Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/27/2020
06:35 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Top 10 Cyber Incident Response Mistakes and How to Avoid Them

From lack of planning to rushing the closure of incidents, these mistakes seriously harm IR effectiveness.
Previous
1 of 11
Next

A well-run cyber incident response team (CIRT) can prove the ultimate backstop for a cybersecurity program by stopping an early intrusion from turning into a full-blown data breach. At the very least, a CIRT can minimize the impact of breaches when they do fly under the radar.

While many cybersecurity organizations today field early CIRTs, not nearly as many run them well.

According to cybersecurity experts who have helped organizations clean up after disastrous security breaches, many of those events were made so much worse due to incident response (IR) failures. And those failures tend to cluster around the same common IR mistakes that enterprises make time and again.

The pundits point to the following top 10 mistakes, along with advice on how to avoid them.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. 
View Full Bio

Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:38:38 PM
Playbooks
It's not good enough to just have an overarching and strategic IR plan. IR teams also need tactical plans for common scenarios so they shave time off their mean time to respond and streamline operations. True. Come up with a playbook and keep it up to date.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:36:41 PM
Collaboration
Successful IR programs enable teams to collaborate closely and handle incidents together more swiftly, whether responders are working from an on-site SOC or remotely. Important point to make. Especially working remotely collaboratively.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:33:17 PM
Root cause
Taking the shortest path to closing cases and avoiding asking questions about root causes Obviously root cause is critical to be identified to avoid repetition.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:29:26 PM
Priorities
Alert prioritization and triage are important components of managing analytics workloads Really good point. Priorities are important but you can not leave low priorities forgotten, they will come back and bite you.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:26:59 PM
Assets
Failing to tackle things like asset inventories or data classification and management leads to a lot of mistakes Exactly. If you do not know your assets how could you protect them?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:25:08 PM
Automations
Automation can make a big difference in the efficacy and efficiency of an IR program This is really important. Not everything can be done manually and be effective.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:23:06 PM
Test
Failing to Test the Plan Another important point. Plan not tested will put you at risk.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:20:53 PM
Re: Message Matters More Than Timing
Plenty of breached companies make things worse by getting the timing right and the message completely wrong. That is true. It becomes a PR nightmare after that.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:19:46 PM
Re: Message Matters More Than Timing
The timing is often dictated by disclosure requirements, and when it's not, it's only relevant in the context of maintaining trust and reputation. This makes sense. Truth will eventually come out.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:17:58 PM
No IR
No IR Plan in Place I think this is what gets most companies. They do not know what to do when there is an incident without a plan.
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/1/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Threat from the Internet--and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15478
PUBLISHED: 2020-07-01
The Journal theme before 3.1.0 for OpenCart allows exposure of sensitive data via SQL errors.
CVE-2020-6261
PUBLISHED: 2020-07-01
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired.
CVE-2020-15471
PUBLISHED: 2020-07-01
In nDPI through 3.2, the packet parsing code is vulnerable to a heap-based buffer over-read in ndpi_parse_packet_line_info in lib/ndpi_main.c.
CVE-2020-15472
PUBLISHED: 2020-07-01
In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as demonstrated by a payload packet length that is too short.
CVE-2020-15473
PUBLISHED: 2020-07-01
In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c.