Contain and learn. Shoot for NEVER. EVER. Plan for whenever. SteelToad’s clients manage security incidents using the strategies outlined below.
Preparation
Incident response methodologies typically emphasize preparation: not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.
Identify and Prioritize Functions
Incidents can occur in many ways, so it is not feasible to develop step-by-step instructions for handling every incident. The organization should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors. Different types of incidents merit different response strategies; however, for all incidents, responsibilities should be assigned, communication channels should be clear, and key contacts should be identified.
Containment Strategy
Containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making (e.g., shut down a system, disconnect it from a network, disable certain functions). Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. SteelToad Consulting will evaluate acceptable risks in dealing with incidents and develop strategies accordingly.
Post Incident Lessons Learned
Two of the most important parts of Incident Response Management are also the most often omitted: learning and improving. Each incident response team will evolve as it encounters new threats, improved technology, and lessons learned. Holding a “lessons learned” meeting with all involved parties after a major incident, and optionally periodically after lesser incidents as resources permit, can be extremely helpful in improving security measures and the incident handling process itself. The meeting should be held within several days of the end of the incident.
Strong security incident management is essential and must be defined and managed for the organization’s complete IT infrastructure.