Incident Response Readiness: What is it and how to improve it?

Despite unprecedented levels of investments in security tools, organizations continue to struggle with cybersecurity. In fact, a recent study found that 75% of global security professionals say that today’s threat landscape is the most challenging that it was been in the past 5 years. For years, organizations have been investing in prevention and detection, yet according to Gartner, 81% of organizations surveyed stated that they experienced at least 25 cybersecurity incidents in the past 12 months. Recognizing that prevention alone is not enough, resilient organizations are prioritizing Incident Response Readiness to minimize the scope and impact of those inevitable cybersecurity incidents.

What is incident response readiness and who is responsible for it?

If incident response is the battle, incident response readiness is all about readying for battle. Developing and improving incident response readiness improves an organization’s resilience against a cyber-attack. Incident response readiness is not solely at IT problem- everyone in the organization has a role time. From our experience working with hundreds of organizations, Sygnia has seen that the best defenders understand that cyber readiness is not static. Rather, it is a continuum of vigilance with five key stages:

• Know where you stand,
• Prepare for anything,
• Simulate attacks to test and optimize security measures,
• Detect and eliminate threats quickly, and
• Respond swiftly to minimize the business impact of a breach.

KNOW

Start by knowing where your stand today. 

• Understand your business, identify critical assets and crown jewels. Understand what information is stored where, and who has access to it. 
• Understand your threat landscape- which threat are most relevant.
• Understand the applicable regulatory environment for all regions of operation.
• Understand your internal capabilities and available resources

PREPARE

Next, prepare your organization for incident response by creating a cross-functional incident response plan. In developing the organizational incident response plan, consider the roles and responsibilities of your incident response team.  An Incident Response team should consist of more than just IT staff.  Cross-functional Incident Response teams typically include the following functional representatives:

• IT and cybersecurity
• Operational security, if applicable
• Physical security, if applicable
• Data protection
• Legal/risk
• Crisis management
• Human Resources
• Marketing/Communications
• Technical response subject matter experts
• Corporate response subject matter experts. These are information experts who understand impacted data and systems.

Prepare incident response playbooks for each common type of attack and develop a crisis communication plan.  Establish an incident response retainer with a reputable incident response firm, if you do not already have one.

SIMULATE

Simulate attacks to evaluate the effectiveness of your incident response plan and identify opportunities for improvement.  There are four ways to do so:

• Executive tabletop exercises are a good way to prepare business and security leaders, evaluating whether all stakeholders know their roles and responsibilities
• Technical tabletop exercises are good for testing technical decision-making and the escalation process from alters to events to cyber incidents.
• Red Team exercises evaluate your security team’s ability to detect and respond to objective-oriented attacks.
• Purple Team exercises provide your security team practice responding to targeted attacks while simultaneously learning how to improve processes and strengthen detection and response capability.

DETECT

Rapid incident detection and response is crucial to eradicating threats before they can do real damage.  This requires 24/7/365 monitoring with complete visibility across the environment.  The challenge for most organizations is two-fold, having the right systems in place to sort through an overwhelming number of alerts and having the experts in place to analyze the alerts. In response, more and more organizations are outsourcing at least some SOC activities to MDR vendors incident detection and response. MDR vendors provide remote, human-led SOC functionality.   If outsourcing to an MDR, look for a vendor with deep expertise in digital forensics and incident response, who can seamlessly pivot from detection to response.

RESPOND

While no one can no know when the next crisis will occur, the work done to know your business and threat landscape, prepare your incident response plan and test it through simulations, and improve your detection capability has prepared you for that inevitable terrible, horrible, no good, very bad day. Resilient organizations are those who are best prepared for whatever challenge their cyber defenses will face. By approaching incident response readiness as an organizational priority, you will help improve your organization’s cyber readiness and resilience.

To learn more about how to improve your organization’s incident response readiness, read our Executive Guide for Incident Response Readiness.

About Sygnia

Sygnia is the foremost global cyber readiness and response team, applying creative approaches and battle-tested solutions to help organizations improve incident response readiness, beat attackers and stay secure. With a team of deep digital combat and enterprise security specialists, Sygnia enables companies to proactively build cyber resilience and defeat attacks within their networks. At each phase of the security journey, Sygnia delivers the tailored insight, technological acumen, and decisive action needed for their clients to be unstoppable in the face of cyber threats. Sygnia is a trusted advisor and service provider of technology and security teams, executives, and boards of leading organizations worldwide, including Fortune 100 companies. Sygnia is a Temasek company and part of the ISTARI Collective.