The market is saturated with security technologies designed to prevent bad stuff from happening, and we also have a lot of solutions to detect if something improper is happening or has happened. The next wave of security automation is coming, and that’s the area of incident response. Precisely what should you do if a security incident has happened?
How does your company conduct incident response (IR)? Do you have a well defined process, with specific tasks assigned to specific people, and procedures to address any type of security incident that might come your way? Or is your process somewhat less organized, where the first people available with any level of expertise in the incident are called upon to take care of it?
Don’t be ashamed to admit it if your company falls into that latter category. Many do. Putting together a thorough, living, breathing IR plan and the team to execute it can be time-consuming and resource intensive. How much companies invest in a process can depend on how much is at stake when a security incident occurs. For instance, one of the world’s largest financial institutions has 1,200 people on its IR team – that’s a lot, even for a bank – and they have developed their own automation tool to codify their responses. This bank is quite invested in IR, and well they should be to protect their customers’ financial assets.
You probably don’t have to go quite that overboard, and there are ways to simplify the process.
Co3 Systems, for example, offers a purpose-built software product (available as a cloud-based service or an on-premises solution) that automates the incident response process and, importantly, does so based on best practices. A key part of the product is a knowledge base that includes best practices from NIST, CERT and the SANS Institute, as well as all U.S. regulations relating to privacy breach disclosure. The software provides a platform for everyone within an organization to respond to and track all sorts of incidents and collaborate with each other as needed. It also ensures that people adhere to commonly accepted best practices, industry standards and the regulations that apply to the specific incident on their hands.
This solution has two components: a privacy module and a security module. Each module naturally appeals to different roles within an organization. The privacy module lends itself to the needs of privacy professionals, compliance officers, and legal teams who have to send out breach disclosure notices. The security module is favored by CISOs and information security professionals, especially those in the trenches having to remediate an issue. Depending on the type of incident, people from all of these areas may have a role in the response.
The Co3 application is similar to a trouble ticketing system. When an incident is reported (or imported, such as from a SIEM), a new entry in the system kicks off a range of activities. For example, people get assigned to work specific tasks, and the system provides the recommended best practices of what to do. As the tasks are worked, the people close out their activities. Everything is tracked along a timeline, and groups can create custom dashboards to suit their information needs.
Let’s say someone in your company receives and clicks on a phishing email. That action triggers a malware download, which subsequently allows an attacker to steal credit card data. Your SIEM puts all this together and sends an automated notice to Co3 to create a series of incidents. The system then recommends what to do to clean up the infected computers, initiate a forensic analysis of the data theft, notify the proper authorities and the individuals affected by the breach, and so on. There may be dozens of tasks assigned to a variety of people in the organization, and the incident may take weeks or months to be completely resolved. The tasks are drawn from industry best practices, and you can supplement them with your own activities as well.
Some Co3 customers have used this platform to test their ability to respond to various incidents and train their people on what to do. For example, if you want to gauge if your enterprise is ready to respond to a DDoS attack, you don’t have to wait for the real thing to happen. Instead you can simulate an attack to initiate the response and practice what needs to be done. Like a disaster recovery plan, you have to practice your IR plan to make sure you have all your bases covered before a problem strikes, not after.
Corporate legal teams – especially those in healthcare or retail – will appreciate the privacy module. It can vastly simplify responding to a data breach involving PII, PHI, or financial data. There are at least 46 separate state laws in the U.S. that govern how to respond to a data breach, and they have different thresholds for the number of breached records and different points of notification for the states’ attorneys general. Co3 automates the list of whom to notify, and how, which vastly reduces the need to research all of that information manually.
Because this is a cloud-based platform, third parties can be brought into the response team as needed. For example, your company might use outside counsel for the legal notices, or an external forensics analysis expert to investigate a breach. All members of the response team can work from the same platform, database and information.
The Co3 incident response platform brings together the people, processes and technology to respond quickly and in a “best practices” fashion when security incidents occur.
Linda Musthaler is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.