How To Build An Incident Response Plan


Businesses often sign service-level agreements with managed security services providers (MSSPs) to monitor system logs for threats and maintain detection systems that trigger alerts, but they often lack an incident response plan, said Rob Kraus, director of the engineering research team at Solutionary, an NTT Group subsidiary. When an organization has to seek outside help to address an immediate threat, the result is expensive incident response costs, Kraus said.

A security incident begins with detection, but also needs capable hands to investigate the extent of the problem and an effective response to reduce the scope of an incident and get systems running normally. An NTT Group study found that 43 percent of its engagements were related to the detection of suspicious activity that turned out to be malware. The company also was called in to mitigate distributed denial-of-service attacks, Kraus said. Its annual study on security threats sheds light on how solution providers can help their clients develop an incident response plan to avoid costly mistakes.



The Computer Security Incident Handling Guide, a document created and maintained by The National Institute of Standards and Technology, contains detailed instructions on how to create and build out an effective incident response plan or dust off and update one that is already in place. It provides step-by-step instructions on how to plan for all issues associated with a security incident, from detecting and investigating a potential security breach to establishing media communications procedures and when to contact law enforcement.

The document recommends that companies that don't have knowledgeable IT teams should consider MSSPs. While technical staff members in a business may know the organization's environment better than outside help, MSSPs may be able to correlate events among customers so that they can identify new threats more quickly than any individual customer could, according to the NIST document.


Security appliances need to be properly configured, tuned, updated and maintained regularly to detect threats. The alerts generated from the device need to go to the proper handler. System logs should be reviewed regularly to spot suspicious activity. In many cases, basic monitoring can detect threats, but it needs to be done regularly, said Christopher Porter, a managing principal at Verizon.

"The key with monitoring isn't necessarily investing in technology to detect faster, it is investing in technology or practices to configure these things in a more secure manner," Porter said. "A lot of these attacks are on small and medium businesses; they don't have the expertise in place typically to carry this out effectively themselves."


Investigative controls take the information identified during incident detection and verify whether the organization has the information required to conduct a meaningful response, according to the NTT Group study. The organization needs to first determine whether an alert is a false positive, then define the scope of the incident and which systems and data are potentially impacted, Kraus said. The activity requires a skilled professional and the right tools to analyze the incident indicators, he said.


An organization that has skilled staff and a thorough incident response plan in place can quickly assess and reduce the scope of an incident. Following an initial infection, an attacker will attempt to move laterally through the organization, said Raj Shah, CEO of Morta Security, which was recently acquired by Palo Alto Networks. Shah said that there are stages of an attack that cybercriminals always need to conduct when they seek out and attempt to get into more sensitive systems. The goal of the incident response team is to surround and cut off the attacker to minimize the loss or exposure of data.

