
The Importance of Incident Response Plans – Detection & Analysis

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

Last month, we introduced the concept and importance of Incident Response Plans as part of overall cybersecurity. As stated previously, the National Institute of Standards and Technology (NIST) has developed a framework all incident response plans should consider, including:

Last month, we also discussed one portion of the Preparation stage, specifically the Response Plan and Strategies based on the type of incident (e.g., data breach, ransomware, system crash, etc.): “What are you going to do if X happens?” Other aspects of the Preparation stage include Policy, Communication, Documentation, Team, Training, and Tools.

Ransomware Incident Response Plan – Detection & Analysis

This month we are focusing on the next phase of the response plan, Detection and Analysis. This encompasses having the proper technology, people, and process to detect when incidents occur and then to analyze the criticality of each incident.

  • Technology – used to review large audit files and logs created by your various technology assets and correlate incidents across those technologies
  • People – who are skilled in understanding the criticality of incidents and the proper response action to identified incidents
  • Process – to ensure that all stakeholders are properly involved in the decision processes

Multiple “incidents” occur within your systems daily, and not all of them are cybersecurity-related. Other incidents may include a CPU processing interruption, an application that hangs because something cached should have been cleared, memory filling up, etc. However, when security incidents do present themselves, they are typically recorded in a series of system logs: in your firewall, on your servers, in your email system, in your operating systems (server or workstation), from your anti-virus software, or from other detection technologies you may have implemented.

The challenge with identifying incidents in these logs manually is that you must review reams of output to find a needle in the haystack. What appears to be an innocuous incident from one source (e.g., someone mistyped their password on their workstation a couple of times) may in fact be tied to incidents in other logs and together indicate a cyberattack.

More organizations are installing detection software known as Security Information and Event Management (SIEM) tools and then establishing a Security Operations Center (SOC) to monitor the SIEM 24 hours a day, 7 days a week. Most companies outsource this activity to third-party organizations that specialize in system and network monitoring. These providers have expertise in using SIEM technologies to correlate incidents across your network and systems, and in filtering out “false positives” so that you are alerted only to those incidents that pose a risk to the confidentiality or availability of your data or systems.
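Correlation of the kind described above, written here as an added illustration rather than code from this article or from any SIEM product: each source's events are individually below an alerting threshold, but the same account touching three different log sources within fifteen minutes is raised as one incident. The log lines, account names, source names and the fifteen-minute window are constructed assumptions.

```python
"""Cross-source correlation of individually low-severity events.
The log lines below are constructed sample data, not real output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: source, timestamp, user, event [extra].
# Two failed passwords alone are noise; with the VPN login and the new
# mail-forwarding rule they form one story worth a responder's time.
SAMPLE_LOGS = [
    "workstation 2024-03-04T08:59:10 jdoe auth_failure",
    "workstation 2024-03-04T08:59:25 jdoe auth_failure",
    "vpn 2024-03-04T09:03:40 jdoe login_success src=203.0.113.7",
    "email 2024-03-04T09:05:02 jdoe forwarding_rule_created",
    "workstation 2024-03-04T13:10:00 asmith auth_failure",
    "workstation 2024-03-04T13:10:20 asmith login_success",
]

def parse_line(line):
    """Split 'source timestamp user event [extra...]' into a dict."""
    source, ts, user, event, *extra = line.split()
    return {"source": source, "time": datetime.fromisoformat(ts),
            "user": user, "event": event, "extra": extra}

def correlate(lines, window=timedelta(minutes=15), min_sources=3):
    """Group events per user and flag any user whose events span at
    least `min_sources` distinct log sources within one `window`."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        by_user[ev["user"]].append(ev)
    incidents = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            # All events starting at `first` that fall inside the window.
            cluster = [e for e in events[i:]
                       if e["time"] - first["time"] <= window]
            sources = sorted({e["source"] for e in cluster})
            if len(sources) >= min_sources:
                incidents.append({"user": user, "sources": sources,
                                  "events": [e["event"] for e in cluster]})
                break  # one incident per user is enough for triage
    return incidents

if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(incident)
```

Lowering `min_sources` to 1 shows the flood a single-source rule would produce; the value of the SIEM is the cross-source join, not the individual alerts.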

When establishing your detection and analysis capabilities, consider the following elements and include them in your incident response plan.

  • Monitoring all sensitive IT systems and infrastructure elements (firewall, switches, storage area network, etc.)
  • Analyzing events from multiple sources including log files, error messages, and alerts from security tools
  • Identifying an incident by correlating data from multiple sources and reporting it as soon as possible
  • Notifying Cybersecurity Incident Response Team members and establishing communication with a designated command center (i.e., senior management, IT operations)
  • Documenting everything incident responders are doing as part of the attack—answering the who, what, where, why, and how questions

The next article in the series will discuss the third phase of the incident response plan, Containment and Eradication: how do you keep the incident from spreading to other portions of your network and how do you get rid of it?

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.
