3 Best Practices for Incident Categorization to Support Key Performance Indicators

The DNA sequence for each human is 99.5% similar to any other human. Yet when it comes to incident response and the manner in which individual analysts may interpret the details of a given scenario, our near-total similarity seems to all but vanish. Where one analyst might characterize an incident as the result of a successful social engineering attack, another may instead identify it as a generic malware infection. Similarly, a service outage may be labeled as a denial of service by some, while others will choose to attribute the root cause to an improper procedure carried out by a systems administrator. Root cause and impact, or incident outcome, are just a couple of the many considerations that, unless properly accounted for in a case management process, will otherwise play havoc on a security team’s reporting metrics.

Poor Key Performance Indicators can blind decision makers

What is the impact of poor KPI’s? All too often the end result leads to equally poor strategic decisions. Money and effort may be assigned to the wrong measures, for example into more ineffective prevention controls instead of improved response capability. In a worst case scenario, poor KPI’s can blind decision makers to the most pertinent security issues of their enterprise, and the necessary funding for additional security may be withheld altogether.

Three best practices are required to address this all too common problem of attaining accurate reporting:

  1. A coherent incident management process is necessary in order to properly categorize incident activity. Its definitions must be clear, taking into account outliers, clarifying how root causes and impacts are to be tracked, and providing a workflow to assist analysts in accurately and consistently determining incident categorization.
  2. The process must be enforced to guarantee uniform results in support of coherent KPI’s. Training, quality assurance, and reinforcement are all necessary to ensure total stakeholder buy-in.
  3.  Security teams must have the technologies to support effective incident response and proper categorization of incidents.

There are several ways that the IncMan platform supports the three best practices:

First, IncMan provides a platform to act as the foundation for an incident management program. It provides customizable incident forms allowing for complete tailoring to an organization and the details it must collect in support of its unique reporting requirements. Custom fields specific to distinct incident types allow for detailed data collection and categorization. These custom fields can be coupled with common attributes to track specific data, thereby providing a high level of flexibility for security teams in maintaining absolute reporting consistency across the team’s individual members.

Next, playbooks can be associated with specific incident types, providing step-by-step instructions for specialized incident response activities. Playbooks enforce consistency and can further reinforce reporting requirements. However, playbooks are not completely static, and while they certainly provide structure, IncMan’s playbooks also offer the ability to improvise, add, remove or substitute actions on the fly.

The platform’s Knowledge Base offers a repository for reference material to further supplement playbook instructions. Information collection requirements defined within playbook steps can be linked to Knowledge Base references, arming analysts with added information, for example with standard operating procedures pertaining to individual enterprise security tools, or checklists for applicable industry reporting requirements.

IncMan also includes Automated Responder Knowledge (ARK), a machine learning driven approach that learns from past incidents and the response to them, to suggest suitable playbooks for new or related incident types. This is not only useful for helping to identify specific campaigns and otherwise connected incident activity but can also highlight historical cases that can serve as examples for new or novice analysts.

Finally, the platform’s API and KPI export capabilities enable the extraction of raw incident data, allowing for data mining of valuable reporting information using external analytics tools. This information can then be used to paint a much clearer picture of an enterprise’s security posture and allow for fully-informed strategic decision-making.

Collectively, the IncMan features detailed above empower an organization with the means to support consistency in incident categorization, response, and reporting. For more information, please visit us at https://www.dflabs.com

A Weekend in Incident Response #11: Protecting Trade Secrets and Personal Information Through Cyber Incident Response Plans

Protecting customer data and intellectual property are among the top priorities for government agencies, as well as corporations across many different industries, such as healthcare, finance, entertainment, and insurance, to name a few. The main goal of data breaches – which are extremely common in our digital world – is stealing confidential customer information or valuable intellectual property. Banks, hospitals, insurance companies, along with government institutions, are often the target of cyber crimes involving fraud and intellectual property theft. Considering that these types of breaches – which are not always avoidable or preventable – can have wide-ranging consequences for every organization. They must take a broad set of precautionary measures in order to minimize the damage and recover as soon as possible. Among those measures is devising incident response plans, as well as adopting a platform that can keep cybersecurity incidents under control, by helping you determine what type of cyber attack your organization is under, how you should prioritize your response, and what you can do to contain the damage.

Fast Incident Triage

If an organization uses a cybersecurity platform with robust incident response capabilities, the organization’s leadership can have peace of mind that even if they get attacked, they will be able to solve the incident as quickly and as efficiently as possible.

One of the key elements to an effective incident response is incident triage. Organizations should acquire a cybersecurity platform that offers this feature, which is essential for improving its CSIRT’s efficiency. Incident triage is important because it allows your team to quickly analyze what happened and determine what actions they need to take first, enabling a continuation of the operations within the organization and containment of the damage.

Case Management

Once a data breach is detected, and the incident triage process is completed, some of the next steps involve managing the impact and preparing for potential litigation, which organizations often face when they’ve experienced a data breach. To that end, corporations and government agencies should use a platform that provides litigation support, which covers several aspects, such as customizable reports needed for material disclosures, as well as the preservation of evidence and chain-of-custody tracking to preserve all artifacts and record all activities. Allowing a proper investigation that could help your organization avoid crippling potential legal liabilities.

In conclusion – the mentioned features are crucial for protecting customer data and trade secrets in the era of data breaches. Organizations can easily take advantage of extra robust feature functionality by obtaining a cybersecurity platform that incorporates all those capabilities necessary for a complete solution that meets and exceeds your requirements.

A Weekend in Incident Response #6: Improving Digital Skills of Police Forces Should Be a Top Priority for Governments

With cyber-crime on the rise globally, it’s clear that law enforcement agencies around the world need to raise their level of cyber-security preparedness so that they can respond to this growing threat accordingly. But, it seems that improving their own digital skills has turned out to be a tough challenge for some police forces.

A recent report by England-based Her Majesty’s Inspectorate of Constabulary (HMIC) shows that the police officers in England and Wales are having trouble coping with the increased amount and complexity of cases involving cyber-crime.

Digital Forensic Capabilities Must Be Improved

The report finds that several police forces in England and Wales show a severe lack of digital skills that are needed to solve modern crimes. Specifically, investigators have proven to be insufficiently prepared to gather and process digital evidence, which is one of the crucial aspects of cyber crimes.

Another challenge that is underscored in the report is the fact that police forces are having difficulties understanding how different IT systems work, and how they can retrieve and share data between different systems.

Automated Case Management is One of the Solutions

Considering the significant gap in digital skills among police officers that the report notes, it’s clear that law enforcement agencies could use a tool that can help them overcome these challenges.

There are solutions that can be employed to make investigations into cyber incidents more efficient and help alleviate the problem of not being able to retrieve and process digital evidence properly. There are platforms that can track digital evidence and entire investigative processes automatically, helping to accelerate the investigation into a cyber incident.

A platform that is capable of gathering and managing information during cyber forensics processes, can make police forces much more efficient and prepare them for the challenges that are an inseparable part of modern crimes.

In order to be able to solve cyber crimes, police forces need to employ platforms that provide integrated support for cyber forensic tools, in addition to an integrated knowledge base access, as solutions that can help offset investigators’ lack of digital skills.