Light Dark
May 30, 2017 By Maria Battaglia 4 min read
Incident Response
Risk Management

With business and IT networks growing more complicated — and cyberattacks growing more persistent — organizations need full incident management to manage and mitigate today’s cyberthreats successfully. David Monahan, research director at EMA, and Ted Julian, vice president of product management at IBM Resilient, recently explored the evolution of incident response (IR) in the webinar, “Incident Response: The Shift Towards Full Management.”

The Evolution of Incident Management Tools

Monahan and Julian discussed full incident management, which is a comprehensive approach to IR that ensures all stakeholders, systems and risks are addressed. It also enables teams to make decisions quickly and effectively. We asked Monahan about the shift toward full incident management and how organizations can leverage this strategy to better protect against cyberattacks.

Question: Can you define full incident management and explain the shift toward this strategy?

Monahan: With traditional incident management, we often see a simple process: An analyst gets an alert or ticket generated in a queue. The ticket is opened and triaged and is either resolved or escalated. For many common issues, this works well. But in the event of a serious issue or a breach, a higher level of process and planning is needed. You need people, processes and technologies aligned for all stakeholders across the organization — from security and IT to marketing and legal and others. That’s full incident management.

It requires more detail and thoroughness and is akin to disaster recovery planning. In full incident management, processes and tools are aligned so that simple events are dealt with easily, and hand offs are seamless with technology facilitating the operations. Full incident management really shines during severe incidents. The processes and tools accommodate for the more-demanding operational needs of a significant outage or a breach by including playbooks and automation for workflows, and including alternate path flows more common in the larger issues.

It also facilitates communications and other management responsibilities to address the larger problem that may include organizations like legal, HR [human resources] and law enforcement. With full incident management, your IR processes are more efficient and effective, and comprehensively defend business value.

You have organized and managed SOCs [security operations centers] and NOCs [network operations centers] for organizations — from Fortune 100 companies to local government and small public and private organizations. Do you see any commonalities with the challenges they face?

These organizations obviously have unique challenges — but they also have many similarities as well. First, all these organization types feel pressure from specific stakeholders. They have SLAs [service legal agreements] to uphold. They have demanding customers. They are beholden to regulations.

Second, there are industry-wide challenges they all face. There’s a universal need for better data, automation and tools to support initiatives. And, of course, the skills gap impact impacts everyone. Finally, no matter what drives these organizations, they are all targets for hackers or cybercriminals. They all must be prepared to fend them off — and must have a response plan should a breach occur.

A recent EMA study found that only 1 percent of security professionals would consider their organization to have achieved full incident management. What does it take to be in the 1 percent?

The key to achieving full incident management is commitment. It needs to be made a priority at an organizational level. That’s the cornerstone. More specifically, it is really about increasing the levels of automation and business process alignment between IT, business departments and other resources so that each of their roles fundamentally shifts from reactive to adaptive and dynamic when it comes to breach response.

Day-to-day performance and availability issues are largely managed by automation. This is so the respective teams can focus on optimizing to meet shifting business conditions and thus capture business advantage.

What are the typical organizational resistances in achieving full incident management?

There are three categories of resistance I commonly see: people, tools and data. We’ve all seen the unfortunate “we’ve always done it that way” mentality — or been challenged by politics or turf battles among those who want to control the flow of information. But we’ve also seen that security management can change this culture through leadership and education.

With tools, it’s the technical challenges of integration and automation. This usually comes from difficulties collecting and leveraging the proper business requirements to purchase the correct tools or a lack of investment in achieving the level of integration needed.

With data, the challenges are both strategic and tactical. Many organizations simply struggle to recognize the benefits and, therefore, don’t invest in sharing. Other times, organizations struggle to collect and leverage the correct data — which causes a lack of visibility and context to both identify and solve problems.

What do you see as the major risks or pain points that tip the scales for organizations to invest in improving their incident response program?

If the organization does not take the opportunity to invest in incremental improvements, then sadly, the tipping point is most often an insufficient response to a major cybersecurity incident. It could be an extended outage or a data breach or some other contractual or compliance violation.

What are some best practices you would suggest to someone working to evolve their incident management program?

First, identify who is responsible for maintaining the process documentation — someone who will be dedicated to continually updating and optimizing the program.

Second, understand and document your workflows for the various types of incidents you manage, however your organization classifies them.

Third, assign roles through the creation of AD [active directory]/LDAP [Lightweight Directory Access Protocol] groups and maintain them in an organizational or HR lifecycle, so as people transition during the course of business, the program does not get forgotten and languish.

And of course, review and practice these plans regularly. Leverage table-top exercises and focus especially on realistic scenarios.

Watch the complete on-demand webinar: Incident Response — The Shift Towards Full Management

Maria Battaglia
CMO, IBM Resilient

More from Incident Response
October 6, 2023

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

September 27, 2023

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

August 31, 2023

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature