5 Things You Must Add to Your Incident Response Plan in 2020 – TechNative

An incident response plan (IRP) is a documented set of procedures for identifying vulnerabilities and for detecting and responding to security incidents.

The purpose of an IRP is to standardize and facilitate effective incident response and to minimize the damage caused by incidents. In this article, you'll learn what the key considerations are when creating an IRP, and which components to include in the plan.

Creating an effective incident response plan requires significant time and effort but can greatly improve the security of your systems and data.

When developing and refining your IRP, make sure to consider the following elements:

Threats are constantly evolving as attackers attempt to find new ways to bypass security measures and infiltrate systems. This evolution requires organizations to consistently and reliably update their IRPs. Below are three ways you can update your current plan to ensure you remain ready for any attack.

Playbooks are documents that fully outline steps to be taken to perform a process. These tools can be created for any process but are particularly helpful for standardizing IRPs. With playbooks, you can design exact response strategies for a wide variety of situations. These playbooks can then be applied by responders when an incident occurs.

Since the playbook fully outlines the actions to be taken, responders are less likely to forget steps or make mistakes due to the stress of responding. Additionally, playbooks enable you to easily pass on information and expertise to any responder. For example, you can provide a playbook that outlines how to disable and redeploy compromised containers. Any team member using the playbooks should be able to perform the procedure competently regardless of their background.

Additionally, you can benefit from experience outside your organization by adopting playbooks written by external experts. These playbooks can help you ensure that you are employing best practices regardless of who is available to serve as part of your incident response team.

You should incorporate threat intelligence feeds into your incident response tooling. Threat intelligence enables you to better correlate events and can improve your detection rates and increase your response effectiveness. Additionally, threat intelligence can help you perform threat hunting for threats that have bypassed your detection tools. Threat hunting is a process in which threats are proactively searched for as opposed to passively identified.

Automation of repetitive or tedious processes can free your security teams to perform more specialized and demanding work. It can provide you with more consistent and continuous monitoring and response. Automation can also enable you to be more proactive in your incident responses, triggering actions as soon as a suspicious event is detected.

When used correctly, automation can help you avoid overlooking alerts and notifications by prioritizing alerts according to predefined thresholds. Automation tools can more quickly process and analyze data and can provide analysts with valuable context for incidents. This enables security analysts to focus their time on the most relevant threats and improves your ability to mitigate damage.
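The two ideas above, enriching alerts with a threat-intelligence feed and ranking them against predefined thresholds, fit together in a short triage routine. The following Python is an added example written for this article, not tooling from the original post; the feed entries, alert records, scoring weights and priority thresholds are all constructed for illustration (the IP addresses come from the documentation ranges reserved for examples).

```python
"""Added example: enrich constructed alerts with a constructed threat-intel
feed and rank them by predefined priority thresholds. Not the article's code;
every indicator, host, score and threshold below is made up."""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (type, confidence 0-100, tags).
THREAT_FEED = {
    "203.0.113.42": ("ip", 90, ["c2"]),                 # TEST-NET-3 range
    "198.51.100.7": ("ip", 40, ["scanner"]),            # TEST-NET-2 range
    "bad-updates.example": ("domain", 85, ["ransomware-delivery"]),
}

# Predefined thresholds (assumed values): first floor the score reaches wins.
PRIORITY_THRESHOLDS = [(80, "P1"), (50, "P2"), (20, "P3"), (0, "P4")]


@dataclass
class Alert:
    alert_id: str
    host: str
    indicators: list            # IPs/domains observed in the event
    base_score: int             # 0-100 score assigned by the detection tool
    context: dict = field(default_factory=dict)
    priority: str = "P4"


def enrich(alert, feed=THREAT_FEED):
    """Attach matching feed entries to the alert; return the match count."""
    matches = []
    for ind in alert.indicators:
        if ind in feed:
            kind, confidence, tags = feed[ind]
            matches.append({"indicator": ind, "type": kind,
                            "confidence": confidence, "tags": tags})
    alert.context["ti_matches"] = matches
    return len(matches)


def score(alert):
    """Tool score plus half the best feed confidence, capped at 100.
    Halving the feed weight keeps a single low-confidence hit from
    promoting an otherwise quiet alert on its own."""
    best = max((m["confidence"] for m in alert.context.get("ti_matches", [])),
               default=0)
    return min(100, alert.base_score + best // 2)


def prioritize(alert, thresholds=PRIORITY_THRESHOLDS):
    """Map the combined score onto a priority label via the thresholds."""
    s = score(alert)
    for floor, label in thresholds:
        if s >= floor:
            alert.priority = label
            break
    return alert.priority


def triage(alerts, feed=THREAT_FEED, thresholds=PRIORITY_THRESHOLDS):
    """Enrich, score and prioritize; return alerts most urgent first."""
    for a in alerts:
        enrich(a, feed)
        prioritize(a, thresholds)
    return sorted(alerts, key=lambda a: (a.priority, -score(a)))


def sample_alerts():
    """Constructed alerts from fictional hosts; fresh objects on every call."""
    return [
        Alert("A1", "ws-17", ["203.0.113.42"], 40),
        Alert("A2", "ws-03", ["198.51.100.7"], 10),
        Alert("A3", "srv-db", ["10.0.0.5"], 60),
        Alert("A4", "ws-22", ["bad-updates.example", "198.51.100.7"], 30),
    ]


if __name__ == "__main__":
    for a in triage(sample_alerts()):
        print(a.priority, a.alert_id, a.host, score(a), a.context["ti_matches"])
```

Running it orders the queue A1, A4, A3, A2: the alert whose indicator matched a high-confidence C2 entry becomes P1 even though the detection tool only scored it 40, while the bare scanner hit stays at P3. The thresholds and weights are the part an analyst tunes; the point is that the same rules run on every alert, so nothing is silently overlooked.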

Automation tools can also help you evaluate system vulnerabilities in the preparation stage of your IRP. For example, you can use automated scanners to inventory system components and check for out-of-date versions, or you can use automated penetration testing tools to simulate attacks and verify that your existing security controls work as intended.

Each security incident is unique; even if it shares characteristics with other threats, some aspects will differ. To handle this, you need to ensure that your detection and response tools can accommodate those differences. Make sure your plan includes both specific responses and information that helps responders adapt to the particulars of an attack.

One way to accomplish this is to create multiple response levels for each threat type or severity. For example, you can include one response for when ransomware is found that has not yet been activated and another for when ransomware has been triggered and is affecting multiple data stores.

User and entity behavior analytics (UEBA) is a process that uses machine learning to collect and analyze activity data. UEBA solutions use these analyses to develop baselines of normal behavior in a system, then monitor event data in real time and compare it against those baselines. When an anomaly is detected, an alert is sent to security teams or an automatic response is triggered.

UEBA's method of baseline comparison allows security teams to detect and address incidents that might otherwise be missed by traditional tools or manual searches. For example, UEBA can detect incidents caused by malicious insiders despite their use of valid credentials. Traditional tools overlook these threats because the credentials pass authentication checks. UEBA solutions, however, enable you to dynamically assess system conditions and respond according to the most recent data.
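To make the baseline-comparison idea concrete, here is an added Python example (not a vendor product and not code from the article) that builds a per-user baseline from constructed activity history and flags a day that deviates from it. The users, file shares, daily counts and the z-score threshold are all made up; the insider case is modelled as a valid account that suddenly pulls far more files than usual and touches a share it has never used before.

```python
"""Added example: a minimal UEBA-style baseline and anomaly check over
constructed activity logs. Users, shares, counts and thresholds are made up."""
from statistics import mean, pstdev

# Constructed 14-day history per user: daily file-download counts and the
# set of shares each account normally touches. All access used valid creds.
HISTORY = {
    "alice": {"downloads": [12, 15, 9, 14, 11, 13, 10, 12, 16, 11, 13, 12, 14, 10],
              "shares": {"fs01/eng", "fs01/docs"}},
    "bob":   {"downloads": [40, 38, 45, 42, 39, 41, 44, 40, 43, 37, 42, 41, 39, 40],
              "shares": {"fs02/finance"}},
}


def build_baseline(history):
    """Per-user mean and population stddev of daily downloads, plus known shares."""
    baseline = {}
    for user, h in history.items():
        counts = h["downloads"]
        baseline[user] = {
            "mean": mean(counts),
            # A perfectly flat history would give stdev 0; fall back to 1.0
            # so a later division does not blow up.
            "stdev": pstdev(counts) or 1.0,
            "shares": set(h["shares"]),
        }
    return baseline


def evaluate_day(user, downloads, shares_touched, baseline, z_threshold=3.0):
    """Return a list of findings for one user-day; an empty list means normal.

    Two checks: a volume spike (z-score above the threshold) and access to
    a resource the account has never touched in the baseline window. Both
    fire regardless of whether authentication succeeded, which is the gap
    credential-based controls leave open."""
    findings = []
    b = baseline.get(user)
    if b is None:
        return [{"type": "unknown_user", "user": user}]
    z = (downloads - b["mean"]) / b["stdev"]
    if z > z_threshold:
        findings.append({"type": "volume_spike", "user": user,
                         "downloads": downloads, "z": round(z, 1)})
    new_shares = set(shares_touched) - b["shares"]
    if new_shares:
        findings.append({"type": "new_resource", "user": user,
                         "shares": sorted(new_shares)})
    return findings


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed "today": alice pulls 310 files and reads the finance share.
    print(evaluate_day("alice", 310, {"fs01/eng", "fs02/finance"}, base))
    # A busy but ordinary day for bob stays quiet.
    print(evaluate_day("bob", 46, {"fs02/finance"}, base))
```

The first call reports both a volume spike and a new-resource finding for alice; the second returns nothing for bob, because 46 downloads sits within about two and a half standard deviations of his norm. A real UEBA product learns far richer baselines (time of day, peer groups, device, geography), but the mechanism is the same: score against what is normal for that entity, not against a static rule.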

UEBA is often integrated with Security Information and Event Management (SIEM) solutions for greater impact. By combining these tools, you gain visibility across your systems and can respond from a centralized console. This is particularly useful for incident response, since it enables teams to respond more quickly and effectively.

The cybercriminals of 2020 use advanced technology and social engineering to compromise networks, systems, and devices. They deploy bots, use AI to mimic human patterns and behavior, and trick users into revealing information.

As machines get better at mimicking human behavior and legitimate resources, it becomes increasingly difficult to distinguish normal user behavior from malicious activity. To keep networks safe, incident response plans and tooling must be continually updated. Automated playbooks, threat intelligence, UEBA, and automated response actions can help keep the network secure even in the face of zero-day events and new attack techniques.

Featured image: Skozewiak
