If You Are Doing Incident Response, You Are Doing It Wrong

I’d been thinking about this for awhile, but conversations with Rob Lee and then a presentation with him really helped me clarify my thinking on this issue. Here goes:

If you are doing incident response, you are psychologically, if not operationally, in a reactive rather than proactive mode. To do it right, incident response needs to be part of your ongoing daily business process. True incident response only occurs during major breaches. As part of your incident management, you proactively – days, months, even years in advance – address the issues that might create a need to respond to an incident.

By managing incidents rather than responding to them, you:

• Reduce the severity of the incidents that do occur.
• Reduce the number of incidents that do occur.
• Shift from responding to incidents to managing incidents as part of your normal operations
• Reduce unforeseen expenses related to incident investigations
• Increase your visibility within the business, and thus the support for your organization
• Strengthen security posture (Thank you to Corey)
• Reduce stress on your staff and increase their job satisfaction (unless they are adrenalin junkies)

---

An incident management mindset depends on accepting a truism:

Compromise Is Inevitable – Something truly malicious has been in, is in, and will be in your environment.

If you accept that compromise is inevitable, why wait for it to happen? Why not get ahead of it, reduce its impact, and increase your resilience?

Which leads me to my second point – traditional emergency management has been doing this for decades. If you do a search for “Emergency management cycle”, you will find many images similar to the following:

Tornados, earthquakes, fires, automobile accidents, heart attacks, and many more emergencies happen daily. Rather than treating these as one off incidents that require all hands on deck, emergency services plan, recruit, train, and respond in a very calm, business like manner because it is their normal business. (I speak from 15 years of emergency management experience. Find a fire fighter in your organization and run this past them.) When a fire engine rolls up to a fire, does everyone jump out, run around, and add to the chaos? No, they respond in a very consistent, calm, and methodical manner.

Take a hard look at ICS – Incident Command System. FEMA has several short, online courses to familiarize you with it. Step back and think about how it might apply to your organization. The modular, scalable nature of ICS enables effective response to incidents by multiple agencies. Sounds like something that might apply to a breach investigation? (You don’t need to buy into all the labels. Just think about the core concepts.)

In closing, let me ask you to think on two points:

• Manage incidents, and the entire lifecycle, in a way that enables you to treat incidents as part of your normal operational tempo.
• Pay attention to how traditional emergency management works and learn from them. An enormous amount of thought and effort has been invested in emergency management already. Build on that rather than try to recreate everything.