Poornachander Kola

Security Incident Response - Do you have a plan?

Organizing an effective computer security incident response capability entails critical decisions and actions. The first major deliberation must be to create an organization’s definition of an “incident” so that the scope is clear. The organization must make a decision on the services the incident response team will provide. Incident response plan, policy, and procedure creation is an important part of establishing a team. The plan, policies, and procedures should reflect the team’s interactions with other teams within the organization as well as with outside parties, such as law enforcement, the media, and other incident response organizations.




Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.


Need for Incident Response


Cyber-attacks regularly compromise personal and business data, and it is critical to respond quickly and effectively when security breaches occur. One of the benefits of having an incident response capability is that it supports responding to incidents systematically by following a consistent incident handling methodology and take appropriate actions. Incident response helps to minimize the loss of information and disruption of services caused by incidents. Another benefit of incident response is the ability to use information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and data.

Incident Response Life Cycle - NIST



(From NIST)


1. Preparation


The Preparation phase is the central working part of incident response planning, and the most crucial phase for protecting your business.

The response plan should be fully written down, setting out everyone’s roles and responsibilities in detail. The plan must be tested to confirm that employees perform as they were trained. The better prepared the employees are, the lower the probability of critical mistakes.


2. Detection & Analysis


In the detection phase you determine whether you’ve been breached. An incident can originate from many different areas. Incident detection and analysis would be easy if every indicator were confirmed to be accurate; unfortunately, this is not the case. Intrusion detection systems may produce false positives or incorrect indicators, so each indicator should ideally be evaluated to determine whether it is legitimate. Making matters worse, the total number of indicators may be thousands or millions a day. Finding the real security incidents among all the indicators can be a daunting task.
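As an added example (not part of the original post), the following Python script shows one way an analyst can reduce a day's worth of indicators to a ranked shortlist: parse the alerts, suppress a known-benign source (here an authorized vulnerability scanner), collapse repeated alerts from the same source and rule into one candidate, and rank the candidates by severity weighted by the criticality of the assets involved. The alert format, rule names, IP addresses, and asset criticality table are all constructed for illustration and do not come from any specific IDS or SIEM.

```python
"""Triage a batch of IDS/SIEM indicators down to a ranked shortlist.

Added example, not from the original post. The alert line format, rule
names, addresses and asset list are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample alerts in an assumed "key=value" line format.
SAMPLE_ALERTS = """\
ts=2021-03-01T08:00:01Z rule=ET_SCAN_Nmap src=10.0.5.20 dst=10.0.1.10 sev=low
ts=2021-03-01T08:00:02Z rule=ET_SCAN_Nmap src=10.0.5.20 dst=10.0.1.11 sev=low
ts=2021-03-01T08:00:03Z rule=ET_SCAN_Nmap src=10.0.5.20 dst=10.0.1.12 sev=low
ts=2021-03-01T08:05:10Z rule=ET_MALWARE_C2_Beacon src=10.0.2.44 dst=203.0.113.9 sev=high
ts=2021-03-01T08:05:11Z rule=ET_MALWARE_C2_Beacon src=10.0.2.44 dst=203.0.113.9 sev=high
ts=2021-03-01T08:06:00Z rule=ET_POLICY_Cleartext_Password src=10.0.3.7 dst=10.0.1.10 sev=medium
ts=2021-03-01T08:07:00Z rule=ET_WEB_SQLi_Attempt src=198.51.100.5 dst=10.0.1.10 sev=high
ts=2021-03-01T08:07:30Z this line is malformed and should be skipped
"""

# Constructed context: the authorized vulnerability scanner (a known-benign
# source) and an asset criticality table (1 = low, 3 = business critical).
KNOWN_BENIGN_SOURCES = {"10.0.5.20"}
ASSET_CRITICALITY = {"10.0.1.10": 3, "10.0.1.11": 2, "10.0.1.12": 2, "10.0.2.44": 3}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}

ALERT_RE = re.compile(r"ts=(\S+) rule=(\S+) src=(\S+) dst=(\S+) sev=(low|medium|high)$")


@dataclass
class Candidate:
    """One (rule, source) pair collapsed from possibly many raw alerts."""
    rule: str
    src: str
    count: int = 0
    dsts: set = field(default_factory=set)
    score: int = 0


def parse_alerts(text):
    """Parse well-formed alert lines; malformed lines are counted, not fatal."""
    alerts, malformed = [], 0
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        ts, rule, src, dst, sev = m.groups()
        alerts.append({"ts": ts, "rule": rule, "src": src, "dst": dst, "sev": sev})
    return alerts, malformed


def triage(alerts):
    """Suppress known-benign sources, collapse repeats, rank by business impact."""
    groups, suppressed = {}, 0
    for a in alerts:
        if a["src"] in KNOWN_BENIGN_SOURCES:
            suppressed += 1
            continue
        key = (a["rule"], a["src"])
        c = groups.setdefault(key, Candidate(rule=a["rule"], src=a["src"]))
        c.count += 1
        c.dsts.add(a["dst"])
        # Score = severity weight x criticality of the most critical asset on
        # either side of the connection (an internal source matters too).
        crit = max(ASSET_CRITICALITY.get(a["src"], 1), ASSET_CRITICALITY.get(a["dst"], 1))
        c.score = max(c.score, SEVERITY_WEIGHT[a["sev"]] * crit)
    # Highest score first; more repeats break ties.
    ranked = sorted(groups.values(), key=lambda c: (-c.score, -c.count))
    return ranked, suppressed


if __name__ == "__main__":
    parsed, bad = parse_alerts(SAMPLE_ALERTS)
    shortlist, dropped = triage(parsed)
    print(f"{len(parsed)} alerts parsed, {bad} malformed, {dropped} suppressed")
    for c in shortlist:
        print(f"score={c.score} count={c.count} {c.rule} from {c.src} -> {sorted(c.dsts)}")
```

With the constructed input, the eight raw lines become three candidates, and the beaconing finance workstation outranks a single SQL injection attempt against the same critical server because it repeats. The suppression list is the point to watch: anything placed on it stops being evaluated, so it should be narrow and reviewed.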


3. Containment, Eradication & Recovery


When a breach is first discovered, your initial instinct may be to securely delete everything so you can wipe the systems and start afresh. However, that hurts you in the long run: destroying valuable evidence prevents you from learning how the breach happened and from stopping it from happening again. In place of the delete-all-start-afresh approach, contain the breach so it doesn’t spread and cause further damage to the business. Disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. Make plans for a redundant system backup to help restore business operations and recover compromised or lost data. In the eradication phase, after containing the issue, the root cause of the breach needs to be eliminated. For example, all malware should be securely removed, systems should be hardened and patched again, and updates should be applied. Recovery is the process of restoring affected systems and devices and returning them to the business environment. During this time, it’s important to get the systems and business operations up without the fear of another breach.


4. Post-Incident Activity (Lessons Learned)


On completing the investigation, hold an after-action meeting with all Incident Response Team members and discuss what has been learned from the data breach. By analyzing and documenting everything about the breach it can be determined what worked well in the response plan. Lessons learned from both mock and real events will help strengthen the systems against future attacks.




Playbooks & Runbooks


An incident response playbook is a comprehensive checklist of the steps and actions required to respond to specific incident types and threats. Incident response playbooks provide a simple step-by-step, top-down approach to orchestration. Playbooks help establish formalized incident response processes and procedures for investigations and ensure that steps are followed systematically.

An incident response runbook has a series of conditional steps to perform actions, such as data enrichment, threat containment and sending notifications, automatically as part of the incident response or security operations process. This automation helps to accelerate the assessment, investigation and containment of threats to speed up the overall incident response process.

Together, incident response runbooks and playbooks provide flexible techniques for mobilizing even the most complicated security workflows. A combination of runbooks and playbooks is used to document different security processes, depending on which best fits the process or procedure being documented. Multiple runbooks and playbooks can be assigned to a single incident, permitting the proper type and level of automation and orchestration to be delivered for each incident type.
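The conditional, automated steps a runbook chains together (enrichment, a containment decision, notification) can be modelled in a few dozen lines. The following Python is an added example and not part of the original post or any vendor's product: the threat-intelligence set and asset inventory are constructed, and the containment and ticketing actions only record what they would do rather than calling a real EDR or ticketing API.

```python
"""A minimal conditional runbook: enrich, decide on containment, notify.

Added example, not from the original post and not any product's runbook
engine. Threat-intel data, the asset inventory and the action side effects
are constructed for illustration; real actions would call EDR/ticketing APIs.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed enrichment sources.
THREAT_INTEL_C2 = {"203.0.113.9"}
ASSET_INVENTORY = {
    "10.0.2.44": {"hostname": "fin-ws-07", "owner": "finance-it", "criticality": 3},
    "10.0.3.7": {"hostname": "dev-ws-02", "owner": "eng", "criticality": 1},
}
UNKNOWN_ASSET = {"hostname": "unknown", "owner": "unknown", "criticality": 1}


@dataclass
class Incident:
    src: str
    dst: str
    rule: str
    context: dict = field(default_factory=dict)   # facts added by enrichment
    actions: list = field(default_factory=list)   # audit trail of each step


@dataclass
class Step:
    name: str
    condition: Callable[[Incident], bool]   # decides whether the step runs
    action: Callable[[Incident], str]       # performs it, returns a summary


def enrich(inc):
    """Attach asset ownership/criticality and a threat-intel verdict."""
    asset = ASSET_INVENTORY.get(inc.src, UNKNOWN_ASSET)
    inc.context.update(asset)
    inc.context["known_c2"] = inc.dst in THREAT_INTEL_C2
    return f"enriched {inc.src} as {asset['hostname']} (criticality {asset['criticality']})"


def isolate_host(inc):
    """Containment action: in production this would call the EDR/NAC API."""
    inc.context["isolated"] = True
    return f"isolation requested for {inc.context['hostname']}"


def open_ticket(inc):
    """Ticket id scheme is constructed for the example."""
    inc.context["ticket"] = f"IR-{inc.src.replace('.', '')}"
    return f"ticket {inc.context['ticket']} opened for {inc.context['owner']}"


def notify(inc):
    """Always tell the SOC; escalate to leadership only if a host was isolated."""
    recipients = ["soc"] + (["ciso"] if inc.context.get("isolated") else [])
    inc.context["notified"] = recipients
    return "notified " + ", ".join(recipients)


# Containment is conditional: confirmed C2 destination AND a non-trivial asset.
RUNBOOK = [
    Step("enrich", lambda inc: True, enrich),
    Step("contain",
         lambda inc: bool(inc.context.get("known_c2")) and inc.context.get("criticality", 1) >= 2,
         isolate_host),
    Step("ticket", lambda inc: True, open_ticket),
    Step("notify", lambda inc: True, notify),
]


def run_runbook(inc, steps=RUNBOOK):
    """Execute steps in order, recording what ran and what was skipped."""
    for step in steps:
        if step.condition(inc):
            inc.actions.append((step.name, step.action(inc)))
        else:
            inc.actions.append((step.name, "skipped: condition not met"))
    return inc


if __name__ == "__main__":
    for src in ("10.0.2.44", "10.0.3.7"):
        result = run_runbook(Incident(src=src, dst="203.0.113.9", rule="ET_MALWARE_C2_Beacon"))
        for name, summary in result.actions:
            print(f"[{src}] {name}: {summary}")
```

Two properties matter more than the specific steps: every step leaves an entry in the audit trail whether it ran or was skipped, and the automated containment gate is explicit and testable, so the team can see exactly under which conditions the runbook will isolate a host on its own.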

Business Continuity vs Incident Response

Incident response could be considered part of the business continuity process with the goals of keeping the business running and minimizing the impact of unforeseen events. Incident management will have the greatest degree of exposure within the company considering what's at stake and the different factors involved, such as individuals, technology, and business processes.

An incident management programme is devoted to incidents and breaches involving networks and devices, software and databases, and the technology assets related to them.

Therefore, most organisations are best served by keeping the response plan for incidents in a stand-alone process – separate from the business continuity plan yet referenced.



(Courtesy: TechTarget)

Making the right choice


Before making a final decision, a certain amount of research and effort always goes into finding the right combination of toolsets. So if you are currently looking for incident management tools for your organization, there are certain features you need to look for.

A process that can lead towards a suitable decision should be devised. This process is impacted by the tools that are available to support the decision.

The decision should favour a solution that is technologically advanced enough to give you visibility and the data you need.


ServiceNow – Security Incident Response


ServiceNow Security Operations helps organizations connect security and IT teams, respond faster and more efficiently to threats, and get a definitive view of their security posture.

It connects the workflow and systems management capabilities of the Now Platform with security data from leading vendors to give your teams a single platform for response that can be shared between security and IT. With orchestration, automation, and better visibility, teams can respond more efficiently, reducing business risk.


The software leverages the ServiceNow Configuration Management Database (CMDB) to map risks, security events, and IT network vulnerabilities to business services and facilities. This mapping allows for business impact-based prioritisation and risk scoring, ensuring your security teams focus on what is most critical to your business.


Security Incident Response simplifies the identification of critical events and includes management and compliance capabilities to facilitate remediation. To automatically create prioritised security incidents, data from your existing security tools or Security Information and Event Management (SIEM) system is imported via APIs or email alerts.


ServiceNow SecOps fills the gap between the SIEM and Compliance & Risk Management by mapping the whole ITSM ecosystem to risk management.

Incident Response: A Strategy You Can’t Afford to Ignore


Sophisticated and comprehensive cybersecurity is becoming more of a necessity with each passing year. But as our systems advance even further, so do those of attackers.

That’s why it’s critical to follow these strategies in both the creation and continued maintenance of an in-depth IR plan. Doing so is sure to help identify gaps, mitigate damage, and position your business to respond efficiently and effectively.


©2021 by Kaptius.