To borrow a line from Ghostbusters, “Who you gonna call?”
…when you get hacked, or when buggy code takes down all of your IT and security systems?
The CrowdStrike outage was less than two weeks ago.
Were you affected? Who did you call?
Some companies were caught with their pants down and had to scramble to get help.
Other companies were prepared and knew exactly what to do and who was going to do it.
They had an incident response plan (IRP).
A well-defined incident response plan is vital if an organization is to manage cybersecurity incidents effectively.
The CrowdStrike outage wasn’t a cyberattack; it was a faulty software update. But the same playbook applies (figure out what is affected, contain it, restore service, review), so recovery would still have been faster with an IRP in place.
A formal IRP helps:
- Reduce the impact of incidents on business operations
- Minimize financial losses associated with data breaches
- Comply with regulatory requirements
- Improve the organization’s ability to respond to future incidents through lessons learned from past experiences
According to the National Institute of Standards and Technology (NIST), in Special Publication 800-61, the incident response life cycle consists of four main phases.
1. Phase one: Preparation
- Establish and train the incident response team
- Develop policies and procedures
- Make sure the necessary tools and resources are in place (logging, backups, contact lists, out-of-band communication channels)
- Conduct regular risk assessments and update the incident response plan to keep pace with evolving threats and technologies
2. Phase two: Detection and Analysis
- The incident response team identifies potential security incidents through monitoring tools and user reports
- Analyze each incident to determine its nature, severity, and impact on the organization, and document findings as you go
3. Phase three: Containment, Eradication, and Recovery
- Take immediate containment actions to prevent further damage
- Isolate affected systems, disable compromised accounts, and block malicious traffic, while preserving evidence for later analysis
- Eradicate the threat: remove malware and close the vulnerabilities that were exploited
- Restore normal operations, often from known-good backups, and confirm systems are clean before returning them to service
4. Phase four: Post-Incident Activity
- Conduct a thorough review of the incident to understand what happened, how it was handled, and what could be improved
- Update the incident response plan based on the findings and use them to strengthen the organization’s overall security posture
All of this requires an incident response team (IRT), which is typically composed of cybersecurity specialists and may include members from other departments such as IT, legal, and HR.
The team is responsible for executing the incident response plan and ensuring a coordinated approach to managing incidents.
Its roles include identifying incidents, containing them, and communicating with stakeholders.
If you need help creating or updating your IRP, or you’d like another set of eyes on it, give us a call.
This is what we do, so we’re happy to help.