
Key Points

  • Cybersecurity benefits from small, incremental changes that are regularly implemented.
  • Documentation is vital for the sake of transparency, compliance, and post-mortems.
  • Team members should have clearly defined roles and responsibilities.

Ably handling incident response is what separates great security teams from mediocre ones.

We live in a fast-paced world, and digital threats are arising every day.

If you stay stagnant, you risk the whole of your organization’s infrastructure.

The best security teams are making use of cycles of continuous improvement to prepare for the threats posed by the modern world.

You don’t have to lag behind, either. You can make use of some effective techniques to get back on the road to capable incident response. All you need to do is make use of frequent, incremental changes.

So, let’s look at some practical ways you can make the change today.

Preparation and Planning


It takes a fair amount of prep work and planning to make a nimble security team. However, this isn’t something that is handled by an occasional workshop. You need consistent, documented internal and external communication channels. When things hit the fan, there should be clear protocols for how you communicate within your department and how you inform your stakeholders: who gets notified, over which channel, within what timeframe, and who is authorized to speak externally. Time is of the essence, and having the prep work done makes it that much easier to triage and remediate issues.

Roles and Responsibilities

Every team member needs a clearly defined role, preferably one that is part of the formal hierarchy of your incident response team. Further, these roles should have concrete responsibilities. I know it’s tempting to have everyone wear multiple hats. However, when time matters, you need concise, actionable roles to speed up the response and get daily operations back on track.

The team leader shouldn’t be handling things like remediation, but rather commanding the whole of the team. Likewise, you don’t want the technical leads struggling to communicate with external departments to alert them of what is happening.

Runbooks

You’ll see this called by many different names. Whether you’re calling it Standard Operating Procedure or Runbooks, it’s immaterial. The basic idea is that you need detailed, step-by-step guides on how to address issues. Runbooks should contain outlined procedures for containment, remediation, and post-incident recovery. Don’t leave things up to chance. Get the right documents in place now, and your team will have a clear path toward success.

Tabletop Exercises

Full-scale simulations of breaches and incidents have a time and place. However, the more practical solution is to conduct tabletop exercises, walking through a hypothetical incident with your key stakeholders. Ideally, this should highlight any shortcomings with your game plan, hammer out communication protocols, and make sure that everyone is on the same page as you get ready to deal with real events.

Detection and Analysis

Threat modeling and detection tools are robust and sophisticated, but tooling on its own is not what makes a team responsive; knowing what to look for is. Take the time now to integrate threat intelligence into your daily stand-ups. Current threats relevant to your organization’s industry are key: they let your team stay up to date on new attack techniques and tune detections before those techniques show up in your own environment.

Triage and Prioritization

In the event of an incident, you need clear priorities on what to focus on. Triage should be driven by two factors: the potential impact of the affected asset on daily operations, and the urgency of the threat (is it spreading, is data leaving the network). Rank assets by how critical they are to the business ahead of time, so the decision is already made when the incident arrives. The printer on the ad floor is low priority compared to the likes of your customer data servers or transaction history.

Centralize Log Data

Logs should be consolidated and collated in a central location, with clocks synchronized and timestamps normalized so events from different systems can be placed on one timeline. From there, teams should be trained to analyze events, identify anomalies, and trace the path of an incident across systems. This means less scrambling for data in the moment and more time spent on the actual response when an incident occurs. Further, when conducting the post-mortem, it makes establishing the root cause of the breach far easier.
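The following is an added example, not code from the original article, of what "trace the path of an incident" looks like once logs from different systems share one schema. It normalizes constructed sshd-style and key=value firewall lines onto common fields, flags a successful login preceded by a burst of failures from the same source, and then follows connections and logins outward from the compromised host. The host names, addresses and log lines are all made up for the example, and the hypothetical INVENTORY mapping stands in for the asset list the page recommends keeping.

```python
"""Normalise log lines from several sources into one schema, flag a
brute-force-then-success login, and trace the path taken from the first
compromised host.  All hosts, addresses and log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical asset inventory (what the page's asset review would produce).
INVENTORY = {"web01": "10.0.0.5", "db01": "10.0.0.9"}
IP_TO_HOST = {ip: host for host, ip in INVENTORY.items()}

# Constructed sample lines: (source, raw line). Two formats: sshd-style and key=value firewall.
SAMPLE_LOGS = [
    ("sshd", "2024-03-14T02:10:01Z web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51012 ssh2"),
    ("sshd", "2024-03-14T02:10:03Z web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51014 ssh2"),
    ("sshd", "2024-03-14T02:10:05Z web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51016 ssh2"),
    ("sshd", "2024-03-14T02:10:09Z web01 sshd[2204]: Accepted password for admin from 203.0.113.7 port 51018 ssh2"),
    ("fw",   "ts=2024-03-14T02:14:30Z host=fw01 action=allow src=10.0.0.5 dst=10.0.0.9 dport=22"),
    ("sshd", "2024-03-14T02:14:31Z db01 sshd[910]: Accepted publickey for svc from 10.0.0.5 port 40022 ssh2"),
    ("sshd", "2024-03-14T02:20:00Z web01 sshd[2300]: Accepted publickey for deploy from 10.0.0.50 port 40100 ssh2"),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalise(source, line):
    """Map one raw line onto the common schema: ts, host, src, dst, user, event."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "src": m["src"],
                "dst": INVENTORY.get(m["host"]), "user": m["user"],
                "event": "auth_ok" if m["result"] == "Accepted" else "auth_fail"}
    if source == "fw":
        kv = dict(KV_RE.findall(line))
        return {"ts": parse_ts(kv["ts"]), "host": kv["host"], "src": kv["src"],
                "dst": kv["dst"], "user": None, "event": "conn_" + kv["action"]}
    return None


def load(logs):
    """Normalise every line, drop unparseable ones, and order by time (the central view)."""
    events = [e for e in (normalise(src, line) for src, line in logs) if e]
    return sorted(events, key=lambda e: e["ts"])


def brute_force_successes(events, threshold=3, window=timedelta(seconds=60)):
    """Successful login preceded by >= threshold failures from the same source within the window."""
    recent = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        q = recent[(e["host"], e["src"])]
        while q and e["ts"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if e["event"] == "auth_fail":
            q.append(e["ts"])
        elif e["event"] == "auth_ok" and len(q) >= threshold:
            alerts.append({"host": e["host"], "src": e["src"], "user": e["user"],
                           "first_failure": q[0], "success": e["ts"]})
            q.clear()
    return alerts


def trace_path(events, start_host, start_ts):
    """Follow allowed connections and logins outward from a compromised host after start_ts.
    Returns a list of (from_host, to_host, timestamp) hops, breadth-first."""
    hops, queue, seen = [], deque([(start_host, start_ts)]), {start_host}
    while queue:
        host, since = queue.popleft()
        src_ip = INVENTORY.get(host)
        for e in events:
            if e["ts"] < since or e["src"] != src_ip or e["event"] not in ("auth_ok", "conn_allow"):
                continue
            nxt = IP_TO_HOST.get(e["dst"]) if e["event"] == "conn_allow" else e["host"]
            if nxt and nxt not in seen:
                seen.add(nxt)
                hops.append((host, nxt, e["ts"]))
                queue.append((nxt, e["ts"]))
    return hops


if __name__ == "__main__":
    evs = load(SAMPLE_LOGS)
    for a in brute_force_successes(evs):
        print(f"ALERT {a['host']}: {a['user']} from {a['src']} after failures since {a['first_failure']}")
        for frm, to, ts in trace_path(evs, a["host"], a["success"]):
            print(f"  {ts} {frm} -> {to}")
```

On the constructed data this yields one alert (admin on web01 from 203.0.113.7) and one hop, web01 to db01 at 02:14:30, which the sshd event on db01 a second later corroborates. The two things that make the trace possible are exactly what the paragraph asks for: every source parsed into the same fields, and an inventory that maps addresses back to hosts.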

Review Vulnerabilities and Assets

Regular reviews of potential vulnerabilities along the attack surface, as well as a comprehensive inventory of critical assets, are key. Knowing what you have, its strengths, weaknesses, and importance to business operations is fundamental to developing effective incident response protocols. Further, it’s going to help you identify which items take top priority.

Response and Recovery


This goes without saying, but one simple change with an outsized payoff is to document absolutely everything that happens. When an incident occurs, clear protocols need to be in place for documentation: a detailed timeline, the actions taken, who took them, and when. Treat that record as evidence; it should be append-only and hard to alter after the fact. When it comes to post-incident review, this is an invaluable resource, and it may be vital if you run afoul of legal and compliance requirements.
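As an added example (not from the original article), here is a minimal incident journal in which every entry carries a hash of the previous one, so an entry changed or removed from the middle of the timeline after the fact no longer verifies. The incident id, actors and actions are constructed; the design is a plain SHA-256 hash chain, and the usage note below says what it does and does not catch.

```python
"""Append-only, hash-chained incident journal: who did what, when, with every
entry linked to the previous one so later edits or deletions in the middle of the
timeline are detectable.  Incident id, actors and entries are constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous hash" of the very first entry


class IncidentJournal:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON of everything except the hash itself, so recomputation is deterministic.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record(self, actor, action, detail="", ts=None):
        """Append one timeline entry and return its hash."""
        ts = ts or datetime.now(timezone.utc)
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "ts": ts.isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the latest entry. Publish it out-of-band (ticket, chat) so that
        chopping entries off the end is detectable too."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, first_bad_seq). Recomputes every hash and checks each prev link;
        if expected_head is given, also checks that the chain ends where it should."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

    def timeline(self):
        """Human-readable timeline for the post-mortem."""
        return [f"{e['ts']} {e['actor']}: {e['action']}" + (f" ({e['detail']})" if e["detail"] else "")
                for e in self.entries]


if __name__ == "__main__":
    j = IncidentJournal("INC-0001")
    j.record("alice (incident commander)", "declared incident", "severity 2")
    j.record("bob (technical lead)", "isolated web01", "quarantine ruleset applied")
    print("\n".join(j.timeline()))
    print("head:", j.head(), "verifies:", j.verify())
```

A chain like this catches edits and deletions inside the record, but on its own it cannot tell a truncated journal from a short one: whoever controls the file can drop the last entries and the chain still verifies. That is why `head()` exists; post the current head hash into the ticket or the incident channel as you go, and pass it back to `verify()` when the record is reviewed.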

Containment Strategies

Your team should regularly practice its containment strategies. Isolating affected systems, blocking known-bad IP addresses, and other routine tasks should be practiced and honed to a razor’s edge, including the checks that keep a hasty block from cutting off internal systems or the responders’ own access. This helps to prevent the spread of an incident, limits damage, and makes the post-incident recovery process much smoother as a result.
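The following is an added example, not the article's own material, of the kind of containment helper a team can rehearse: it validates a list of indicators, refuses anything that overlaps a protected range or is too broad to block unattended, and renders nft(8) ruleset text for a blocklist and for quarantining a single host while keeping responder SSH and log forwarding alive. It prints rulesets for review rather than applying them. The protected ranges, the jump-host and collector addresses, and the table and set names are assumptions for the example.

```python
"""Build containment rulesets from validated indicators, refusing anything that
would cut off internal ranges or the responders' own access.  Emits nft(8)
ruleset text suitable for `nft -f`; it does not apply anything itself.
All addresses are constructed for the example."""
import ipaddress

# Hypothetical "never block" ranges: RFC 1918 space, loopback, and the IR jump host.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "198.51.100.10/32")]
MAX_ADDRESSES = 256   # anything broader than a /24 needs a human decision, not automation


def validate_indicators(indicators, protected=PROTECTED):
    """Split raw IOCs into (accepted networks, rejected (ioc, reason)) pairs."""
    accepted, rejected = [], []
    for raw in indicators:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR"))
            continue
        if net.num_addresses > MAX_ADDRESSES:
            rejected.append((raw, "range too broad for automatic blocking"))
            continue
        if any(p.version == net.version and net.overlaps(p) for p in protected):
            rejected.append((raw, "overlaps a protected range"))
            continue
        if net not in accepted:          # silently drop exact duplicates
            accepted.append(net)
    return accepted, rejected


def blocklist_ruleset(networks):
    """nft ruleset dropping traffic to and from the given networks (interval sets take CIDRs)."""
    v4 = [str(n) for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    lines = ["table inet ir_blocklist {"]
    if v4:
        lines.append("  set bad_v4 { type ipv4_addr; flags interval; elements = { %s } }" % ", ".join(v4))
    if v6:
        lines.append("  set bad_v6 { type ipv6_addr; flags interval; elements = { %s } }" % ", ".join(v6))
    for chain, hook, match in (("input", "input", "saddr"), ("output", "output", "daddr")):
        lines.append(f"  chain {chain} {{ type filter hook {hook} priority -10; policy accept;")
        if v4:
            lines.append(f"    ip {match} @bad_v4 counter drop")
        if v6:
            lines.append(f"    ip6 {match} @bad_v6 counter drop")
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines) + "\n"


def quarantine_ruleset(jump_host, log_collector, collector_port=6514):
    """Host-side ruleset that isolates a compromised machine but keeps responder SSH
    from the jump host and log forwarding to the collector working, so containment
    neither blinds nor locks out the team."""
    jump = ipaddress.ip_address(jump_host)
    coll = ipaddress.ip_address(log_collector)
    jfam = "ip" if jump.version == 4 else "ip6"
    cfam = "ip" if coll.version == 4 else "ip6"
    return "\n".join([
        "table inet ir_quarantine {",
        "  chain input { type filter hook input priority -5; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    {jfam} saddr {jump} tcp dport 22 ct state new accept",
        "  }",
        "  chain output { type filter hook output priority -5; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        f"    {cfam} daddr {coll} tcp dport {collector_port} ct state new accept",
        "  }",
        "}",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed indicator list, including ones that must be refused.
    iocs = ["203.0.113.7", "198.51.100.0/24", "10.0.0.5", "203.0.113.0/23", "not-an-ip", "2001:db8::1"]
    ok, bad = validate_indicators(iocs)
    for ioc, why in bad:
        print(f"REJECTED {ioc}: {why}")
    print(blocklist_ruleset(ok))
    print(quarantine_ruleset("198.51.100.10", "10.0.0.20"))
```

The rejections are the point of rehearsing this: the /24 that happens to contain the jump host, the internal 10.0.0.5, and the /23 that is wider than the policy allows all come back with a reason instead of silently going into the firewall. Apply the output only after a responder has read it, and keep the quarantine table separate from the normal ruleset so it can be deleted in one step during recovery.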

Automation

More tedious tasks can be readily automated. You don’t need dedicated personnel creating support tickets when software handles it ably. Automating incident tickets, alongside sending notifications to a company-wide communication platform like Slack, is a handy way of cutting response time. Make sure the automation deduplicates repeated alerts, though, or you will trade manual work for noise. Automating the more banal tasks keeps your team fresh and ready to handle the complex, demanding work as it arises.
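As an added example (not code from the article or any particular ticketing product), here is the grouping logic that keeps automated ticketing from flooding the queue: alerts get a stable fingerprint, repeats inside a sliding window attach to the existing open ticket, and only a newly created ticket produces a chat notification, routed by severity. The alert fields, ticket id format and channel names are assumptions; the notification is built in the `{"channel", "text"}` shape a chat API would take but nothing is actually sent.

```python
"""Turn a stream of detection alerts into tickets and chat notifications without
flooding either: alerts with the same fingerprint inside the window attach to the
existing ticket instead of opening a new one.  Alert fields, ticket ids and
channel names are assumptions for the example; nothing is sent anywhere."""
import hashlib
from datetime import datetime, timedelta

CHANNEL_BY_SEVERITY = {"critical": "#sec-incidents", "high": "#sec-incidents",
                       "medium": "#sec-alerts", "low": "#sec-alerts"}


def fingerprint(alert):
    """Stable identity of 'the same problem': rule + host + source, never timestamps or counts."""
    key = "|".join(str(alert.get(k, "")) for k in ("rule", "host", "src"))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


class TicketRouter:
    def __init__(self, window=timedelta(minutes=30)):
        self.window = window          # repeats within this much of the last sighting are grouped
        self.tickets = []             # every ticket ever created, in creation order
        self.open_by_fp = {}          # fingerprint -> index into self.tickets
        self.notifications = []       # chat payloads that would be posted

    def ingest(self, alert):
        """Return (ticket_id, created). Repeats inside the window update the open ticket."""
        fp = fingerprint(alert)
        idx = self.open_by_fp.get(fp)
        if idx is not None:
            t = self.tickets[idx]
            if t["status"] == "open" and alert["ts"] - t["last_seen"] <= self.window:
                t["count"] += 1
                t["last_seen"] = alert["ts"]
                return t["id"], False
        ticket = {"id": f"INC-{len(self.tickets) + 1:04d}", "fingerprint": fp, "status": "open",
                  "severity": alert["severity"], "rule": alert["rule"], "host": alert["host"],
                  "first_seen": alert["ts"], "last_seen": alert["ts"], "count": 1}
        self.tickets.append(ticket)
        self.open_by_fp[fp] = len(self.tickets) - 1
        self.notifications.append(self._notification(ticket, alert))
        return ticket["id"], True

    def close(self, ticket_id):
        """Closing a ticket means the next matching alert opens a fresh one."""
        for t in self.tickets:
            if t["id"] == ticket_id:
                t["status"] = "closed"

    @staticmethod
    def _notification(ticket, alert):
        channel = CHANNEL_BY_SEVERITY.get(alert["severity"], "#sec-alerts")
        text = (f"[{ticket['id']}] {alert['severity'].upper()} {alert['rule']} on {alert['host']}"
                + (f" from {alert['src']}" if alert.get("src") else ""))
        return {"channel": channel, "text": text}

    def digest(self):
        """Stand-up summary: how many alerts each open ticket has absorbed."""
        return [(t["id"], t["count"]) for t in self.tickets if t["status"] == "open"]


if __name__ == "__main__":
    # Constructed alert stream: one noisy rule firing repeatedly, then a separate low-severity one.
    router = TicketRouter()
    t0 = datetime(2024, 3, 14, 2, 10)
    base = {"rule": "bruteforce_success", "host": "web01", "src": "203.0.113.7", "severity": "high"}
    for minutes in (0, 5, 20, 120):
        print(router.ingest({**base, "ts": t0 + timedelta(minutes=minutes)}))
    print(router.ingest({"rule": "port_scan", "host": "fw01", "src": "203.0.113.7", "severity": "low", "ts": t0}))
    for n in router.notifications:
        print(n["channel"], n["text"])
    print(router.digest())
```

Three alerts in twenty minutes become one ticket and one message; the fourth, two hours later, is treated as a new occurrence. The window slides from the last sighting rather than the first, so a slow, steady drip of the same alert stays on one ticket, and closing a ticket deliberately resets that behaviour.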

Resilience


The perfect plan isn’t made in a day. If anything, you’ll want to take a page from Agile’s book and focus on iterative phases as you implement plans. Small, consistent improvements are better than grand sweeping gestures. Further, they are more likely to be informed by real-world experience, since each cycle can fold in what the last incident or exercise taught you.

Cross-Train Team Members

I’m well aware that I mentioned clearly defined roles, but all team members should also be cross-trained in other responsibilities. This reduces single points of failure and means an incident doesn’t stall because one person is unavailable. By cross-training your team, you’re building a far more resilient, capable security department.

Engage Stakeholders

Finally, you’ll want to actively engage your stakeholders. When pulling from the whole of your organization, you want to make sure that everyone understands their role during an incident and can provide the required support needed during a time of crisis. By keeping everyone in the loop, you’re already mitigating the damage done by any single attack.

Other Useful Tools and Concepts

Ready for a bit more? You want to take a look at how you can curtail bigger problems before they start through the use of daily Kaizen. Regularly engaging in process improvement is a surefire way to see marked, positive changes in your processes. Daily Kaizen doesn’t take much time, and can see surprisingly great results in very little time.

Additionally, you might want to review how you can turn executive vision into actionable cybersecurity practices. Putting the abstract into action can be somewhat daunting, but with the right steps and strategies, you can align your security department’s incident response with the long-term organizational goals set by your stakeholders.

Conclusion

Rome wasn’t built in a day, and your cybersecurity posture is going to take time. It isn’t about vast sweeping changes, but rather small, significant actions that compound into a greater whole. Cybersecurity is more important than it’s ever been, and failing to take action could spell disaster for your organization.
