A CISO’s 8 Recommendations for a Security Incident Response Program

Most large organizations have a security incident response (IR) program in place – even if it only exists in a three-ring binder. The challenge for most is to get from its current form into an automated platform that will empower you to respond better, faster and with precision.

In a presentation delivered during Rsam’s 2016 User Conference on September 21, the company’s CISO, Bryan Timmerman, discussed his recommendations for making the lives of security incident responders easier.

For starters, find a security incident response platform (SIRP) that empowers you to create and evolve your program. There is a difference between applications and point solutions on the one hand and a platform on the other. A true platform is something you can build upon and adapt to do things not originally envisioned. It is very common for requirements to change while developing a program as complex as security incident response, so be sure you are not boxed into a rigid system. Other recommendations include:

  1. Transition the playbook to your platform – One of the most important tasks you’ll face after selecting a SIRP is to move your processes from paper to platform. Although it is a time commitment up front, you will make it up and then some once the program is running. For example, you should be able to easily configure dynamic rules that address incident handling requirements and automate the appropriate actions.
  2. Integrate with SIEM tools – The art of incident response is cutting out the noise and focusing on what matters. Integrate your SIRP with your SIEM so you can consume, and normalize, device and event data from as many sources as possible. Some events deserve more attention than others, and normalized data lets you see which ones without wasting time sifting through disparate data sources.
  3. Automate escalation – Based on user-definable criteria, you can set up your platform to automatically escalate events based on things like data type, source, category, and SIEM description.
  4. Allow for a flexible workflow – Make sure you choose a platform that allows you to add or change tools over time without disrupting your processes. Build what you need for today with an eye toward adaptation.
  5. Centralize threat and vulnerability data – Establish a central repository in your SIRP of data from sources like threat feeds, vulnerability scans, patch management, asset management and other relevant sources. A centralized repository will reduce errors and time to resolution.
  6. Automate responses – Don’t shy away from the “A” word when it comes to response. Use your platform to create repeatable, measurable and auditable response tasks. Automating responses can reduce the human error factor. Predefine team and individual task assignments that can be automatically generated during an incident.
  7. Prioritize incidents – Your SIRP should let you automatically prioritize incidents based on information provided by SIEMs and/or end users. Along those lines, you should be able to automatically populate dashboards with critical insights so decision makers have information at their fingertips in real time.
  8. Collaborate – Every person working an incident should have a single-pane view. Build workflows in your SIRP that support collaboration across the organization. Enable investigators and forensic specialists to share findings.
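To make recommendations 2, 3, 5, 6 and 7 concrete, here is a small added example of the kind of rule logic a SIRP runs once the playbook has been transitioned from paper: it normalizes alerts from two hypothetical sources (a SIEM feed and end-user reports) into one incident schema, assigns a priority from severity plus asset criticality drawn from a central asset list, attaches predefined playbook tasks and an owner, and escalates when an incident correlates with a critical incident on the same asset. This is illustration code written for this page, not Rsam's platform or anything shown in the talk; the field names, the alert and report records, the asset list, the priority scale and the playbook owners are all constructed assumptions.

```python
"""Rule-based triage for a security incident response platform (added example).

Everything below is constructed for illustration: the SIEM and user-report
record formats, the asset criticality list, the severity scale and the
playbook owners are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input in two different source formats.
SIEM_ALERTS = [
    {"rule_name": "Brute force login", "sev": 3, "src_ip": "10.0.0.5",
     "host": "dc01", "category": "credential-access"},
    {"rule_name": "Malware detected", "sev": 5, "src_ip": "10.0.0.9",
     "host": "ws-22", "category": "malware"},
]
USER_REPORTS = [
    {"subject": "Suspicious email with attachment", "reporter": "jdoe",
     "asset": "ws-22", "type": "phishing"},
]

# Assumed data from the central repository (asset management): critical assets.
CROWN_JEWELS = {"dc01", "db-prod-01"}

# Assumed severity (1 low .. 5 critical) assigned to user-reported incident types.
REPORT_TYPE_SEVERITY = {"phishing": 3, "lost-device": 2, "other": 1}

# Assumed playbook: category -> (default owner, predefined task list).
PLAYBOOK = {
    "malware": ("ir-oncall", ["Isolate host from network", "Capture memory and disk image"]),
    "credential-access": ("identity-team", ["Reset affected credentials", "Review auth logs for 24h"]),
    "phishing": ("soc-tier1", ["Pull message from all mailboxes", "Check proxy logs for clicks"]),
}


@dataclass
class Incident:
    """Single normalized incident schema shared by every data source."""
    title: str
    source: str                       # "siem" or "user"
    asset: str
    category: str
    severity: int                     # normalized 1..5
    priority: str = "P4"
    escalate_to: Optional[str] = None
    tasks: List[str] = field(default_factory=list)


def normalize_siem(alert: Dict) -> Incident:
    """Map a SIEM alert record onto the common schema, clamping severity to 1..5."""
    sev = max(1, min(5, int(alert["sev"])))
    return Incident(title=alert["rule_name"], source="siem", asset=alert["host"],
                    category=alert["category"], severity=sev)


def normalize_report(report: Dict) -> Incident:
    """Map an end-user report onto the common schema using the type-to-severity table."""
    kind = report.get("type", "other")
    return Incident(title=report["subject"], source="user", asset=report["asset"],
                    category=kind, severity=REPORT_TYPE_SEVERITY.get(kind, 1))


def prioritize(inc: Incident) -> Incident:
    """Severity 5 -> P1, 4 -> P2, 3 -> P3, else P4; a critical asset raises priority one level."""
    level = {5: 1, 4: 2, 3: 3}.get(inc.severity, 4)
    if inc.asset in CROWN_JEWELS:
        level = max(1, level - 1)
    inc.priority = f"P{level}"
    return inc


def escalate(inc: Incident, all_incidents: List[Incident]) -> Incident:
    """Attach playbook tasks and an owner; route to the IR on-call when the incident
    is P1 or when another P1 incident already exists on the same asset."""
    owner, tasks = PLAYBOOK.get(inc.category, ("soc-tier1", ["Triage manually"]))
    inc.tasks = list(tasks)
    related_p1 = any(o is not inc and o.asset == inc.asset and o.priority == "P1"
                     for o in all_incidents)
    if inc.priority == "P1" or related_p1:
        owner = "ir-oncall"
    inc.escalate_to = owner
    return inc


def triage(siem_alerts: List[Dict], user_reports: List[Dict]) -> List[Incident]:
    """Normalize, prioritize and escalate all inputs; return incidents ordered by priority."""
    incidents = [prioritize(normalize_siem(a)) for a in siem_alerts]
    incidents += [prioritize(normalize_report(r)) for r in user_reports]
    for inc in incidents:
        escalate(inc, incidents)
    return sorted(incidents, key=lambda i: i.priority)


if __name__ == "__main__":
    for inc in triage(SIEM_ALERTS, USER_REPORTS):
        print(f"{inc.priority} {inc.asset:8} {inc.category:18} -> {inc.escalate_to}: {inc.tasks}")
```

With the constructed input, the malware alert on ws-22 becomes P1 and goes to the IR on-call, the brute-force alert is only severity 3 but lands on a domain controller and is therefore raised to P2 for the identity team, and the phishing report on ws-22 would normally stay at tier 1 but is routed to the on-call because a P1 incident already exists on that host. That last case is the practical payoff of recommendation 5: the correlation is only possible because every source has been normalized into one repository.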

Whatever platform you choose for security incident response, it should not dictate or limit your organization’s natural processes and workflow. There is no such thing as a cookie-cutter solution for IR. Rather, your platform should empower you to use it in a way that makes sense for you.

Learn about Rsam’s security incident response platform here.