Sunday, April 23, 2023

The 7 Roadblocks In Creating An IR Plan & How To Overcome Them

 


When a security breach occurs, what is the first thing that a company should do?  Respond, of course!!!  But unfortunately today, many businesses do not know how to do this. If they do become a victim, the response is usually much slower than it should be, and in the end, everything is thrown at it, including the kitchen sink.

So what can be done to avoid this kind of situation?

The one thing to keep in mind is that all of us, even individuals, are at risk of becoming a victim.  The only thing that we can do here is to mitigate, as much as possible, the risk of that happening in the first place.  But when it comes to responding to a security breach, this is an area that is technically known as “Incident Response”.

But in order to respond properly, a business needs to have what is known as an “Incident Response Plan”, also known as an “IR Plan” for short.

This can be a lengthy document, as it spells out in general terms how an entity should respond.  Now this document does not spell out how to combat each and every security threat, as there are so many of them.  But the crux of this document is how effective communications should take place so that all relevant parties can react accordingly.

But creating such a plan is not an easy task to accomplish, as the Cybersecurity threat landscape has become extremely complex, covert, and stealthy.  So what are the top challenges that organizations face when they try to craft their IR plan?  Here is a sampling:

*The complexities of the Cloud environment, especially when it comes to deployments into the Hybrid Cloud.

*The connection of IoT devices to both On Prem and Cloud infrastructures.

*The emergence of all kinds of mobile devices.

*The complexities of IAM.

*Complete dependence upon SaaS based solutions.

*The lack of modernization of the SOC to keep up with the latest threats.

*Too much dependence on automation, especially in the way of AI and ML tools.

Of course, the list is much longer than this.  But to get on the right path, what can a business do to start creating the right kind of IR plan?  Here are some of my thoughts:

1)     Conduct a Risk Assessment:

It is imperative that you conduct an inventory of both your digital and physical assets, and rank them in terms of their vulnerability, using a quantitative scale.  Then from there, you will know the right controls that will need to be implemented.

2)     Create a Data Map:

Once you have categorized your assets, the next thing to do is to create what is known as a “Data Map”.  This provides a holistic view of where all of your assets are, even those that are being used by your employees and contractors.  That way, if a security breach occurs, you can get a view of what is being impacted.  Keep in mind that there are many tools that can be used today to create such a map.  Very often in this regard, it is both AI and ML that are used.  If you do not know how to create this map, then have your MSP or MSSP help you with it.  The moral of the story is: don’t do a halfway job of this, go with it all the way.

3)     Get a view of the Cyber threat landscape:

Once you have completed the last two steps, the next thing you can do for your IR Plan is to get a detailed view of the Cyber threat landscape.  This is where you view where the existing threat variants are, as well as the potential ones.  Keep in mind that while this may sound like a hard task to accomplish, it is really not that bad.  Once again, you can use AI and ML to plot this view for you, but what is most important here is that the data that is used to keep it moving has to be fresh and optimized on a daily schedule, so that your view of the threat landscape is a realistic one.  The bottom line here:  You need to have a picture that is updated on a real time basis.

My Thoughts On This:

An IR Plan is not a hard copy Word based doc.  It is something that is also digital, which is updated on a regular basis, and all key parties have access to it, especially when it comes to containing a breach.  But the key thing to remember here is that communication is most critical!!!

In this document, you will be spelling out those responsible people who will be participating in an IR.  It is also important to keep all contact information up to date for all of these people, most importantly cell phone numbers and email addresses.

Finally, once you have crafted your IR Plan, it is not a one and done deal.  It must be rehearsed on a regular basis, preferably at least once a quarter.  And remember, keep this plan updated at all times, with all of the new information and data that your company receives, as well as the lessons learned from doing all of the rehearsals!!!
