White Paper

Key Components of an Incident Response Strategy

Preparing for a breach helps organizations bounce back quickly.
by: Nick Nelson

The number and sophistication of cyberthreats are growing continuously. Not only are cybercriminals more organized, they’re also more effective.

In this environment, a breach may be all but inevitable. Organizations must plan beyond how they intend to keep cybercriminals out and also consider what they’ll do once an attacker gets in. Building a strong, capable cybersecurity incident response program creates resilience against these threats. An organization that quickly detects security incidents as they occur can move rapidly to contain and eradicate the threat and return to normal operations sooner.

Organizations that succeed at incident response generally rely on a formalized and documented incident response strategy. This strategy should be developed with input from IT leaders, executive leadership, functional line of business leaders and subject matter experts from across the organization. Incident response efforts involve cybersecurity teams, business leaders, attorneys, public relations teams and others, so strategic planning should also include those stakeholders. The plan they develop must address known vulnerabilities and also consider the need to uncover unknown vulnerabilities in the future.


The median number of days an attacker was present in a victim’s network in 2019 before being detected, a major decline from 416 days in 2011

Source: FireEye, “M-Trends 2020: FireEye Mandiant Services Special Report,” February 2020

Prepare for Incident Response

As organizations prepare for incident response, they should develop an inventory of their security controls and understand their own capabilities for incident response. The preparation phase should include establishing communication protocols and incident-handling playbooks that the organization will follow when an incident occurs. First responders should know how to activate the organization’s incident response capabilities quickly and pull together the experts who will conduct most of the response. The strategy must spell out individual responsibilities and lines of communication during an incident, and each person must clearly understand his or her role. Responders must also have access to system and application inventories and documentation to help them quickly zero in on affected resources.

Perform a Gap Analysis

After developing an incident response strategy, an organization should conduct a gap analysis to identify flaws in its approach that require remediation. It’s far better to discover a flaw before an incident, when the organization has time to remediate it, than to wait until disaster strikes to realize that the security controls in use are not adequate to support the incident response effort. The gap analysis should include a prioritized remediation plan that will serve as a blueprint for improving the organization’s security posture.

Monitor and Automate

It’s impossible to overstate the importance of strong monitoring in any incident response strategy. An organization’s security information and event management (SIEM) platform is the focal point of many cybersecurity efforts, including incident response. Without quick and complete access to information, incident responders are flying blind. Cybersecurity teams should continually ensure that the SIEM tool is operating effectively and that it is receiving information from all relevant sources in the organization. This becomes a complex task in a rapidly changing technology environment: new systems must be connected to the SIEM as they are installed, and the SIEM must be properly configured to interpret and correlate the data feeds from these new sources.
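One way to make that "is the SIEM still receiving from every relevant source" check a routine control is to reconcile the asset inventory against the SIEM's per-source last-event times and flag hosts that were never onboarded, have gone silent, or are logging without being inventoried. This is an added example, not code from the paper or from CDW; the hostnames, timestamps and silence thresholds are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical hostnames): INVENTORY lists systems that
# should be logging; LAST_SEEN mimics the SIEM's per-source last-event view.
INVENTORY = {
    "dc01.corp.example": "domain-controller",
    "fw-edge-01": "firewall",
    "web-prod-07": "web-server",      # newly installed, never onboarded
    "vpn-gw-02": "vpn-gateway",
}
LAST_SEEN = {
    "dc01.corp.example": "2024-05-01T11:58:00Z",
    "fw-edge-01": "2024-04-30T02:14:00Z",   # silent for over a day
    "vpn-gw-02": "2024-05-01T11:59:30Z",
    "lab-box-99": "2024-05-01T11:50:00Z",   # logging, but not in inventory
}
# Assumed per-type tolerance for silence; tune to each feed's normal volume.
MAX_SILENCE = {
    "domain-controller": timedelta(minutes=15),
    "firewall": timedelta(minutes=5),
    "web-server": timedelta(minutes=30),
    "vpn-gateway": timedelta(minutes=15),
}

def parse_ts(s):
    """Parse a UTC ISO-8601 timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_log_sources(inventory, last_seen, now, max_silence=MAX_SILENCE):
    """Return {'missing', 'stale', 'healthy', 'unknown'} lists: hosts never seen
    by the SIEM, (host, seconds_silent) past tolerance, hosts within tolerance,
    and SIEM sources absent from the inventory."""
    report = {"missing": [], "stale": [], "healthy": [], "unknown": []}
    for host, kind in sorted(inventory.items()):
        ts = last_seen.get(host)
        if ts is None:
            report["missing"].append(host)
            continue
        silent = now - parse_ts(ts)
        if silent > max_silence[kind]:
            report["stale"].append((host, int(silent.total_seconds())))
        else:
            report["healthy"].append(host)
    report["unknown"] = sorted(set(last_seen) - set(inventory))
    return report

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for status, hosts in check_log_sources(INVENTORY, LAST_SEEN, now).items():
        print(f"{status}: {hosts}")
```

Run on a schedule against the real inventory and SIEM source list, each of the three non-healthy buckets is a coverage gap to close before an incident exposes it.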

Automation plays a crucial role as an enabler of incident response. Organizations that go beyond simple SIEM deployments and incorporate security orchestration in their workflows will reap tremendous benefits in their incident response programs. In some cases, automation platforms will be able to respond to an incident and conduct a full recovery without human intervention. In other cases, automation will rapidly pull together the information required by a human analyst, reducing response time and improving the organization’s ability to quickly contain an incident before it spreads.

You Play Like You Practice

Incident response is a learned discipline that depends on rapid action by knowledgeable people. Fortunately, many organizations don’t need to activate their incident response programs frequently. While this is, of course, a good thing, it also means that incident response skills can get rusty, threatening the ability of responders to handle future incidents. CDW recommends that organizations conduct incident response testing annually to keep skills sharp.

To learn more about how you can improve your incident response, read the CDW white paper “The Need for Effective Incident Response.”