Incident response


A


B


C


D


E


F


G


H


I


J


K


L


M


N


O


P


Q


R


S


T


U


V


W


X


Y


Z

Table of contents

    Incident response is a documented, formalized set of policies and procedures for incident management across cyber attacks, security breaches and other types of IT or security incidents. When a security event or suspicious activity is detected, either by an IT operator or by your IT organization’s intrusion detection software or SIEM tool, an effective response can help protect valuable data assets, limit damage to internal systems and reduce the overall cost and impact of the security breach.

    A well-documented incident response process helps IT organizations move from a reactive to a proactive stance, with clear protocols for detecting, mitigating and eliminating security threats during incident handling. IT organizations should continually improve their incident response planning and processes to account for new threat intelligence and enhance their security posture against future incidents.

    Cyber security is an issue of significant importance for businesses and organizations that increasingly deploy critical applications and IT infrastructure in hybrid cloud environments. While modern methods of computing are both efficient and cost-effective, increasingly disparate cloud-based infrastructure may expose security vulnerabilities that become attack vectors for cyber attacks. A complete incident response strategy is necessary to respond effectively to the range of security incidents that can be detected in these environments.

    From a cyber security perspective, the proliferation of big data has made financially motivated attackers more eager to steal data from businesses.

    With security incidents and data breaches on the rise, most enterprise organizations have invested heavily in IT security to shore up their defenses. In turn, cyber attackers have started to go after small and medium-sized businesses, which may have weaker countermeasures and incident response processes in place to deal with cyber attacks.

    While some security incidents or cyber attacks can be prevented or mitigated outright, IT organizations must have the proper incident response processes in place to deal with cyber security threats in a timely way and prevent the massive financial and legal repercussions that can accompany a data breach.

    A computer security incident response team (CSIRT) is a working group of IT professionals responsible for incident handling and incident management across an organization. CSIRTs are multi-disciplinary and cross-functional – they contain members from different areas of IT and the business who bring different perspectives and complementary skill sets. The most important responsibilities of a CSIRT include:

    • Establishing, maintaining and continually improving a documented incident response plan
    • Investigating security incidents
    • Conducting forensic analysis of past security incidents
    • Facilitating internal communications between the IT organization and users in regard to current, ongoing and resolved incidents through a structured communication plan
    • Communicating with other stakeholders about the results of incidents, liaising with threat intelligence organizations, shareholders, customers, media, government, etc.
    • Mitigating incidents and managing incident recovery
    • Reviewing results and recommending new policies, processes, technology, training or roles to improve the IT organization’s security posture against future incidents

    Six phases of incident response planning

    1. Preparation – Ensuring that users, IT staff and members of the CSIRT are ready to handle any potential incidents that could arise
    2. Identification – Establishing criteria for determining whether a security event qualifies as an IT or security incident
    3. Containment – Processes for limiting the damage caused by a security incident, including quarantine of the affected systems and infrastructure components
    4. Eradication – Processes for determining the origin or root cause of the incident and removing the affected systems from the live environment
    5. Recovery – Removing the threat from affected systems and deploying those systems back into the live environment when it is verified that no threat remains
    6. Lessons learned – Capturing data from the process to learn more about the incident and improve future response through modifications to the incident response plan (IRP)

    Incident response plans also typically contain a defined breach notification process that establishes how the CSIRT will communicate to users, customers and other stakeholders about a breach. There should also be provisions for testing the system, including running drills and simulations to ensure that members of the CSIRT can function effectively in their roles when a genuine incident occurs.

    Incident response vs. disaster recovery

    When it comes to cyber security issues, there are events, incidents and disasters. An event is anything observable that happened – it may or may not turn out to be an incident. An incident means that a security threat was detected and needs to be investigated, while a disaster means that a threat was detected and went on to damage business continuity.

    This distinction explains the difference between incident response and disaster recovery. Incident response is a coordinated plan for responding to incidents with the goal of mitigating damage and reducing costs. Disaster recovery is all about getting the business back online after an unplanned interruption caused by a security incident.

    Sumo Logic delivers automated incident response functionality

    Sumo Logic is the ultimate tool for CSIRT teams, empowering security analysts and operators with log file aggregation that gives ultimate insight and transparency into network events and security incidents. In addition to customer alerts, benchmarking and an automated ticket system for capturing incident reports, Sumo Logic offers enhanced threat detection with machine learning, integrated threat intelligence and automated incident response capabilities.

    FAQs

    When an alert is triggered by suspicious activity or a security breach in a cloud environment, cloud security monitoring solutions automate security incident response by applying predefined rules and remediation playbooks, so that incidents are detected and responded to swiftly and consistently.

    • Conduct routine audits
    • Test your incident response procedures regularly
    • Confirm you have visibility into all cloud assets and activities
    • Ensure the monitoring solution meets industry compliance standards and regulations
    • Verify the monitoring solution covers all aspects of cloud security, including threat detection, vulnerability management and data protection
    • Turn on real-time alerting
    • Implement continuous monitoring

    SIEM delivers superior incident response and enterprise security outcomes through several key capabilities, including:

    Data collection – SIEM tools aggregate event and system logs and security data from various sources and applications in one place.

    Correlation – SIEM tools use various correlation techniques to link bits of data with common attributes and help turn that data into actionable information for SecOps teams.

    Alerting – SIEM tools can be configured to automatically alert SecOps or IT teams when predefined signals or patterns are detected that might indicate a security event.

    Data retention – SIEM tools are designed to store large volumes of log data, ensuring that security teams can correlate data over time and enabling forensic investigations into threats or cyber-attacks that may have initially gone undetected.

    Parsing, log normalization and categorization – SIEM tools make it easier to search logs that may have been created weeks or even months ago. By parsing raw entries, normalizing them into a common schema and categorizing them, SIEM tools make logs far more searchable and enable forensic analysis even when there are millions of log entries to sift through.
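As an added illustration, not part of this page and not Sumo Logic's own code, the following Python script shows the SIEM capabilities listed above in miniature, and also the kind of predefined detection rule the FAQ above refers to. It parses and normalizes log lines from two different sources (an SSH authentication log and a web server access log) into one common schema, correlates them on a shared attribute (the source IP address), and raises an alert when a predefined pattern matches: three or more failed logins from one address within a five-minute window followed by a successful login from the same address, with any later web requests from that address attached to the alert for the investigator. The sample log lines, the rule, its threshold and window, the assumed year for syslog timestamps and the assumption that syslog timestamps are in UTC are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample log lines (not real data) from two different sources:
# a syslog-style SSH authentication log and a Common Log Format web access log.
SAMPLE_LOGS = [
    "Mar 10 09:15:01 web01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51004 ssh2",
    "Mar 10 09:15:03 web01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51006 ssh2",
    "Mar 10 09:15:05 web01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51008 ssh2",
    "Mar 10 09:15:09 web01 sshd[2211]: Accepted password for admin from 203.0.113.7 port 51010 ssh2",
    '203.0.113.7 - - [10/Mar/2024:09:16:30 +0000] "GET /admin/export HTTP/1.1" 200 8841',
    "Mar 10 09:20:00 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2",
]

# Assumptions for this example: syslog lines carry no year and no zone, so we
# pin both. A real pipeline would take these from the collector.
ASSUMED_YEAR = 2024
SYSLOG_TZ = timezone.utc

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
HTTP_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)


def normalize(line: str) -> Optional[dict]:
    """Parse one raw line from either source into a common event schema.
    Returns None for lines neither parser understands (they would be kept as
    raw, uncategorized events in a real SIEM rather than dropped)."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {
            "ts": ts.replace(tzinfo=SYSLOG_TZ),
            "source": "sshd",
            "src_ip": m["ip"],
            "user": m["user"],
            "action": "auth_success" if m["outcome"] == "Accepted" else "auth_failure",
            "raw": line,
        }
    m = HTTP_RE.match(line)
    if m:
        # The access log carries its own zone offset; convert to UTC so all
        # events compare on one clock.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        return {
            "ts": ts,
            "source": "http",
            "src_ip": m["ip"],
            "user": None,
            "action": "http_request",
            "path": m["path"],
            "status": int(m["status"]),
            "raw": line,
        }
    return None


def correlate(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Correlation rule (constructed for this example): at least `threshold`
    authentication failures from one source IP inside `window`, followed by a
    success from that IP, produce one alert. Later HTTP requests from the same
    IP are attached as related events for the analyst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for i, ev in enumerate(evs):
            if ev["action"] == "auth_failure":
                failures.append(ev)
                # Slide the window: forget failures older than `window`.
                failures = [f for f in failures if ev["ts"] - f["ts"] <= window]
            elif ev["action"] == "auth_success":
                recent = [f for f in failures if ev["ts"] - f["ts"] <= window]
                if len(recent) >= threshold:
                    related = [e for e in evs[i + 1:] if e["action"] == "http_request"]
                    alerts.append({
                        "rule": "brute_force_then_success",
                        "src_ip": ip,
                        "user": ev["user"],
                        "failure_count": len(recent),
                        "first_seen": recent[0]["ts"],
                        "success_at": ev["ts"],
                        "related_http": [e["path"] for e in related],
                    })
                failures = []  # a success closes the current failure run
    return alerts


def run_pipeline(lines: list) -> list:
    """Collect -> normalize -> correlate -> alert, over a list of raw lines."""
    events = [ev for ev in (normalize(l) for l in lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

The alert carries the normalized fields an analyst needs to start the identification and containment phases (source address, account, timing, and the follow-on activity), rather than the raw lines alone; retaining the raw line on each event is what makes the later forensic step possible once an alert has fired.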