Maturing towards Team-Based Incident Response

March 11, 2016

In our last blog post, we talked about how, as an organization’s security posture matures (often along with the organization itself), its strategy starts to move beyond prevention to focus on detection and response. In general, the larger or more valuable the company, the more security incidents it must respond to, and the more complex those incidents can be.

In turn, effective incident response demands more responders with a wider spectrum of skills, who can work together to identify and scope incidents. To make the new IR team as efficient as possible, multiple responders need to be able to access one another's work at any given time.

Filling communication gaps

Each incident offers an opportunity for a responder to build knowledge. What’s normal for their network? How does this change over time? What data or behavior can the responder consider suspicious within these parameters?

Responders working as part of a team, whether as part of an internal security operations center (SOC) or a consulting team, have to be able to communicate these pieces of information in order to make effective decisions, and to provide effective counsel to key stakeholders.

However, “do it yourself” incident response and digital forensics tools may lack the kind of centralized storage or reporting that responders need to communicate findings. Meanwhile, endpoint threat detection and response (EDR) tools may be too infrastructure-heavy for smaller, still-maturing organizations or remote consulting teams.

Making the most of your team’s skills

Most incident response teams have both junior and senior responders working an incident. Senior responders are more likely to have the deep-dive digital forensics, malware analysis, and other skills needed to explore especially tricky problems. They need to be able to focus on those issues without spending too much time on tasks that don’t make use of their expertise.

Because junior responders are still building those types of skills, they’re in an ideal position to perform basic triage and other tasks. However, senior responders need a way to review their work to ensure they didn’t miss anything, are effectively prioritizing systems, and are otherwise sticking to the response plan.

Team visibility streamlines incident response

Just as an individual responder needs a combination of automation and human review to avoid missing critical indicators, a team of responders needs full visibility into what each member has already seen and is currently seeing. This helps to identify any gaps as well as the incident's scope, and supports informed decision-making about which systems to prioritize for containment and remediation.

Cyber Triage 1.5 offers a server-based version that allows multiple clients to leverage the same database and multiple simultaneous collections. While individual responders can start and pause work according to their own workflow and schedule needs, any data they collect is aggregated and accessible to other responders at any time.

The server storing the data is local to the organization’s own network, so there’s no risk of leakage of sensitive data. Responders can tag their own and one another’s work, improving correlation results.

To see Cyber Triage 1.5 in action, visit our exhibit at the SANS Threat Hunting & Incident Response Summit April 11-12 in New Orleans, LA, or contact us for a free demo.


photo credit: DSC_0157 via photopin (license)