Data Loss Prevention Challenges – No. 2 – Security Incident Response Management

It has been interesting to work with a range of clients over the years and see how organisations implement their tools and integrate them into existing processes. It still surprises me that organisations which have spent heavily on specialist tools to track and protect the business from cybersecurity breaches end up with an engineer checking the event log weekly (and sometimes less frequently), even though the tool reports on issues and events as they happen.
In our offices we install fire alarms that alert us to a fire, and they are usually linked to a monitoring station that alerts the Fire Brigade. We install intruder alarms that alert the Police. Yet we leave our cybersecurity tools unattended, so if there is a breach the intruder is left to do what they wish and leave with their haul.
In many cases our projects have to be extended to add a 'Response and Notification' element. Do not underestimate the activities within this module. It is not just a matter of adding a connection from your tool to your incident management tool (fairly easy these days, as most tools can email the details of an event to the incident management system).
The challenge is what happens then. What should the escalation and response be?
The key to success is the response: somebody needs to be notified, and who that is depends on the event's perceived criticality. You do not want to keep sending messages to your Security Manager about every event; they will become 'numb' to the stream and miss the important one.
Identifying the process, and the list of events that need to be escalated, is key at an early stage. Draw up the event flow and agree that only 'CRITICAL' incidents are escalated to the relevant managers for action. Then ask what the process is at 4am: if your security tools flag a serious breach at that hour, what would actually happen, and what should the response to that incident be? This is a good litmus test of your security response process. Today we include this as a standard review when we help customers implement their processes, as in many cases the basic tools are already there; they just need to identify what needs to be done and how.
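The escalation logic described above, as an added example that is not part of the original post or any particular product: events are routed by severity, only 'CRITICAL' events page a person, repeated non-critical events for the same rule and user are suppressed within a window so the manager does not go numb, and out-of-hours criticals go to an on-call rota rather than the Security Manager's inbox. The event format, severity names, thresholds, contacts and the sample events are all constructed assumptions.

```python
"""Severity-based escalation router for DLP/security tool events.

Added example, not the post's own code. Everything here (event fields,
severity ladder, business hours, dedup window, who gets paged) is an
assumption to be replaced by the agreed event flow.
"""
from datetime import datetime, timedelta, timezone

# Assumed severity ladder; the tool's own levels map onto it.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumed business hours: Monday-Friday, 08:00-17:59 (timestamps are UTC here).
BUSINESS_HOURS = range(8, 18)


def business_hours(ts: datetime) -> bool:
    """True if a manager is expected to be at their desk."""
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS


class EscalationRouter:
    """Decide, per event, whether to log it, raise a ticket, or page someone."""

    def __init__(self, ticket_min="MEDIUM", page_min="CRITICAL",
                 dedup_window=timedelta(minutes=30)):
        self.ticket_min = SEVERITY_RANK[ticket_min]
        self.page_min = SEVERITY_RANK[page_min]
        self.dedup_window = dedup_window
        self._last_ticketed = {}   # (rule, user) -> time of last ticket
        self.suppressed = 0        # count of repeats we chose not to re-ticket

    def route(self, event: dict) -> list:
        """Return the actions for one event: 'log', 'ticket', 'page:<target>'."""
        rank = SEVERITY_RANK[event["severity"]]
        ts = event["time"]
        actions = ["log"]          # every event is recorded, nobody is woken for INFO

        if rank < self.ticket_min:
            return actions

        key = (event["rule"], event["user"])
        last = self._last_ticketed.get(key)
        repeat = last is not None and ts - last < self.dedup_window
        # Non-critical repeats within the window are folded into the open
        # ticket; criticals always get through, even if repeated.
        if repeat and rank < self.page_min:
            self.suppressed += 1
            return actions

        self._last_ticketed[key] = ts
        actions.append("ticket")
        if rank >= self.page_min:
            target = "security-manager" if business_hours(ts) else "on-call"
            actions.append(f"page:{target}")
        return actions


def _t(hour: int, minute: int) -> datetime:
    # 2024-01-15 is a Monday; constructed so weekday/hour logic is predictable.
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


# Constructed sample events, in time order. Not real tool output.
EVENTS = [
    {"time": _t(4, 0),  "severity": "CRITICAL", "rule": "bulk-export", "user": "carol"},
    {"time": _t(4, 1),  "severity": "CRITICAL", "rule": "bulk-export", "user": "carol"},
    {"time": _t(9, 5),  "severity": "INFO",     "rule": "usb-mount",   "user": "alice"},
    {"time": _t(9, 10), "severity": "MEDIUM",   "rule": "email-pii",   "user": "bob"},
    {"time": _t(9, 12), "severity": "MEDIUM",   "rule": "email-pii",   "user": "bob"},
]


def summarize(events: list) -> dict:
    """Run a fresh router over events and count what reached a human."""
    router = EscalationRouter()
    results = [router.route(e) for e in events]
    return {
        "tickets": sum("ticket" in r for r in results),
        "pages": sum(any(a.startswith("page:") for a in r) for r in results),
        "suppressed": router.suppressed,
    }


if __name__ == "__main__":
    router = EscalationRouter()
    for e in EVENTS:
        print(e["time"].strftime("%H:%M"), e["severity"].ljust(8), router.route(e))
    print(summarize(EVENTS))
```

Walking the constructed events through the router shows the two decisions the post is driving at: the 04:00 critical pages the on-call contact instead of the Security Manager, and bob's second 'MEDIUM' hit two minutes after the first is suppressed rather than generating a second ticket. The 4am question from the text becomes a concrete test you can run against the agreed event flow before go-live.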