Components of Successful Incident Response Teams

Incident response is an important part of any cybersecurity program. There have to be protocols in place for when an incident occurs. One of the first things a startup should do when implementing cybersec measures is to draft an IR program. It’s not a question of “if” a breach or incident will happen, it’s a question of “when.” Being prepared is vital to having a successful outcome.

The most successful IR programs have a team of people in designated roles who come in and triage the incident immediately. They are a cross section of the company's different facets: people who can hyper-collaborate and coordinate to triage quickly, working within a cultivated pattern of trust. The size of the team doesn't matter; it's better to have people in the meeting from all areas, because someone could have experience with something that isn't technically under their umbrella. They can help, or may offer to help, in an area outside their job scope simply because they have prior contextual experience, but you won't know that if they aren't in the meeting. The IR team follows the common steps: Prepare, Identify, Contain, Investigate, Eradicate, Recover, Follow up. Incidents are tracked and escalated as appropriate.

Anything that can be automated should be automated. The fewer people you have to wake up in the middle of the night, the better. Ideally, 100% of immediate incident responses would be automated: no one wakes up in the middle of the night, and a report is waiting at the office in the morning. Once you see what action the system has taken, you can diagnose the weakness and make adjustments as needed. The key to automation is knowing what normal looks like and setting parameters so that anything outside that normal is caught and reacted to.

Originally published at on June 9, 2020.