Five Considerations for Building an Effective Incident Response Framework

Written By
ITBE Staff
Mar 12, 2014

Although news headlines are consistently reporting that cyber threats are evolving into more targeted, sophisticated attacks, it may come as a surprise to some organizations that 75 percent of the security breaches that occur are opportunistic. According to a recent Verizon data breach report, these attacks are not targeted at any specific individual or organization.

For organizations that fall victim to a security breach, there tends to be a large focus on reducing the publicity around the breach in order to repair a hard-earned reputation and rebuild customer trust. For IT teams within the company, this means the noise must be reduced by cutting down on the time and resources it takes to repair the network.

Building an effective incident response program is essential for organizations because it enables them not only to contain a single incident, but also to start modeling the techniques of an attack. Incident response stems from an approach that detects and enumerates the steps taken by an attacker to compromise a system. This information is used by the incident response team and drives future incident response activities.

In this slideshow, AlienVault, provider of Unified Security Management™ solutions and crowd-sourced threat intelligence, offers five considerations for building an effective framework for incident response in order to remediate the threat.

Prevent, detect, investigate and respond

A traditional incident response cycle has four steps to remove the attackers’ advantage: prevent, detect, investigate and respond. Having a framework in place ahead of an incident will help streamline this cycle. This will allow companies to spend less time learning about the threat and more time overcoming it.

Eliminate the noise

Organizations need to determine where the rogue hosts are located. A rogue host can be one that is not compliant with standard controls, not authorized to connect to the network, infected with low-impact malware or network worms, one with unauthorized or inappropriate software, or a host where antivirus has detected a known bad actor but could not remove it.

Modify security controls

In the event of a broken policy, organizations may receive an alert that requires the security controls to be modified. Additionally, firewall rule sets may need to be tightened or AV and IDS signatures may require an update. In any case, security monitoring should be used to align policy intention with policy enforcement.

Reconfigure

In the event of a network outage, organizations need to understand that some alerts fire because of misconfigurations or honest mistakes rather than intentional abuse. Likewise, the noisy traffic you see coming from your Web server may have more to do with the latest change made by your system administrator than with anything nefarious.

Respond rapidly to incidents

If a breach occurs, you should know that not every incident will turn out to be a genuine threat, but for those that do, it is crucial to rapidly determine the who, what, where, why and how behind the threat. Dynamic threat intelligence, together with specific guidance on how to mitigate each threat, is required for an organization’s incident response program to be successful.
