
The Importance of Incident Response Plans – Detection & Analysis

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

Last month, we introduced the concept and importance of Incident Response Plans as part of overall cybersecurity. As stated previously, the National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

  • Preparation
  • Detection & Analysis
  • Containment & Eradication
  • Recovery
  • Post Incident Activity

Last month, we discussed the importance of one portion of the Preparation stage, specifically the Response Plan and Strategies based on the type of incident (e.g., data breach, ransomware, system crash, etc.): “What are you going to do if X happens?” Other aspects of the Preparation stage include: Policy, Communication, Documentation, Team, Training, and Tools.

Ransomware Incident Response Plan – Detection & Analysis

This month we are focusing on the next phase of the response plan, Detection and Analysis. This encompasses having the proper technology, people, and process to detect when incidents occur and then to analyze the criticality of each incident.

  • Technology – used to review large audit files and logs created by your various technology assets and correlate incidents across those technologies
  • People – who are skilled in understanding the criticality of incidents and the proper response action to identified incidents
  • Process – to ensure that all stakeholders are properly involved in the decision processes

Multiple “incidents” occur within your systems daily, and not all of them are cybersecurity-related: a CPU processing interruption, an application that hangs because something cached should have been cleared, memory filling up, etc. However, when security incidents do present themselves, they are typically recorded in a series of system logs: in your firewall, on your servers, in your email system, in your operating systems (server or workstation), from your anti-virus software, or from other detection technologies you may have implemented.

The challenge with identifying incidents in these logs manually is that you must review reams of output to find a needle in a haystack. What appears to be an innocuous event in one source (e.g., someone mistyped their password on their workstation a couple of times) may in fact be tied to events in other logs that together indicate a cyberattack.

More organizations are installing detection software known as Security Information and Event Management (SIEM) tools and then establishing a Security Operations Center (SOC) to monitor the SIEM 24 hours a day, 7 days a week. Most companies outsource this activity to third-party organizations that specialize in system and network monitoring. These providers have expertise in using SIEM technologies to correlate incidents across your network and systems, in filtering out “false positives,” and in alerting you only to those incidents that pose a risk to the confidentiality or availability of your data or systems.
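To make the correlation idea above concrete, here is an added example (not code from the article or from Blue & Co.) of the kind of rule a SIEM runs: repeated logon failures on a workstation are harmless on their own, but followed shortly by a successful remote login for the same account they merit an alert. The log lines, hostnames, usernames and IP addresses are constructed sample data, and the ten-minute window and three-failure threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data): one from workstation auth events,
# one from the firewall/VPN gateway. Fields are simple key=value pairs.
WORKSTATION_LOG = """\
2024-03-04T08:01:10 host=WS-17 user=jdoe event=LOGON_FAILURE
2024-03-04T08:01:25 host=WS-17 user=jdoe event=LOGON_FAILURE
2024-03-04T08:01:41 host=WS-17 user=jdoe event=LOGON_FAILURE
2024-03-04T09:15:02 host=WS-03 user=asmith event=LOGON_FAILURE
"""
FIREWALL_LOG = """\
2024-03-04T08:04:30 src=203.0.113.45 user=jdoe event=VPN_LOGIN_SUCCESS
2024-03-04T12:30:00 src=198.51.100.7 user=asmith event=VPN_LOGIN_SUCCESS
"""


def parse(log_text, source):
    """Turn 'timestamp k=v k=v ...' lines into dicts tagged with their source."""
    events = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["source"] = source
        events.append(rec)
    return events


def correlate(ws_events, fw_events, min_failures=3, window=timedelta(minutes=10)):
    """Flag a user whose repeated workstation logon failures are followed,
    within `window`, by a successful VPN login for the same account.
    Either signal alone is noise; together they are worth an analyst's time."""
    failures = defaultdict(list)
    for e in ws_events:
        if e["event"] == "LOGON_FAILURE":
            failures[e["user"]].append(e["ts"])
    alerts = []
    for e in fw_events:
        if e["event"] != "VPN_LOGIN_SUCCESS":
            continue
        recent = [t for t in failures.get(e["user"], [])
                  if e["ts"] - window <= t <= e["ts"]]
        if len(recent) >= min_failures:
            alerts.append({"user": e["user"], "src": e["src"],
                           "failures": len(recent), "login_at": e["ts"].isoformat()})
    return alerts


def run():
    return correlate(parse(WORKSTATION_LOG, "workstation"), parse(FIREWALL_LOG, "firewall"))
```

Running `run()` yields one alert for jdoe (three failures in the window, then a VPN login); asmith's single failure hours before the VPN login is correctly ignored.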

When establishing your detection and analysis capabilities, consider the following elements and include them in your incident response plan:

  • Monitoring all sensitive IT systems and infrastructure elements (firewall, switches, storage area network, etc.)
  • Analyzing events from multiple sources, including log files, error messages, and alerts from security tools
  • Identifying an incident by correlating data from multiple sources and reporting it as soon as possible
  • Notifying Cybersecurity Incident Response Team members and establishing communication with a designated command center (i.e., senior management, IT operations)
  • Documenting everything incident responders are doing as part of the response: answering the who, what, where, why, and how questions

The next article in the series will discuss the third phase of the incident response plan, Containment and Eradication: how do you keep the incident from spreading to other portions of your network, and how do you get rid of it?

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.
