From the time an information security incident occurs, every minute is crucial. The last thing you want is to have to vet an outside incident response team and take time to choose one to help you contain the compromise.
Whether you’re experiencing an incident now or simply want to be prepared in case, choosing a cyber incident response team is a task that can eat up crucial time.
You can speed up the search process. Look for experience and credentials, timeliness, and the ability to mitigate damages in a potential incident response partner.
Experience
How long has the incident response provider been in business?
The need for help with information security is only continuing to grow. As a result of the increased demand, it seems like new companies spring up every day. It may be important to you to support small businesses. It’s also important to be sure the provider you choose to help you through an incident is well-established.
If the incident management company is only a year or two old, you may end up inadvertently being a guinea pig for new employees, new team leaders, new processes, and unknown issues they need to work on company-wide. It’s best to find a provider that has already walked the road you’re traveling so they don’t get lost trying to help guide you down a difficult path.
An information security firm that has a proven track record with your business size, industry, and challenges is ideal. A shop that has opened up in the last couple of years is much less likely to have this experience.
How long have they had an IR offering?
Similar to the reasoning behind wanting to choose a partner who has been in business long enough to know the ropes, it’s important to find a provider who has extensive experience specifically in handling incidents.
Attackers vary their tactics and come up with new, sneaky cyber threat methods for stealing your sensitive data every day. It’s vital that your provider has experience understanding how these attackers work, what they may do within your environment, what critical assets they might be after, and where they will go next. Your provider should have enough experience directly dealing with incidents as a company to give you the confidence they’ll be able to handle yours.
Are they pointed incident response providers?
Next, we’ll talk about the Cyber Security Incident Response Team (or CSIRT) itself. Do all CSIRT members have experience at more companies than the one they work for now?
The difference between breadth of experience and depth of experience is important; they need both.
And are they focused?
If the incident response provider doesn’t have security analysts and resources dedicated solely to responding to incidents, they may not have the expertise needed to complete triage, handle the incident in a timely manner, or both.
What are their team’s credentials?
In addition to years of experience and focus, certifications and other officially recognized credentials of quality can help you determine whether your CSIRT is qualified to handle your incident.
Industry certifications such as GIAC Certified Forensic Analyst (GCFA) or Certified Incident Handler Engineer (CIHE) help give you the confidence that your CSIRT has gone through necessary steps to prove their abilities as incident responders. It’s not a guarantee that a certification will make them good at handling security breaches, but it legitimizes their efforts in trying to be one.
Has the incident response provider worked on incidents in your industry?
As you likely know, certain nuances exist among industries that make their information security landscapes unique compared to others.
Regulatory bodies have requirements for incident handling and breach notification much like they do for proactive security measures and general data protection. It’s important that your incident response provider understands the circumstances that exist within your industry so that they can thoroughly mitigate the risk.
Execution
Although it’s important that your CSIRT has depth and breadth of experience both with incidents and the nuances of information security within organizations like yours, it’s equally important that they can respond effectively to your incident and that they will do what they promise. There’s no way to guarantee your provider will be able to deliver until they have finished the work, but there are some good signs to look for when evaluating their ability to execute.
How quickly can they act?
Skilled CSIRTs know that time is of the essence when dealing with an information security incident. Each minute that the attacker has access to your system means longer system down time, more stolen records, and more opportunity for escalation.
Only work with providers who offer a guaranteed SLA, and make sure the SLA lines up with your expectations.
Do they have a robust team?
Even if they’re qualified, a small team may be stretched thin or burnt out. A larger team with verifiable industry experience and certifications will help ensure that your incident is handled quickly and correctly. There will be less potential for errors, oversights, or extra time spent waiting for the CSIRT to finish up the last job or get some much-needed rest.
Additionally, a deep bench of certified response team members ensures that the handling of your incident will continue to be treated as a priority, despite the fluid and unexpected natures of incident response.
Will they be thorough and know where to look?
Related to experience and team size, a CSIRT with more resources at their disposal will be more thorough. They will know when to keep looking to ensure your incident is fully resolved.
Attackers often compromise one aspect of a system and then continue to move around within the environment. They can then gain access to other parts of the network. If your CSIRT finds only one point of compromise and stops looking for signs of others, you may risk additional compromise down the line—or an incomplete triage of the initial incident.
Proactive Measures for the Future
As the old saying goes, “An ounce of prevention is better than a pound of cure.”
The same is true for information security incident response.
It is far better to do your best to minimize the likelihood of an incident occurring in the first place. Implement a strong information security program. Plan for the inevitability that incidents will still sometimes occur regardless of preventive measures. Create an incident response plan and test it consistently.
These few steps can be taken to limit the damage caused by a breach.
Build a Relationship Before a Breach Occurs
Building a relationship with a CSIRT can look different depending on the team you select. Ideally it would entail vetting the team based on the above criteria.
It would also likely include some form of a retainer program, including the team learning your environment and technical systems, signing an NDA, and offering recommendations on the front end; bonus points if you can put any unused retainer fees toward other services, like penetration testing.
Budget Appropriately
The unfortunate truth is that having a quality CSIRT at your disposal isn’t free. However, when compared to the high financial, reputational, and emotional cost of a breach, it’s a no-brainer.
You will need to understand the size and scope of your organization and the data you manage to budget accordingly. Remember, a good CSIRT will offer the option to put unused retainer fees towards other preventive services.
Utilize Simple Safeguards
Complexity is the enemy of security. Just a few simple solutions are often enough to make a big impact on your security program.
Phishing training for your employees, implementing and enforcing MFA policies across all work accounts, archiving logs, and requiring your employees to use a password manager with unique passwords for each account are all relatively low-cost and low-effort solutions that can make a big impact—even despite some natural implementation challenges.
Conclusion
Although you can’t prevent every information security incident from occurring, you can reduce the impact when one does.
When searching for an incident response provider, it’s important to vet them on many criteria. This includes their team’s experience and credentials, their timeliness, and their ability to thoroughly address the incident and mitigate damages.
Before one even occurs, begin implementing simple preventative measures. This will decrease the likelihood of something bad happening—something even your new CSIRT hopes for.
We hope this guide aids your search for a well-qualified CSIRT. To learn more about our own incident response team, click here.