In this week's webcast Wade Woolwine and Mike Scutt talked about how to prepare for an incident and be ready to respond effectively when one occurs. Breaches are happening all the time. They vary in size and scope, but will end up affecting every organization in one way or another. Incident preparedness leads to more efficient and streamlined incident response. Read on to learn the top takeaways from Wade and Mike's “Security Pro's Guide to Breach Preparedness and Response” webcast:
1. Know Thyself… and Thy Adversary – Understand your goals, the capabilities of your technology and people, and the criticality of what you are protecting (assets, users, data). Have a very clear understanding of the likely threats against your environment. Know what tools and processes are already in place, where your gaps are, and take steps to fill those gaps. Be aware of your security architecture's deficiencies so that you know when you'll need specialized equipment. As soon as alarm bells start ringing during a breach, take measures to figure out what you're dealing with. How were you initially compromised? Where is your valuable data? How can the attacker(s) communicate in your environment? Make sure to have a comprehensive understanding of the tools the attacker has deployed and their capabilities. Know how to collect the data that tells you where the intruder is in the attack lifecycle, and what actions to take before they can get critical data out of your environment. You should be prepared to prioritize threats, incidents, and remediation so that you apply the right resources at the right time, and to conduct your investigation in a way that preserves the best possible evidence.
2. Practice, Practice, Practice – There are a lot of intersecting technologies, processes, and people involved in incident preparedness and response. This requires consistent coordination, communication, and practice so that when it comes time to respond, everyone knows how to perform their role, how to communicate, how to handle evidence, and how the incident will be managed. Even with a great deal of preparation, things won't be perfect. There will be a huge adrenaline rush, and people will be running around hoping to take action, possibly without even understanding the severity of what you're looking at yet. Stick to practiced routines during a real breach as much as possible to stay grounded. Know who to call to take care of each piece of the response. Make sure to stop every so often to double-check that you're following procedure and that it's fitting your needs. Don't be afraid to step back and regroup to ensure you're on the right track. The more practice your organization has built up through incident preparedness, the easier it will be to fall back on a solid routine in a time of crisis and get through it effectively.
3. Post-Mortems are Paramount – One of the most important steps in incident preparedness and response is the last one: a wrap-up to determine lessons learned. Bring all the people involved together to figure out whether everything was coordinated properly and executed according to plan. What went well? Were there any holes in your procedures or in the execution of your plans? Were you able to pivot when things weren't going as expected? Figure out what can be done better in the future, and be ready to apply these lessons to the next incident response. In the meantime, perform threat exercises that incorporate what you have learned, and adapt policies as needed.
Watch the on-demand webcast now for the in-depth view of the 6 Steps to Prepare for Incident Response, and tips for what to do when you're thrown into response mode.