Responding to an Incident
Delta Risk Incident Response Services can reduce the damage from security incidents and data breaches, whether malicious or unintentional, and help you be better prepared for future incidents. In the aftermath of an event, the margin of error is razor thin, and your teams need to be able to handle crisis control and communications swiftly and precisely.
Quick remediation can mean the difference between a simple server re-imaging and a major revenue loss that makes headline news. The faster you respond, the better your chances of limiting the damage.
To better face future incidents, you need to adopt the mindset that an incident is inevitable. Even organizations that have an in-house incident response program often need additional resources to update their documentation and communications, and the capabilities to test their incident response preparedness on a continuous basis.
Delta Risk Incident Response Methodology
Whether you want to minimize the cost and damages from an active incident, or you’re concerned that you’ve been breached and don’t know it, Delta Risk’s incident response team can assist from investigation to crisis management. Our proven, methodical, and evidence-driven approach can help you manage the situation.
Delta Risk Incident Response services reduce the time attackers are on the network by quickly detecting malicious or suspicious activities, identifying root causes, and accelerating containment and eradication of threats.
We can provide technical, advisory, and coaching services related to incident management throughout the incident response lifecycle, as described in NIST SP 800-61r2, Computer Security Incident Handling Guide. Our services can supplement your existing incident management, planning, and response capability with technical and procedural expertise, crisis communication, and resource coordination.
Delta Risk Incident Response Services include:
- An initial call to understand your situation
- Identification of key questions and data sources
- The tools and expertise to get started right away
- Daily status updates and recommended actions
- 24x7 support while the incident is ongoing
- A final report of all findings and response efforts
Why Choose Delta Risk
Delta Risk incident responders have deep expertise across the incident response disciplines and technologies, including:
- Incident management
- Cloud analytics
- Log and data analytics
- System forensics
- Malware analysis
Our information security professionals can help you at any stage in the incident response lifecycle. We can help you gather requirements for an incident response plan, train your staff on how to execute incident response steps, or bring different business units (such as legal and public affairs) together to talk through incident response priorities. We also offer a variety of testing and cyber exercise options, from a simple tabletop to a full functional exercise.
What is a Cyber Security Incident Response Plan (CSIRP) and Why Do You Need One?
If your organization is faced with a data breach or a significant security incident, having a CSIRP can help you answer some critical questions in advance and ensure your team is prepared. Some of the basic questions a CSIRP covers are:
- When an incident occurs, who gets the first call?
- Which stakeholders need to be involved and at what stage?
- What steps would you and your team take to resolve an incident at a technical level?
- Who is on the team?
- Is this team prepared for an incident?
- What type of information does your senior leadership need and how is it being communicated?
Once you have created your CSIRP, there are immediate steps you need to take to keep it actionable, including walking key stakeholders through the CSIRP, and conducting reviews and updates at least once a year.
Differences Between Cyber Security Incidents and Cyber Security Events
It is important to define the difference between a cyber security event and a cyber security incident in a CSIRP, especially when you need to communicate clearly to leadership. Following NIST SP 800-61r2, an event is any observable occurrence in a system or network, while an incident is a violation or imminent threat of violation of computer security policy, acceptable use policy, or standard security practices, typically involving damage, degradation, or persistent intent to cause harm. Every incident starts as one or more events, but most events never become incidents; the plan should state who makes that call and on what evidence.
Events may be:
- Unsuccessful access attempts
- Poor internal security practices with no observed impact
- Recon attempts (no impact)
Incidents may be:
- Unauthorized access
- Denial of service
- Improper usage
Tips to Create an Actionable Incident Response Plan
The goal of creating a more actionable response plan is to cut down on confusion and complexity, and to deliver clear directions to incident response teams and stakeholders.
Here are some tips to remember:
- Minimize boiler-plate information
- Don’t put policy into the plan (although the plan should reference policy)
- Use vetted communication scripts
- Keep the plan documents short and easy to update
Incident Response Trends
Response time and success rate remain a struggle for organizations, especially those that lack a formal incident response plan. According to a survey conducted by the Ponemon Institute, 77 percent of respondents said they do not have a formal CSIRP that is applied consistently across the organization, and nearly half described their plan as informal, ad hoc, or non-existent. When organizations were able to contain an incident in less than 30 days, the cost of a breach went down by nearly $1 million.