Preparation is Essential

Effectively mitigating cyberthreats and developing an appropriate response plan requires much more than simply putting the right technology in place. Without fully understanding the business environment and designing and testing a solid incident response plan, agencies are much more likely to experience far-reaching and damaging breaches.

Unfortunately, this problem isn’t uncommon. According to a report from the SANS Institute, the primary impediments to effective incident response include a shortage of staffing and skills, lack of procedural reviews and practice, inadequate visibility into events happening across different systems or domains, and lack of comprehensive automated tools.

“To be effective with incident response, you need to think of it as a program, not just a set of tools,” says Tony Cole, Vice President and Global Government CTO at FireEye, a leading provider of real-time, dynamic threat protection. “That means knowing what are the crown jewels of the agency, understanding the agency’s risk tolerance, and developing and testing a comprehensive plan for incident response.”

Agencies that do have an incident response plan in place have often had their security teams develop the plan without adequate input from business stakeholders. Without that input, the plan may not fully address the issues, applications and data that are important to the agency’s goals and leadership.

Processes, Priorities and Tools

Traditionally, much of an organization’s security budget has been spent on tools to detect cyberbreaches, with considerably less emphasis on incident response. That’s a mistake, says Cole. Without adequate incident response, agencies are at risk for the same or worse cyberevents occurring in the future.

A major part of any incident response plan must involve processes and priorities. The plan must also specify technology that can not only detect breaches, but also resolve them and prevent them from reoccurring. Many agencies are already using too many different tools. According to research from Hewlett Packard Enterprise, the average organization is using 63 different technology products. Developing an effective incident response strategy requires pinpointing requirements and winnowing the list of tools down to those that can provide the intelligence and analytics required to combat today’s cyberthreats.

A report from FireEye finds that many organizations still use signature-based tools, which can’t keep up with the speed at which attacks are evolving. Many tools provide alerts, but don’t allow security personnel to revisit incidents to see what occurred. For incident response, it’s best to choose tools that can generate alerts and provide the context necessary to fully resolve problems.

FireEye’s network forensics, host forensics and log forensics tools, for example, not only generate alerts, but also help security personnel go back and examine the entire series of events that led up to the breach. These tools also recommend actions that not only remediate the issues, but prevent them from occurring again.

As adversaries continue to create more sophisticated methods for compromising networks, and agencies continue to push the boundaries of security with innovative technologies around mobility, the cloud and the Internet of Things (IoT), a solid incident response strategy will become even more important. The best way for agencies to prepare for the inevitable is to have a solid, living, changeable incident response plan along with technologies capable of adapting to the changing threat landscape.