An organization might spend hundreds of thousands of dollars to implement just one security infrastructure. Millions of dollars can be spent creating a security environment that provides an extensive defense against all nature of attacks and threats. But the true value of that substantial investment can never be realized until one relatively low-cost â€“ but critically important â€“ item is addressed: Incident Response Leadership (IRL).
Incident Response Leadership is the primary task of the management of incident response teams. IRL begins with the creation of incident response plans that minimize the impact of any given incident to the management and leadership of the actual response team during an incident. IRL continues through the recovery/cleanup process by assessing where the incident response plans can be improved.
Effective Incident Response Leadership also recognizes three basic truths. Until your organization embraces these truths, there will be an artificial ceiling on how effective the security program can be…
Basic Truth #1: Assume You Will Fail
Ask yourself this quick question: â€œHow many compromised hosts are on my network?â€
If your first gut response was â€œnoneâ€ then you might have some rethinking to do. It’s natural to develop a sense that all of the money, effort, and resources it took to build your security environment will keep all of the evildoers at bay. But if you (and the team you lead) begin to operate under the assumption that nothing bad can happen, you will either miss it or react inappropriately when the inevitable incident occurs.
Compromised hosts can take many different forms. It may be a file server that’s functioning as a SPAM relay, it could be a workstation that is part of a bot network, it may be a database server that has a rootkit installed. There are a multitude of methods and techniques to identify and locate hosts using firewall logs, DLP, anti-virus, and so forth. It’s a major IRL responsibility to allocate resources to this work.
Basic Truth #2: Have A Workable Plan, Or Else
How many of us really do regular exercises of our incident response plans? Exercising workable plans that give your team the direction it requires and the flexibility it needs is a low-cost, high-payback activity that builds esprit de corps and keeps your team sharp and ready. Lack of a workable plan will delay your response, make forensic investigations more difficult, and cost you time and money you didn’t need to spend.
There are always challenges to the drive to exercise plans. â€œWhy waste time on this?â€, â€œWe’re too busy.â€, and peer leaders not making matrixed resources available are a constant refrain that IRL needs to overcome.
Basic Truth #3: Communicate This To Your Boss
Telling your boss you are assuming you will fail can be a tough conversation. The only way to survive it with any sense of dignity and professionalism is to create a series of dialogues with your leadership to explain your incident response program, methods, and assumptions. You can make this a career enhancing discussion by demonstrating your knowledge of the needs, objectives, and goals of the business. You will be able to set realistic expectations for your team and be able to clearly communicate what it will take to move your team to the next level. Demonstrating the fact that success is defined by effectively leading your team through the entire range of security tasks (prevention, detection, response) and not by simplyÂ saying â€œdon’t get hackedâ€, will enable you to truly succeed to the benefit of your organization.
Over the next several articles we’ll dive deeper into each of these Basic Truths, and show realistic steps and obtainable objectives to improve your Incident Response Leadership.