A Cybersecurity Incident Management Crash Course

Cybersecurity attacks and threats aren’t going anywhere. In fact, it was reported by Security Boulevard that there have been over 445 million cyber-attacks detected as of May 2020. As our society increases its reliance on technology there is an equal increase in the ever-present threat of a compromise to both personal and professional digital security. This reliance on technology feeds the nefarious attackers that look to access our confidential information and signals the importance for proper data security and data management.

This is why establishing and cultivating your cybersecurity incident management program is so important for your organization.

What is Cybersecurity Incident Management?

DataInside provides a helpful definition for us to get an introduction to cybersecurity incident management. DataInsider defines cybersecurity incident management as the process of identifying, managing, recording, and analyzing security threats and incidents in real-time. Cybersecurity incident management seeks to give both a robust and overarching look at all security vulnerabilities within your organization’s IT infrastructure. These vulnerabilities range from an attempted attack to an active threat to a successful compromise or security breach. Security incidents can involve anything in the policy violation and data access sphere with attractive data for attackers, including health history, financial information, social security numbers, and personal identity records.

As cyber-attacks continue to grow in volume while becoming more and more complex and destructive, organizations have to be prepared to handle the incidents correctly. This is where effective incident management comes into play. In addition to rolling out an effective cyber defense program, it’s equally as important to establish a system for quickly identifying and addressing attacks in order to minimize the lasting damage of compromise. The honest truth is that is isn’t a matter of if you’ll be attacked, it’s a matter of when. When attacks happen, you need to be ready and need to manage incidents correctly. You do this with effective incident management.

The Cybersecurity Incident Management Process

Cybersecurity incident management utilizes a combination of hardware and software systems, as well as human-driven dissection and analysis. The process for cybersecurity incident management usually starts with an alert that an incident has occurred in some shape or form. This alert usually comes from a specific incident response team. After this, incident responders dissect and analyze the specific incident to determine its scope, assess the damage, and develop a plan to mitigate the incident.

The strategy for cybersecurity incident management is a multi-faceted one, but one that must be implemented to ensure the IT environment is safe and secure from the threat. To mitigate the complexity of the process, many security teams and organizations utilize the ISO/IEC Standard 27035. ISO/IEC Standard 27035 is a five-step process for effective and thorough incident management.

The ISO/IEC Standard 27035 for Incident Management

(The following was sourced directly from IISecT Ltd.’s SO 27001 security website)

“The standard lays out a process with 5 key stages:

1. Prepare to deal with incidents e.g. prepare an incident management policy, and establish a competent team to deal with incidents;
2. Identify and report information security incidents;
3. Assess incidents and make decisions about how they are to be addressed e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;
4. Respond to incidents i.e. contain them, investigate them and resolve them;
5. Learn the lessons – more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.

The standard provides template reporting forms for information security events, incidents and vulnerabilities.“

Best Practices for Cybersecurity Incident Management

When a cyber-attack takes place, multiple activities occur all at once. This conflux is hectic for security teams without a real structure or true operational standard in place. Teams without proper coordination and incident management procedures often operate inefficiently, which can spell doom for your organization’s crown jewels. Both preparing in advance and establishing a clear incident response plan allows your security team to work in harmony. With this being said, here are some best practices for your team’s cybersecurity incident management program:

• Identify the data that is most precious to you and make sure it’s actually protected! Additionally, establish that data as a high priority to your security team.
• Ensure your incident response plan aligns with other plans and policies so your team is cohesive and operationally sound.
• Test and update your incident response plan as your team learns more about its usefulness and effectiveness. Policies can become outdated quickly, especially in cybersecurity, so it’s important to stay agile with your procedures.
• Make your plan easy to implement. You don’t want your team struggling to understand or implement a plan while a malicious attack is taking place. Your plan should include specific procedures and ensure policies that are clear yet concise.
• Stick to the script. Your incident response plan, if thorough and accurate, is a great resource that should be used to defuse the situation. Manage your stress and fright by sticking to the game plan.
• Don’t just fix and forget. This tip is one of the most important, as an attack attempt signals the desire for that data to be obtained. Make sure to continue monitoring for suspicious activity and be on the lookout for new incidents.