As a cornerstone of your organization’s defense against hackers, malware, human error and a host of other threats, a Computer Security Incident Response Plan (CSIRP) is the map that guides your response to a successful attack. It should define the roles and responsibilities of all respondents, establish authority for making major decisions and define communications flows and notification procedures. Without a CSIRP, your incident response team can waste invaluable time and resources in figuring out what to do—leading to potentially higher costs and greater damage to your organization and your reputation.
The worst time to find out that your CSIRP is flawed is when you are in the middle of an emergency. In helping clients respond to declared incidents, our security experts on our Emergency Response Service teams have been able to observe what works well in a CSIRP and what does not.
Advice for first responders
Keep these dos and don’ts in mind when a security incident is declared.
- Consult and follow your organization’s CSIRP
- Gather incident intelligence from multiple sources
- Ensure the proper people are involved
- Begin taking thorough first responder notes
- Activate one-time-only Incident Responder credentials
- Collect volatile data and pre-determined log files
- Safeguard systems and media for forensic investigation
- Collect network-based logs for future analysis
- Panic or react without a plan
- Discuss the incident with others unless directed
- Shut down, power off or back up affected systems
- Remotely access systems unless necessary
- Use common privileged domain credentials
- Install or execute any software on the systems
- Conduct anti-virus or similar scanning processes
- Attempt to retaliate against perpetrators
While the basic components of a CSIRP are straightforward, crafting an effective plan requires balancing thoroughness and usability. Given the rapidly evolving threat landscape, it is not possible to build a plan that can address every potential attack—nor would you want a document that detailed and complex. Instead, you want to build flexible guidelines that can be quickly and easily applied to any type of incident.
In a future blog, we will dive in a little deeper, to specifics about how to build an effective CSIRP.
If you’d like more information in the meantime, feel free to schedule a consultation with one of our experts.
If you liked this blog, you also might like: Endpoints: The Beginning of Your Defense
IBM's integrated solutions harness security-relevant information from across your organization, and use analytics and automation to provide context and help you detect threats faster, identify vulnerabilities, prioritize risks, perform forensics analysis and automate compliance activities.&nbsp;
Video: Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar
Security teams can be overwhelmed by a sea of vulnerabilities–without the contextual data to help them focus their efforts on the weaknesses that are most likely to be exploited. Cyberthreats need to be stopped before they cause significant financial and reputation damage to an organization. You need an endpoint security platform that can detect threats, prioritize risks and respond within minutes to shut down an attack or vulnerability that could compromise your endpoints.IBM BigFix seamlessly integrates with IBM QRadar to provide closed loop vulnerability management, accelerating risk prioritization and incident response to mitigate potential attacks giving you an integrated threat protection system to keep your endpoints and data secure.For more information, please visit http://ibm.co/1oSThIF
Infographic: A survey of the cyber security landscape
Understand the threat landscape to improve your security posture. There’s very little that cyber criminals can do today that’s truly new—and yet, 2015 was filled with serious incidents across the entire industry. View our 2016 Cyber Security Intelligence infographic to learn more, and determine what you can do to improve your security posture.
Video: Endpoint Management with IBM BigFix
Discover, manage and control your endpoints–in real time. With IBM BigFix, you can find and fix problems in minutes with real-time visibility and control into all your endpoints. Our single-console, single-agent, single-server architecture helps reduce the cost, risk and effort of managing virtually any mix of endpoints—so you can focus on higher value projects for increased productivity.To learn more about IBM BigFix, please visit http://ibm.co/1Ok4bBs
Video: IBM MaaS360 Enterprise Mobility Management
IBM MaaS360 has massively redefined mobile security and productivity for enterprise management. Identity and access, malware protection and a containerized environment that feels native await inside your free 30 day trial. Start managing iOS, Android and Windows phones and tablets today https://ibm.biz/Bd4a8g
Study: 2016 Cost of Data Breach Study: Global Analysis
IBM and Ponemon Institute released the 2016 Cost of Data Breach Study: Global Analysis. According to this research, the average total cost of a data breach for the 383 companies participating in this research increased from $3.79 to $4 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in this year’s study.Read the complete report to learn more.
White Paper: Rewriting the rules of patch management with IBM BigFix
Learn how IBM BigFix combines the separate pieces of the patch management puzzle into an intelligent simplified solution.