In 2020, digitization has received an enormous boost. In just a few weeks, companies had to learn how to adapt and implement technology so that employees could all work remotely. This required rapid implementation.
When digitization of a company is not carried out adequately, the number of security incidents can also increase. In fact, regardless of how secure technology within a company is, good incident management – or IT incident management – is essential for information security. Planning and setting up a concept for unexpected security incidents is one of the biggest challenges for security professionals. With a comprehensive and effective incident response plan, employees have a foundation for dealing with IT security incidents.
Good incident management is essential.
As with ITIL®, there are also different frameworks in the area of cybersecurity. Such a plan for reacting to an incident is usually a documented, written guideline with several phases. The proper creation and administration of such an incident management plan requires regular updates and training.
The following is a list of possible phases contained in such an incident management plan:
Experience shows that the preparation includes the provision of the necessary incident managment tools and processes. STORM is SOAR software that already has a lot to offer here: It’s a tool that can be individually adapted to your security requirements, while leveraging the know-how of our cybersecurity experts.
Basically, creating an incident response process is based on best practices, just like ITIL®. Important phases are modeled in the tool so that, in the event of an incident, the most important information that an analyst needs to react quickly is captured.
Start by ensuring that employees know their roles and responsibilities in the event of an incident, such as a data breach. In addition, develop scenarios for reacting to security incidents and run through them regularly to evaluate and optimize them. Now, the response plan should be well documented and thoroughly explain the roles and responsibilities of everyone involved. Then, the plan needs to be tested to ensure that your employees are working as they were trained. The better prepared your employees are, the less likely they are to make critical mistakes.
The following questions should be answered:
- Have employees been trained regarding the security policy?
- Have the security policy and the incident response plan been approved by management?
- Does the incident response team know its responsibilities and what notifications are required?
- Have all members of the incident response team participated in trial exercises?
The second phase is to find out whether an incident has occurred. The analysis of existing data from log management systems, IDS/IPS, threat sharing systems, firewall protocols and network activities, e.g. via a SIEM, helps to classify the corresponding events. Once a threat is identified, it should be documented and communicated according to the established policy.
The evaluation process (triage) can be completely mapped in STORM process management. Not all events are incidents. External systems usually report events. The classification as to whether the event is an incident or is a false positive is done by an analyst who performs triage. To use an example from the real world: The front door of a house is open (event). Now, look to see if someone is in the house or something has been stolen (triage). If something was stolen or someone is in the apartment, it becomes an incident.
To help with triage, an additional STORM feature can also quickly search your own ticket inventory for similar patterns. Maybe the IP address is already known? Have such events or incidents already occurred?
As already mentioned, an event can become an incident (true positive). How this is tracked depends on the system. In STORM, the event ticket is closed automatically and a new ticket is created to handle the incident.
With STORM, an analyst can signal security sensitivity levels in the incident ticket via TLP (Traffic Light Protocol) color coding to trigger automatic email notifications. The goal is to communicate information about an incident confidentially to authorized recipients using a visual signal to highlight its importance.
The protocol should communicate both the extent and the impact of the incident and reflect all information in as detailed manner as possible. This information can be used later in the “lessons learned” phase for a detailed review.
In the containment phase, the incident response team must work to contain the threat. The goal is to prevent further damage to other systems: It serves to “lock up” the malware to prevent further spreading. Perhaps, this can be done by shutting down systems or switching off network components.
As this and other work happens, questions arise, such as: How did the virus get in in the first place? What security gaps were there? Often, forensic analyses evaluate the course of events. In STORM, there is a function within a ticket for this purpose called “Create Task.”
The creation of a “task” ticket splits off information that is not interesting for resolving the incident, such as requesting help from a forensic expert, involving the legal department, or informing the marketing department. Relevant information, such as the analysis results of the forensics department, is then fed back into the original incident ticket and any appropriate measures can be taken. This makes it easier to maintain an overview at all times.
Once the potential threat has been contained, it is necessary to find out what the root cause of the incident or problem was in order to eliminate all traces of it.
Once the potential threat has been contained, it is necessary to find out what the root cause of the incident or problem was in order to eliminate all traces of it. This means that all malware should be safely removed; the systems patched; updates applied and software updated, if necessary.
The next step in the recovery phase is to restore systems and devices affected by the incident and return them to the business environment. This is usually done by IT. In this step, the security team releases the systems to IT, so to speak.
The incident response team determines at what point in time operations can be restored and whether infected systems are completely clean. Questions you should ask yourself during the recovery phase, include:
- When can the systems go back into production?
- Have the systems been patched and tested?
- Can the system be restored from a trusted backup?
6. Lessons Learned
Last but not least — the lessons learned. This phase is about checking what went well and what went bad during the incident management process. This includes the handling of the incident, as well as the recognition of the event, e.g. by the SIEM. From this, changes in detection patterns, security measures and/or employee training can be derived.
One key question that arises during the lessons learned phase is “who knew which information when?” This is because security environments often function on a “need to know” basis, and the importance of who had knowledge about the incident, as well as who took action related to the incident, are critical. With STORM, all activities are logged and made available as read-only to those who have appropriate access: This includes all ticket data, such as who has read an article or who has downloaded an attachment. These exclusive STORM features make auditing more accurate and much simpler.
Following an incident, a detailed debriefing of all parties involved in the security incident is recommended. Make sure that you answer the following questions regarding incident management:
- What changes need to be made to security?
- Which weaknesses were exploited?
- How can we ensure that something similar does not happen again?
- Should employees be trained differently?
An OTRS Group study found that 66% of IT managers have seen an increase in security incidents over the past 6 months. As a result, companies must and should increasingly secure their IT environments. STORM SOAR software can be the right tool for facilitating this. Our security experts will work with you to analyze the current status, design the right solution for your IT team and then implement it.