Coordinated Response
Services and tools for incident response management

Ubiquitous Limitations with Incident Response

A data forensic expert, often involved with response to a cybersecurity incident, identified 9 limitations he repeatedly experiences with organizations when he participates in their incident response.

These 9 weaknesses or limitations hinder incident response efforts – costing time, money, and potentially the organization’s reputation.

Addressing the 9 limitations makes a good set of New Year’s resolutions. These resolutions form the outline of a good plan for incremental improvements throughout the year to come.

The table below addresses these limitations in the form of an incremental plan. It’s divided into 3 phases: Phase I – Lay a foundation; execute tasks that would result in time savings if an incident occurs; Phase II – Pluck low hanging fruit; execute tasks that would immediately improve your security profile and reduce the likelihood of an incident; and Phase III – Plan and raise your security profile; add procedures and tools to enhance your cybersecurity incident response capabilities.

Phase I Phase II Phase III
Inventory and Inventory Control Legacy Equipment and Software – Low Hanging Fruit Legacy Equipment and Software – Incremental Reduction
Review or Develop the Inventory of IT Assets:

  • Servers, OS, and storage arrays;
  • Desktops, laptops, and mobile devices;
  • Network components and connections;
  • Applications and databases;
  • User accounts, especially, administrative; and
  • Identify legacy components.
 Through the inventory process identify low hanging fruit – remove components that can be retired or replaced easily. Develop a plan to remove remaining items through a phased approach. Include a budget and a return on the necessary investment. Tie investment to risk reduction and value to the organization. Implement a cost / benefit approach to incrementally eliminate legacy components. Include remaining legacy components in a risk register; plan to address these components next year.
Change Control Harden DMZs Network Visibility
Along with inventory control, establish and follow policies and procedures that control changes to the IT infrastructure.
Limit end users’ ability to install software. Limit the ability to modify hardware and software configurations. Audit changes.
Too often, DMZs look good on paper, but have been degraded with time.
As a result of the inventory process, review the DMZ, close gaps, harden it, and update the documentation.
Improve the network inventory – know the scope of the network and its components. Improve network monitoring tools.
Administrative Accounts Staff Capabilities and Requirements Incident Response Capabilities
Identify and limit administrative accounts. Employ least privilege and separation of privilege. Review staff capabilities and requirements. Develop plan to fill gaps through hiring, training, realigning. Review the risk assessment and incident response plan. Identify gaps and a plan to fill them.
Users – Policy Users – Education and Training Users – Monitoring
Review / establish policies including acceptable use of IT assets and privacy. Address mobile devices especially “bring your own devices” (BYOD). Educate users on the policies; establish their acceptance of the policies. Develop and implement awareness training. Establish tools to monitor users especially users with elevated privilege.

A Coordinated Response to Cybersecurity

Phase I might include an incident response plan review. The response plan includes input from the following activities: inventory, privilege accounts, and staffing requirements. It provides input to the staffing requirements, legacy equipment, and incident response capabilities. So, if you resolve to improve your cybersecurity posture in the coming year, Coordinated Response can help you get started with a response plan review.