There’s no denying it: incident response (IR) teams have a hard job, juggling competing priorities, managing multiple incidents simultaneously, and dealing with concerned customers. That job becomes even harder at this time of year, as cybercriminals ramp up their misdoings to capitalize on seasonal events like Black Friday, Thanksgiving, and religious holidays. Add employees taking increased annual leave to the mix, and teams can find themselves pushed to the limit, with incidents mismanaged or missed entirely.

Read on to learn our best practices for IR and how we can help position IR teams for success.

Preparation Is Key

Proactive planning can improve efficiency in IR. Creating an IR plan or reassessing a plan already in place helps IR teams identify strengths in their response, as well as opportunities for improvement when managing incidents.

We recommend that teams include the following in any good IR plan:

  • A breakdown of phases teams will work through when responding to an incident. The National Institute of Standards and Technology (NIST) provides an often-used four-phase approach.
  • The roles, responsibilities, and tasks required at each phase of the response.
  • The preferred communication methods for within the team and also for the wider business.
  • A requirement for conducting post-action reviews, and implementing lessons learned into future iterations of the IR plan.

It’s also wise to use automated response playbooks for events. Automation plays a critical role in IR: by building it into playbooks, organizations can strengthen defenses, shorten response times, and empower teams. A security operations platform lets security teams fine-tune their response to suspicious activity by automating playbooks across multiple technology stacks, which greatly reduces the attacker’s window of opportunity. Quick containment can often make the difference between a minor incident and an impactful breach.

Don’t just create plans and playbooks, though. Be sure to test them in real time during tabletop and red team exercises; it’s far better to find out that something doesn’t work during an exercise than during a live event. A breach and attack simulation (BAS) capability like GreyMatter Verify allows security teams to validate their security controls across on-premises, hybrid, and multi-cloud environments. It can provide users with fully automated, field-validated scenarios that mimic likely attack situations and the techniques used by malicious actors.

Know Your Risk

Visibility is critical for defense, as teams can only remediate issues they know exist. By making an asset inventory, organizations can know their attack surface: where critical data is hosted, how well it’s protected, and where downtime cannot be tolerated. By understanding their assets, organizations can be better protected and prepared for worst-case scenarios.

Once you know your assets, prioritize them; assessing the risks posed to the organization can help with this. Understanding which risks exist, how likely they are to occur, and what impact they would have if exploited helps organizations implement mitigations and controls to reduce those risks.

How ReliaQuest Can Help

The Detect capability of the ReliaQuest GreyMatter security operations platform can help you bolster your risk assessments by consulting your detection coverage, which is based on the MITRE ATT&CK framework. This lets you identify whether your current detection coverage meets your risk appetite and where improvements can be made. MITRE ATT&CK catalogs attack techniques, enabling organizations to prioritize defense measures based on real-world scenarios and known adversary behaviors, and to strengthen their detection capabilities against a variety of cyber threats. The coverage view lets you compare the techniques you have detections deployed for against the total techniques detectable with the technologies you own.

Count the Numbers

Collating and analyzing key metrics is a useful way to define security risk and assess whether it falls within the acceptable level for a business. Metrics can provide a high-level view, while enabling teams to identify opportunities for improvement. Examples of metrics useful for IR include:

  • The percentage of assets visible to an IR team
  • The number and frequency of performance issues in systems and applications
  • The mean time to acknowledge
  • The mean time to respond
  • The time of day incidents occur

By analyzing the mean time to respond, IR teams can identify areas that require improvement to reduce the time it takes to resolve an incident. By collating and analyzing some of the other metrics above, teams may be able to prevent an incident from occurring in the first place.
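As an added example (not ReliaQuest code), the following computes three of the metrics listed above, mean time to acknowledge, mean time to respond, and the time of day incidents occur, from a handful of constructed incident records. Incidents that were never acknowledged or resolved are reported separately rather than counted as zero, since silently dropping them would flatter the averages.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed sample incident record (not real data): when the alert fired,
# when an analyst acknowledged it, and when it was resolved. None = not yet.
@dataclass
class Incident:
    ident: str
    detected: datetime
    acknowledged: Optional[datetime]
    resolved: Optional[datetime]

def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60

def ir_metrics(incidents):
    """Return MTTA/MTTR in minutes, counts of incidents still unacknowledged
    or open, and a per-hour histogram of when incidents were detected.
    Unacknowledged/unresolved incidents are excluded from the means and
    surfaced as separate counts so they are not hidden by the average."""
    tta = [_minutes(i.detected, i.acknowledged) for i in incidents if i.acknowledged]
    ttr = [_minutes(i.detected, i.resolved) for i in incidents if i.resolved]
    by_hour: dict = {}
    for i in incidents:
        by_hour[i.detected.hour] = by_hour.get(i.detected.hour, 0) + 1
    return {
        "mtta_min": round(mean(tta), 1) if tta else None,
        "mttr_min": round(mean(ttr), 1) if ttr else None,
        "unacknowledged": sum(1 for i in incidents if i.acknowledged is None),
        "open": sum(1 for i in incidents if i.resolved is None),
        "by_hour": by_hour,
    }

# Constructed sample: two overnight alerts on Black Friday, one still open,
# one never acknowledged (e.g. fired while the on-call analyst was on leave).
SAMPLE = [
    Incident("INC-1", datetime(2023, 11, 24, 2, 10), datetime(2023, 11, 24, 2, 40), datetime(2023, 11, 24, 5, 10)),
    Incident("INC-2", datetime(2023, 11, 24, 2, 55), datetime(2023, 11, 24, 3, 5), datetime(2023, 11, 24, 3, 55)),
    Incident("INC-3", datetime(2023, 11, 25, 14, 0), datetime(2023, 11, 25, 14, 5), None),
    Incident("INC-4", datetime(2023, 11, 26, 3, 20), None, None),
]

if __name__ == "__main__":
    print(ir_metrics(SAMPLE))
```

In a real deployment the records would come from the ticketing or SOAR platform, and the by-hour histogram is what reveals whether incidents cluster outside staffed hours.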

How ReliaQuest Can Help

A security operations platform like ReliaQuest GreyMatter helps improve reporting and gives security leaders real-time views of critical areas in security operations. Metrics within GreyMatter are benchmarked against previous quarters and industry peers, giving measurable insights into how your program is performing comparatively and maturing over time. It ensures effective communication of the value your security operations bring to the organization and helps you improve your security maturity over time.