Breach best practices: It's time for incident response to grow up

Security breaches are unavoidable, but how do you convince management to spend more on incident response? It's like betting on failure.
Written by Violet Blue, Contributor

Forrester's 2015 "Planning for Failure" shows that breaches are as unavoidable as bad weather, but hits a sour note when it characterizes enterprise organizations as unprepared.

No crystal ball needed: Forrester's report isn't surprising anyone when it proclaims that everyone has been breached, is probably breached right now, or will be breached sometime soon. And, sadly, we're not surprised when the report informs us that most breaches are not even discovered by the breached party.

The whitepaper, prepared in conjunction with Veracode, found that it's not a matter of if, but when enterprise orgs will suffer a serious cyberattack -- and that 60 percent of enterprises will suffer a breach in 2015.

"Planning" also hits the nail on the head when it shows that fumbling containment and botching the incident response causes more damage than the hacks themselves, costing millions in lost business and opportunity, ruining the organization's reputation, and racking up operational losses.

But the report misses the dart board altogether when it assumes that enterprise organizations are suffering in cleanup because, the report suggests, many orgs don't have an incident response plan in place.

"Planning" tells us, "Incident response is one of the most overlooked areas of information security. It is impossible to prevent every breach, and when they do occur, S&R pros find themselves inadequately prepared to respond."

It's easy to read the report and walk away thinking that every breach is a Sony-style attack, catching tech-challenged Hollywood management by surprise. And it's easy for many to think that even a behemoth like Target (another big breach cited in the report) only had their grandma's tatty old incident response plan in place.

After citing data on an overall lack of increased spending on incident response after a breach, "Planning" seems to find this indicative of enterprise orgs needing to be educated about establishing plans in the first place. "Without a proper plan in place ahead of time," the report said, "it's extremely difficult to contain or stop the incident once detected and preserve appropriate forensic evidence while you help restore IT services."

"Surprisingly, even at those enterprises that have already suffered a breach during the past 12 months, only 24 percent of network security decision-makers report increased spending on their incident response program as a result (...)

To be effective, you need to establish an ongoing incident management program that lets you identify the potential risks so that you can create appropriate response plans, test those plans, and keep them current.

Incident response is one of the most overlooked areas of information security. It is impossible to prevent every breach, and when they do occur, S&R pros find themselves inadequately prepared to respond."

This is all fine -- unless you're one of the many organizations that do have a plan, thank you very much. Which, as it happens, is most enterprise organizations.

Mike Murray has worked in incident response across a wide array of sectors; currently he does cybersecurity and privacy assessment and architecture services for GE Healthcare's global product portfolio.

Murray told ZDNet that it's not that most places don't have incident response plans -- in fact, he's never encountered an organization that didn't have one. He said, "Some are out of date, but they all have IR plans."

So the question we'd have liked Forrester's report to answer, on top of all its bittersweet data about failure, was not "why do they fail to have an IR plan?" -- but instead, "why are their IR plans failing?"

Murray said that in his experience doing incident response, not only does every company have an IR plan, they're also prepared to execute it. But when crisis hits, Murray asked, what bureaucrat or management personnel, or even IT person for that matter, is prepared to truly act in a crisis?

"IT folks are not first responders," Murray said point-blank. "We are not prepared to respond under stress like a firefighter, which is what's necessary. First responders are trained for crisis and disaster, IT people are not."

The damage from Target's breach was blamed on prevention -- but little was said about whether or not having a badass set of first responders would have mitigated the extended dance-remix of damage suffered by everyone touched by the attack.

Blame went to Target's defense perimeters and stayed there, while the poop was rolled uphill. According to the U.S. Senate report on the breach, "Target missed information provided by its anti-intrusion software about the attackers' escape plan, allowing attackers to steal as many as 110 million customer records."

In an unprecedented step, the influential proxy advisor Institutional Shareholder Services (ISS) recommended that shareholders remove seven of the 10 members of Target's board. In its statement to investors, ISS said, "It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders."

Murray explained that a large amount of the disconnect can be found in the exact central point Forrester makes, that management is caught up in making sure a breach "doesn't happen again" -- and that incident response planning and decision making is dwarfed by the notion of prevention as a cure-all for attacks.

The data backs this up. When asking decision makers how their security spending changed within 12 months following a major breach, additional security and audit requirements topped the list (35 percent), "security and/or privacy are regularly evaluated/discussed" (talking about it) came in second for spending (32 percent), prevention technologies came in third (27 percent) and incident response limped in at fourth place (24 percent).

It's this thinking that makes a 'harm reduction' approach to enterprise security -- accepting that a breach will happen, and taking steps to minimize the damage of the inevitable by spending money on incident response -- a hard sell.

How do you convince management to spend more on incident response? Murray explained to ZDNet, "If you view breach as failure... in market terms, you're essentially gambling on the crash. It's like betting on your own failure."

Forrester's "Planning" rightly focuses its second half on coaching decision makers through implementing an ongoing program for incident response; not simply a fire drill that everyone practices twice a year, but a sort-of living, breathing, evolving program that also involves non-IT staff and crosses departmental divides.

To that effect, the report's last half has excellent advice, which should be supplemented by reading Veracode's tipsheet, 5 Best Practices in Data Breach Incident Response.

After analyzing Forrester's report it's clear that management, decision makers and shareholders need to do their own growing up and stop pretending anyone can promise the next breach won't happen.

But at the same time, it's time for incident response to mature along the same lines -- and push for training that keeps everyone cool and clear-headed when the crisis hits.

Forrester: Incident response whitepaper 2015
