How to Implement a Security Incident Management Framework

Facing a near-constant barrage of threats, IT security professionals say they now spend so much time responding to unexpected emergencies that they have little time to develop more strategic projects and initiatives. Given the increasing scale and sophistication of today’s threats, that type of incident-driven approach to security is no longer sustainable.

Instead of constantly reacting to attacks with off-the-cuff mitigation efforts, organizations need a formalized plan of action that will ensure a consistent and reliable response to emerging threats. Studies show that companies with detailed incident management processes in place save an average of more than $1 million on the total cost of a data breach due to their ability to respond to threats quickly and efficiently.

A security incident management plan is a set of policies and processes for detecting, managing, mitigating and analyzing security threats in real time. Having such a framework helps ensure your IT security team isn’t constantly improvising responses to new attacks.

Surprisingly few organizations have made such preparations. According to an IBM Security study, less than a quarter of enterprises have an incident response plan that is applied consistently across the organization. Less than half of those with a plan test it regularly.

You don’t have to start from scratch to develop an incident response plan. A number of standards groups and cybersecurity firms have developed frameworks that can be adapted to an organization’s particular preferences. The ISO/IEC 27035 international standard is generally regarded as one of the leading models. Published jointly by the International Organization for Standardization and the International Electrotechnical Commission, it outlines the following five-step process for incident management:

Prepare and Plan

• Work with IT staff and other stakeholders to develop a high-level document outlining general procedures for handling cybersecurity incidents.
• Establish a competent incident response team that will be responsible for responding to all cybersecurity incidents.
• Develop a detailed classification scheme for grading and prioritizing incidents.
• Implement a security awareness training program.

Detect and Report

• Monitor firewalls, intrusion prevention systems, antivirus and other indicators for signs of an attack.
• Analyze log data from various systems and devices.
• Document all activities in a dedicated incident tracking system with time, date, contact information and general observations.

Assess and Decide

• Evaluate all information collected in the previous phase to determine if the incident represents an actual security threat or a false alarm.
• Prioritize confirmed threats based on the classification scheme developed in the first phase.
• Assign incident response actions to appropriate persons, along with recommended procedures.

Responses

• Remove affected systems from the network, isolate impacted servers, and create backups and disk images to interrupt an attack and prevent additional damage.
• Use automated actions where possible to gather relevant metrics, distribute incident reports, disconnect infected systems, run vulnerability scans and more.
• Block communication with command-and-control servers.
• Remove malware from all affected systems.
• Remove accounts or backdoors left by attackers.
• Install security patches on affected systems.

Lessons Learned

• Conduct cyber forensics to understand how an incident happened and how it can be prevented in the future.
• Document the entire incident response process and conduct meetings with the incident response team to discuss decisions made during the process and how they might be improved.
• Identify any areas of concern and adjust awareness training efforts to address any shortcomings.

Security incident management plans can help companies quickly respond to threats in order to limit the damage but implementing these plans can still be a challenge for short-staffed IT teams. With incident management incorporated into our portfolio of security services, Technologent can ease the pain of developing a response plan. Contact us to learn more.