
The Importance of Incident Response Plans – Detection & Analysis

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

Last month, we introduced the concept and importance of Incident Response Plans as part of overall cybersecurity. As stated previously, the National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Last month, we discussed the importance of one portion of the Preparation stage, specifically the Response Plan and Strategies based on the type of incident (e.g., data breach, ransomware, system crash, etc.): “What are you going to do if X happens?” Other aspects of the Preparation stage include Policy, Communication, Documentation, Team, Training, and Tools.

Ransomware Incident Response Plan – Detection & Analysis

This month we are focusing on the next phase of the response plan which is Detection and Analysis. This encompasses having the proper technology, people, and process to detect when incidents occur and then analyzing the criticality of the incident.

  • Technology – used to review large audit files and logs created by your various technology assets and correlate incidents across those technologies
  • People – who are skilled in understanding the criticality of incidents and the proper response action to identified incidents
  • Process – to ensure that all stakeholders are properly involved in the decision processes

Multiple “incidents” occur within your systems daily. Not all incidents are necessarily cybersecurity-related. Other incidents may include a CPU processing interruption, an application that hangs because something is cached that should be cleared, memory filling up, etc. However, when security incidents do present themselves, they are typically recorded in a series of system logs: in your firewall, on your servers, in your email system, in your operating systems (server or workstation), from your anti-virus software, or from other detection technologies you may have implemented.

The challenge with identifying incidents in these logs manually is that you must review reams of output to find a needle in the haystack. What appears to be an innocuous event from one source (e.g., someone mistyped their password on their workstation a couple of times) may in fact be tied to events in other logs and together indicate a cyberattack.

More organizations are moving to installing detection software known as Security Information and Event Management (SIEM) tools. They then establish a Security Operations Center (SOC) to monitor the SIEM 24 hours a day, 7 days a week. Most companies outsource this activity to third-party organizations that specialize in system and network monitoring. These providers have expertise in using SIEM technologies to correlate incidents across your network and systems, in filtering out “false positives,” and in alerting you only to those incidents that pose a risk to the confidentiality or availability of your data or systems.
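The correlation the two paragraphs above describe (a few failed logons on a workstation that look harmless on their own, but matter when the firewall log shows the same host doing something unusual shortly after) is easier to see in code. The following is an added example, not code from this article or from Blue & Co., and not any vendor's SIEM. The log lines, their formats, the host names, the destination addresses and the allow-list of known business destinations are all constructed for illustration; the thresholds (three failures, a 15-minute window) are assumptions a real team would tune.

```python
"""Toy cross-source event correlation in the spirit of SIEM correlation.
All log lines, formats and thresholds below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed workstation authentication log (assumed format).
WORKSTATION_LOG = """\
2024-03-11T09:00:10 WS-117 auth failure user=jdoe
2024-03-11T09:00:25 WS-117 auth failure user=jdoe
2024-03-11T09:00:41 WS-117 auth failure user=jdoe
2024-03-11T09:00:58 WS-117 auth success user=jdoe
2024-03-11T09:12:03 WS-042 auth failure user=asmith
2024-03-11T09:12:30 WS-042 auth success user=asmith
""".splitlines()

# Constructed firewall log (assumed format); 203.0.113.0/24 and 192.0.2.0/24
# are documentation ranges, not real destinations.
FIREWALL_LOG = """\
2024-03-11T09:03:12 fw01 allow src=WS-117 dst=203.0.113.9:8443 proto=tcp
2024-03-11T09:15:00 fw01 allow src=WS-042 dst=192.0.2.20:443 proto=tcp
""".splitlines()

# Constructed allow-list of destinations the business is known to use.
KNOWN_DESTINATIONS = {"192.0.2.20"}


def parse_workstation(line):
    """Normalize one workstation auth line into a common event record."""
    ts, host, _auth, outcome, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "source": "workstation",
            "host": host, "kind": f"auth_{outcome}",
            "detail": user.split("=", 1)[1]}


def parse_firewall(line):
    """Normalize one firewall line; 'detail' carries the destination IP."""
    ts, _fw, action, src, dst, _proto = line.split()
    host = src.split("=", 1)[1]
    dst_ip = dst.split("=", 1)[1].rsplit(":", 1)[0]
    return {"ts": datetime.fromisoformat(ts), "source": "firewall",
            "host": host, "kind": f"fw_{action}", "detail": dst_ip}


def correlate(events, window=timedelta(minutes=15), fail_threshold=3):
    """Per host: >= fail_threshold failed logons followed by a success inside
    `window` raises a medium incident; if the same host then connects out to
    a destination not on the allow-list within `window`, escalate to high.
    Failures below the threshold are treated as ordinary noise."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    incidents = []
    for host, evs in by_host.items():
        failures = []
        for i, e in enumerate(evs):
            if e["kind"] == "auth_failure":
                # keep only failures still inside the window
                failures = [f for f in failures if e["ts"] - f["ts"] <= window]
                failures.append(e)
            elif e["kind"] == "auth_success":
                recent = [f for f in failures if e["ts"] - f["ts"] <= window]
                if len(recent) >= fail_threshold:
                    inc = {"host": host, "user": e["detail"],
                           "failures": len(recent), "severity": "medium",
                           "evidence": ["workstation"]}
                    # look ahead for an unexpected outbound connection
                    for later in evs[i + 1:]:
                        if later["ts"] - e["ts"] > window:
                            break
                        if (later["kind"] == "fw_allow"
                                and later["detail"] not in KNOWN_DESTINATIONS):
                            inc["severity"] = "high"
                            inc["evidence"].append("firewall")
                            inc["destination"] = later["detail"]
                            break
                    incidents.append(inc)
                failures = []
    return incidents


def run_sample():
    """Parse both constructed logs and return the correlated incidents."""
    events = [parse_workstation(l) for l in WORKSTATION_LOG]
    events += [parse_firewall(l) for l in FIREWALL_LOG]
    return correlate(events)


if __name__ == "__main__":
    for inc in run_sample():
        print(inc)
```

Run on the constructed sample, WS-042's single mistyped password followed by a connection to a known destination produces nothing, while WS-117's three failures, a success, and an outbound connection to an address outside the allow-list are reported together as one high-severity incident. Neither log on its own would have justified paging anyone; the combination is what a SOC analyst or SIEM rule is looking for.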

When establishing your detection and analysis capabilities, consider the following elements and include them in your incident response plan.

  • Monitoring all sensitive IT systems and infrastructure elements (firewalls, switches, storage area networks, etc.)
  • Analyzing events from multiple sources, including log files, error messages, and alerts from security tools
  • Identifying an incident by correlating data from multiple sources and reporting it as soon as possible
  • Notifying Cybersecurity Incident Response Team members and establishing communication with a designated command center (i.e., senior management, IT operations)
  • Documenting everything incident responders do during the attack: answering the who, what, where, why, and how questions

The next article in the series will discuss the third phase of the incident response plan, Containment and Eradication: how do you keep the incident from spreading to other portions of your network and how do you get rid of it?

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.
