As mentioned in my previous blog, the core goal of incident response is to reduce attacker dwell time as a form of risk mitigation, but organizations must first define the level of risk to be mitigated. It is important to consider incident response maturity and capabilities in relation to threats relevant to the business and the scope of impact these threats can create. Business risk awareness requirements define the metrics and security spend needed to achieve appropriate response times.
In 2013, James Webb, CISO of Appalachian State University, proposed an incident response maturity model on a time axis, which Vectra has adopted and evolved as part of our advisory security practice.
This model considers two core capabilities that are critical to incident response success: threat awareness and response agility.
Most security maturity frameworks imply the adoption of tools to provide linear capabilities as a layered security approach. That methodology potentially leads to overlap and redundancy, which often has a negative impact on threat awareness and response agility. It also highlights tradeoffs between detection and response capabilities that occur at every level of maturity.
By relating these two attributes to the incident response process, maturity and capability can be defined and measured across the five stages of the maturity model based on the desired level of risk awareness.
Levels of incident response maturity
Incident response plan alignment
While time is the most important factor in incident response, time is also money. How much to spend and how much threat awareness or agility is required to mitigate business risk depends on the unique needs of an organization. These needs differ based on size, industry and compliance requirements.
Prioritizing the handling of the incident is perhaps the most critical decision point in the incident response process. Prioritization requires an understanding of the threat and risk to the organization. The classification of that risk drives the necessary maturity level of the organization.
Choosing the appropriate level
The level of maturity an organization must reach for incident response is based on the requirements for such a capability. Industry-specific threats, risks and compliance requirements dictate the needs of an organization. Looking at the needs of other organizations in the same industry helps identify a good starting point for a target maturity level.
For example, a small company operating in the logistics business will not have the same requirement – or ability – to respond to cybersecurity incidents in the way a major corporate organization in the finance sector or a government entity would. In contrast, organizations with highly recognized brands or valuable intellectual property must enhance threat awareness by proactively hunting for attackers while maintaining the agility necessary to respond fast to the threats they find. This goes beyond a maintained plan, concrete roles and responsibilities, lines of communication, and response procedures. A formal SOC plan and process is not enough to address the risk of targeted attacks.
If you need to improve your security operations and enhance your incident response capabilities, discover Vectra Advisory Services for a range of offerings tailored to your organization’s specific needs.
Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.