As organizations prepare for incident response, they should develop an inventory of their security controls and understand their own capabilities for incident response. The preparation phase should include establishing communication protocols and incident-handling playbooks that the organization will follow when an incident occurs. First responders should know how to activate the organization’s incident response capabilities quickly and pull together the experts who will conduct most of the response. The strategy must spell out individual responsibilities and lines of communication during an incident, and each person must clearly understand his or her role. Responders must also have access to system and application inventories and documentation to help them quickly zero in on affected resources.

After developing an incident response strategy, an organization should conduct a gap analysis to identify flaws in its approach that require remediation. It’s far better to discover a flaw before an incident, when the organization has time to remediate it, than to wait until disaster strikes to realize that the security controls in use are not adequate to support the incident response effort. The gap analysis should include a prioritized remediation plan that will serve as a blueprint for improving the organization’s security posture.

It’s impossible to understate the importance of strong monitoring in any incident response strategy. An organization’s security information and event management platform is the focal point of many cybersecurity efforts, including incident response. Without quick and complete access to information, incident responders are flying blind. Cybersecurity teams should continually ensure that the SIEM tool is operating effectively and that it is receiving information from all relevant sources in the organization. This becomes a complex task in a rapidly changing technology environment, as new systems must be connected to the SIEM as they are installed, and the SIEM must be properly configured to interpret and correlate data feeds from these new sources.

Automation plays a crucial role as an enabler of incident response. Organizations that go beyond simple SIEM deployments and incorporate security orchestration in their workflows will reap tremendous benefits in their incident response programs. In some cases, automation platforms will be able to respond to an incident and conduct a full recovery without human intervention. In other cases, automation will rapidly pull together the information required by a human analyst, reducing response time and improving the organization’s ability to quickly contain an incident before it spreads.

Incident response is a learned discipline that depends on rapid action by knowledgeable people. Fortunately, many organizations don’t need to activate their incident response programs frequently. While this is, of course, a good thing, it also means that incident response skills can get rusty, threatening the ability of responders to handle future incidents. CDW recommends that organizations conduct incident response testing annually to keep skills sharp.