Upcoming Webinar - Incident Response Planning

Our upcoming webinar on June 25th will discuss key concepts and essential components of incident response and incident response planning. You will learn how to develop a customized incident response plan that prioritizes the goals of your organization. Register for the webinar series here.

As a preview, we’ve attempted to answer some of the most asked questions from the webinar registration form that may not be addressed during the hour.

Where does automation fit in?

While a little beyond the focus of the upcoming webinar, automation can be a critical piece of identifying anomalous events and bringing them to the attention of someone who can escalate the incident and begin response. More and more research and tools are available for data analysis, and pattern recognition can be a critical tool in discovering and validating an incident. We will likely have a future training on this topic by our partners at IU’s OMNISOC.

How does the science community differ from commercial enterprise in IR?

The assets we are protecting are often less tangible and harder to measure than those in enterprise sectors. It’s easy to look at lost IP or lost financial data and assign value or assess risk in terms of $$/fines, but it is hard to say how much science we have lost from an incident causing downtime or loss of data. See our April 2020 webinar on defining operational metrics for more ideas on defining the effectiveness of security and response in science operations.

Does each incident have a risk assessment proportional to that incident and does that indicate the response?

Yes, once the threshold for an incident is reached and an incident is declared, assessing the severity and priority of the incident will directly affect how many resources are devoted to its response. This is one of the chief jobs of your incident response team coordinator or CISO.

What is the best approach to scientific security strategy?

Know your threat landscape. Sometimes industry controls and methods are fine, but we exist in a different arena than most conventional targets. Having information about who might be attacking us and why lets us stay prepared. Being in contact with other organizations similar to yours, sharing threat data, etc., are all good ways to start.

How do we get started?

Start with defining roles within your organization and identify your organizational assets. Determine priorities for protecting those assets and write them down. That is the foundation for your MISPP. Add details on how to add and amend policies, then grab the Trusted CI Incident Response policy and start editing. Make sure you are prioritizing actions that reinforce what you identified as your operational objectives in your MISPP.

Adopt these policies and start educating your people about how they can participate in security and identifying incidents. Test your response plan regularly and test your security controls to make sure you will know about an incident when one happens and can respond promptly.

How do you develop a culture that supports incident response?

Empower your people to spot and identify incidents. Explain the way that incident response ties into the core mission of your project/org and give them a personal stake in managing it. Include non-security and non-technical people in your security exercises. Our May webinar looked at how leadership can exercise clear thinking in incident response.

Existing resources of shared playbooks?

Overlooked elements of IR planning?

Asset inventory and incident identification. Knowing what you have and whether it’s being attacked is critical. You sometimes see reports of incidents that occurred 3 years prior or were ongoing for months; be aware of what is happening in your systems and test for failure. Our February 2020 webinar on using security exercises to improve your information security program’s maturity covered this topic in more detail.