Handling Incident Response: Assume The Fetal Position

A Computer Security Incident Response Plan, or CSIRP, is the plan you turn to when the enemy strikes and you realize you’ve been hit. At that point, there’s no time to wonder, “What do we do now?” With a well-conceived, well-rehearsed CSIRP, everyone involved in the plan will know exactly what to do.

Does your Computer Security Incident Response Plan top this?

    1. Update resume
    2. Assume the fetal position

That’s the entire plan, written on a napkin. I received it from one tech expert who attended a talk I gave on incident response. I keep it with me as a constant reminder of the importance of knowing what to do if an organization suffers a breach.

The time to investigate is as soon as you even suspect a threat may be in your network. Sixty-six percent of breaches went undiscovered for months or longer, and roughly 70 percent were discovered by an external party who then notified the victim, according to the 2013 Verizon Data Breach Investigations Report. One of the best ways to find out whether you have been breached is targeted threat hunting: a thorough search of your networks and hosts for evidence of compromise. Threats are hard to find because they hide well and malware often renames its own files once it is inside a network, so a hunt has to look at what a file is and does, not just what it is called. If you cannot find any threat and still sense that something is not quite right, consider working with an incident responder who knows exactly where to look and what to look for. The sooner you get the attackers out of your network, the less time they have to steal your data.
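Hunting by file content rather than file name, as an added example that is not from the article or from Dell SecureWorks: the script below walks a directory tree, hashes every file with SHA-256 and reports any file whose hash appears on a known-bad list, so a sample that has been copied and renamed to svchost.exe or update.tmp is still caught, while a benign file that merely shares a suspicious name is not. The sample "malware" bytes, the known-bad hash and the directory layout are all constructed for the demo; in practice the hash set comes from your threat intelligence and the scan root is a real host.

```python
"""Hash-based threat hunt: flag files by what they contain, not what they are named.

Added example (not the article's or Dell SecureWorks' code). The known-bad
hash set, the sample "malware" bytes and the on-disk layout are constructed
for this demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a malicious dropper; its SHA-256 is what we hunt for.
SAMPLE_MALWARE = b"MZ\x90\x00constructed-sample-dropper-v1"


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: Path, known_bad: set[str]) -> list[tuple[str, str]]:
    """Walk `root` and return (path relative to root, sha256) for every file
    whose content hash is in `known_bad`, regardless of its file name."""
    hits: list[tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the hunt
            if digest in known_bad:
                hits.append((p.relative_to(root).as_posix(), digest))
    return sorted(hits)


def build_demo_tree(root: Path) -> None:
    """Lay out a constructed host: the same dropper under three different names,
    one benign document, and a benign file that only shares a name with a hit."""
    (root / "Downloads").mkdir()
    (root / "Windows" / "Temp").mkdir(parents=True)
    (root / "Downloads" / "invoice.pdf.exe").write_bytes(SAMPLE_MALWARE)
    (root / "Windows" / "Temp" / "svchost.exe").write_bytes(SAMPLE_MALWARE)
    (root / "Windows" / "Temp" / "update.tmp").write_bytes(SAMPLE_MALWARE)
    (root / "Downloads" / "notes.txt").write_bytes(b"quarterly numbers")
    # Same name as a hit, different content: a name-based hunt would flag this,
    # a hash-based hunt must not.
    (root / "Downloads" / "svchost.exe").write_bytes(b"MZ\x90\x00benign-test-binary")


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp dir and hunt it with a one-entry hash set."""
    known_bad = {hashlib.sha256(SAMPLE_MALWARE).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return hunt(root, known_bad)


if __name__ == "__main__":
    for rel_path, digest in run_demo():
        print(f"HIT {rel_path}  sha256={digest[:16]}...")
```

The caveat a practitioner should keep in mind: a hash hunt finds copies that were renamed but not otherwise modified. A sample that re-packs itself or changes even one byte gets a new hash, so pair this with hunts on behaviour (persistence entries, unexpected outbound connections, odd parent-child process relationships) rather than relying on hashes alone.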

When your network has been compromised, you need to know what to do from start to finish to get the intruders out of your network and keep them out. Which people or what company will you call in case of a possible breach? If your network has been taken offline, what parts of the website need to be up and running first? What messages will you tell employees, customers, shareholders and the media? What team will you call upon to remediate the threat? If a server in one location goes down or is destroyed, what do you do to get that part of the network back up and running? Who are all the people who are going to be on the Computer Security Incident Response Team? What are the roles each team member will play? How will you define the severity of an incident?

A complete CSIRP should answer all these questions and help ensure you comply with legal, regulatory and industry requirements. If you don’t have the skills in house to develop a CSIRP and test it with tabletop exercises, a security consultant who specializes in Incident Response (IR) can work with you. Your CSIRP should also name the professional security team you will contact in the event of a breach. You’ll need an experienced IR team to analyze, contain and remove the threat. Companies that try this on their own often remove only part of the malware, or leave backdoors open, making it easy for the threat actors to re-enter. The mean time to resolve a cyber attack is 32 days, at an average cost of $32,469 per day, or $1,035,769 over the 32-day remediation period, according to the Ponemon 2013 Cost of Cyber Crime Study: United States. An experienced team can cut that time considerably. Cost savings for companies that employed certified or expert security personnel were more than $2 million. If you have an Incident Response Retainer in place, some providers can be on site within 24 hours to help remediate the breach.

A full list of actions on creating a CSIRP can be found at http://www.secureworks.com/1/CSIRP-TIPS/, but a short overview follows below:

  1. Develop a Computer Security Incident Response Team consisting of representatives from IT, business and legal.
  2. Create a communication plan to know whom to contact.
  3. Create a list of all likely scenarios that could occur.
  4. Establish a response guide for each scenario.
  5. Decide who on each business team will be responsible for taking what specific actions.
  6. Rehearse each scenario in the plan until you are satisfied with it.

If you’re not rehearsing and updating your CSIRP each year, keep a napkin close by. You may need it to clean up a mess.

Jeff Multz is director of North America Midmarket at Dell SecureWorks. Dell SecureWorks, a global information services security company, helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs.

