
The Importance of Incident Response Plans – Detection & Analysis

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

Last month, we introduced the concept and importance of Incident Response Plans as part of overall cybersecurity. As stated previously, the National Institute of Standards and Technology (NIST) has developed a framework all incident response plans should consider, including:

Last month, we discussed the importance of one portion of the Preparation stage, specifically the Response Plan and Strategies based on the type of incident (e.g., data breach, ransomware, system crash, etc.): “What are you going to do if X happens?” Other aspects of the Preparation stage include Policy, Communication, Documentation, Team, Training, and Tools.

Ransomware Incident Response Plan – Detection & Analysis

This month we are focusing on the next phase of the response plan, Detection and Analysis. This encompasses having the proper technology, people, and process to detect when incidents occur and then to analyze the criticality of each incident.

  • Technology – used to review the large audit files and logs created by your various technology assets and to correlate events across those technologies
  • People – skilled in judging the criticality of incidents and the proper response action for each identified incident
  • Process – to ensure that all stakeholders are properly involved in the decision process

Multiple “incidents” occur within your systems daily, and not all of them are cybersecurity-related. Other incidents may include a CPU processing interruption, an application that hangs because cached data should have been cleared, memory filling up, and so on. When security incidents do present themselves, however, they are typically recorded in a series of system logs: in your firewall, on your servers, in your email system, in your operating systems (server or workstation), by your anti-virus software, or by other detection technologies you may have implemented.

The challenge with identifying incidents in these logs manually is that you must review reams of output to find a needle in a haystack. What appears to be an innocuous event from one source (e.g., someone mistyped their password on their workstation a couple of times) may in fact be tied to events in other logs and, taken together, indicate a cyberattack.

More organizations are installing detection software known as Security Information and Event Management (SIEM) tools and then establishing a Security Operations Center (SOC) to monitor the SIEM 24 hours a day, 7 days a week. Most companies outsource this activity to third-party organizations that specialize in system and network monitoring. These providers have expertise in using SIEM technologies to correlate events across your network and systems, in filtering out “false positives,” and in alerting you only to those incidents that pose a risk to the confidentiality or availability of your data or systems.

When establishing your detection and analysis capabilities, consider the following elements and include them in your incident response plan.

  • Monitoring all sensitive IT systems and infrastructure elements (firewall, switches, storage area network, etc.)
  • Analyzing events from multiple sources, including log files, error messages, and alerts from security tools
  • Identifying an incident by correlating data from multiple sources and reporting it as soon as possible
  • Notifying Cybersecurity Incident Response Team members and establishing communication with a designated command center (i.e., senior management, IT operations)
  • Documenting everything incident responders do during the attack: answering the who, what, where, why, and how questions
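To make the correlation idea concrete, here is an added example (not code from Blue & Co. or from any SIEM product) that does, in miniature, what a SIEM correlation rule does: it reads events from two sources, ignores an isolated mistyped password as noise, but raises an incident when a burst of failed logons on one workstation is followed by a successful logon and an outbound firewall connection from the same host, and it writes up the result as the who/what/where/when/why/how record the documentation step calls for. The log lines, field names, hostnames, addresses and thresholds are all constructed for illustration.

```python
"""Minimal cross-source event correlation with a who/what/where/when/why/how write-up.

Added example, not Blue & Co.'s code or any vendor's rule language. The log
format (ISO timestamp, source name, key=value fields), the thresholds and the
sample data are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from a workstation and a firewall (not real data).
SAMPLE_LOGS = [
    "2024-03-01T08:01:10 workstation host=WS-017 user=jdoe event=logon_failed",
    "2024-03-01T08:01:25 workstation host=WS-017 user=jdoe event=logon_failed",
    "2024-03-01T08:01:40 workstation host=WS-017 user=jdoe event=logon_failed",
    "2024-03-01T08:02:05 workstation host=WS-017 user=jdoe event=logon_failed",
    "2024-03-01T08:02:30 workstation host=WS-017 user=jdoe event=logon_success",
    "2024-03-01T08:04:12 firewall src=WS-017 dst=203.0.113.55 dport=4444 event=outbound_allowed",
    # An isolated typo on another workstation: noise, not an incident.
    "2024-03-01T09:15:00 workstation host=WS-042 user=asmith event=logon_failed",
    "2024-03-01T09:15:20 workstation host=WS-042 user=asmith event=logon_success",
]

FAILED_THRESHOLD = 3           # failures in the window before we care at all
WINDOW = timedelta(minutes=5)  # how close events must be to be tied together


def parse_line(line):
    """Turn one log line into a dict: ts, source, plus each key=value field."""
    ts, source, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def correlate(lines):
    """Return a list of incident records built from events across sources."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    auth_by_host = defaultdict(list)
    for e in events:
        if e["source"] == "workstation":
            auth_by_host[e["host"]].append(e)

    incidents = []
    for host, auth in auth_by_host.items():
        failures = [e for e in auth if e["event"] == "logon_failed"]
        for first in failures:
            # Failures that fall inside one window starting at this failure.
            burst = [f for f in failures if timedelta(0) <= f["ts"] - first["ts"] <= WINDOW]
            if len(burst) < FAILED_THRESHOLD:
                continue  # a couple of typos: stays in the noise
            # A successful logon after the burst, within the same window.
            success = next((e for e in auth
                            if e["event"] == "logon_success"
                            and e["ts"] >= burst[-1]["ts"]
                            and e["ts"] - first["ts"] <= WINDOW), None)
            if success is None:
                continue
            # Corroboration from a second source: the same host going outbound.
            fw = next((e for e in events
                       if e["source"] == "firewall" and e.get("src") == host
                       and success["ts"] <= e["ts"] <= success["ts"] + WINDOW), None)
            if fw is None:
                continue
            incidents.append({
                "who": success["user"],
                "what": "failed-logon burst, then successful logon and outbound connection",
                "where": host,
                "when": first["ts"].isoformat(),
                "why": "isolated failures are noise; the same host then connecting out "
                       "to an unusual port is what elevates this to an incident",
                "how": f"{len(burst)} failed logons, logon_success at {success['ts'].time()}, "
                       f"outbound to {fw['dst']}:{fw['dport']}",
                "sources": ["workstation", "firewall"],
            })
            break  # one incident record per host burst
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        for k, v in inc.items():
            print(f"{k:>8}: {v}")
```

Run on the sample data this yields exactly one incident, for jdoe on WS-017, while the lone failure on WS-042 produces nothing; that difference is the false-positive filtering the article describes, and the record it produces is the starting point for the documentation the responders must keep.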

The next article in the series will discuss the third phase of the incident response plan, Containment and Eradication: how do you keep the incident from spreading to other portions of your network, and how do you get rid of it?

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.
