plan falls short of accounting for all of the circumstances and ramifications that can result from an incident and from the lack of an effective incident response plan. Damages are not limited to networks, databases, assets, and business reputation; they can include credit ratings and legal ramifications as well as being subject to an audit:
- Standard and Poor’s has announced it may downgrade a business’ credit rating if the organization demonstrates poor cyber security practices
- Various state and federal laws require certain organizations to maintain compliance protocols and implement appropriate security safeguards
- Audits have begun to take place in the healthcare sector, and non-compliant organizations are met with civil and criminal penalties.
4. Forensic analysis of event history and artifacts never takes place and is not part of the incident response architecture.
Learning how and why your attacker was able to exploit vulnerabilities in your network is an important step in identifying future attacks and mitigating long-term consequences.
Automation Provides Streamlined Correlation of Forensics to Identify Threats in Advance
Automation software can help you correlate incident events and artifacts by using established patterns and powerful search capabilities. Automation also allows you to scale incident investigation, reporting, and response.
By correlating artifacts and events, incident metadata, and comments in ongoing forensic investigations and forensic history, automation software can proactively identify threats and any related incidents in progress or lurking in the background.
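The correlation described above, as an added example that is not Demisto's code or part of the original post: a small Python script that indexes the artifacts (IPs, hashes, domains) attached to a set of constructed incident records, finds which incidents share artifacts, clusters transitively linked incidents, and flags open investigations that overlap closed ones. All incident ids, addresses and hash values are constructed placeholders. It also shows the caveat a practitioner hits immediately: artifacts that are benign shared infrastructure (a public DNS resolver in the sample) must be allowlisted, or every incident that resolves a name gets linked to every other.

```python
from collections import defaultdict

# Constructed sample incidents (hypothetical data, not real indicators).
# Each incident carries the artifacts extracted from its events, tagged by type.
# Hash values are short constructed placeholders, not real digests.
INCIDENTS = [
    {"id": "INC-101", "status": "closed", "artifacts": {
        "ip:203.0.113.10", "sha256:a1a1a1", "domain:update-check.example.net", "ip:8.8.8.8"}},
    {"id": "INC-102", "status": "closed", "artifacts": {
        "ip:198.51.100.7", "sha256:b2b2b2", "ip:8.8.8.8"}},
    {"id": "INC-103", "status": "open", "artifacts": {
        "ip:203.0.113.10", "sha256:c3c3c3", "ip:8.8.8.8"}},
    {"id": "INC-104", "status": "open", "artifacts": {
        "domain:update-check.example.net", "sha256:c3c3c3"}},
    {"id": "INC-105", "status": "open", "artifacts": {
        "ip:192.0.2.44", "ip:8.8.8.8"}},
]

# Artifacts that are benign shared infrastructure (here a public DNS resolver).
# Correlating on them links unrelated incidents, so they are excluded from the index.
ALLOWLIST = {"ip:8.8.8.8"}


def build_artifact_index(incidents, allowlist=ALLOWLIST):
    """Map each non-allowlisted artifact to the ids of the incidents it appears in."""
    index = defaultdict(set)
    for inc in incidents:
        for artifact in inc["artifacts"]:
            if artifact not in allowlist:
                index[artifact].add(inc["id"])
    return dict(index)


def related_incidents(incident_id, incidents, allowlist=ALLOWLIST):
    """Return {other_id: [shared artifacts]} for incidents sharing an artifact with incident_id."""
    index = build_artifact_index(incidents, allowlist)
    by_id = {inc["id"]: inc for inc in incidents}
    shared = defaultdict(list)
    for artifact in by_id[incident_id]["artifacts"]:
        for other in index.get(artifact, ()):
            if other != incident_id:
                shared[other].append(artifact)
    return {other: sorted(arts) for other, arts in shared.items()}


def cluster_incidents(incidents, allowlist=ALLOWLIST):
    """Group incidents transitively linked by shared artifacts (union-find over the index)."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees shallow
            x = parent[x]
        return x

    for ids in build_artifact_index(incidents, allowlist).values():
        ids = sorted(ids)
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])

    clusters = defaultdict(list)
    for inc_id in parent:
        clusters[find(inc_id)].append(inc_id)
    return sorted(tuple(sorted(members)) for members in clusters.values())


def open_incidents_linked_to_history(incidents, allowlist=ALLOWLIST):
    """Flag open incidents that share artifacts with closed ones: a past case may explain
    an investigation in progress, or a closed case may not have been fully remediated."""
    closed = {inc["id"] for inc in incidents if inc["status"] == "closed"}
    flagged = {}
    for inc in incidents:
        if inc["status"] != "open":
            continue
        links = {other: arts for other, arts in
                 related_incidents(inc["id"], incidents, allowlist).items() if other in closed}
        if links:
            flagged[inc["id"]] = links
    return flagged


if __name__ == "__main__":
    for cluster in cluster_incidents(INCIDENTS):
        print("cluster:", ", ".join(cluster))
    for inc_id, links in open_incidents_linked_to_history(INCIDENTS).items():
        print(f"{inc_id} overlaps closed incidents: {links}")
```

With the allowlist in place the sample splits into three clusters, and the two open incidents that reuse an address or domain from a closed case are surfaced for the analyst. Passing an empty allowlist collapses all five incidents into one cluster purely because they share the resolver address, which is why artifact prevalence and allowlisting need to be part of any correlation rule set, not an afterthought.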
If your goal is to create a resilient response effort where your team can learn from past and ongoing incidents, we can help. Contact Demisto for a free trial of Demisto Enterprise to keep your business up-and-running during any potential breaches and data disasters.