Policy, Plan & Playbook: Preparing a Cybersecurity Incident Response

Sponsored By: Fortinet

By Martin Pueblas, Fortinet

Staying ahead of today’s cyber-threat landscape requires organizations to be proactive and prepared. The rise of digital transformation, the shift to work-from-anywhere (WFA) models, and the increase in the sophistication of threats require a measured and consistent approach to cybersecurity response planning.

As a global leader in integrated cybersecurity solutions, Fortinet often supports customers in establishing the policies and processes they need for an effective Cybersecurity Incident Response (IR) program. With the emergence of Cybercrime-as-a-Service, having the right framework, tools, and guidelines in place is critical to ensuring organizations can react quickly to security breaches and limit the damage.

When supporting our customers in developing their incident response framework, we focus on three key areas: policy, plan, and playbooks.

Start at the top

Establishing an incident response policy sends a powerful signal to the entire organization, as it holds the organization, employees, and executives accountable to specific rules and governance.

Developing an IR policy is foundational because it outlines the core aspects of the organization’s incident response approach. A robust IR policy states why it was created, identifies the individuals and teams within the organization responsible for maintaining, actioning, and enforcing it, and defines the types of incidents it covers.

Most importantly, the IR policy provides a mandate to develop the IR plan, a critical next step to ensuring organizations are prepared for a cybersecurity attack.

Tackling the Incident Response Plan

The IR plan furthers the policy by guiding how organizations respond to an incident. The plan should detail how the organization will detect, investigate, contain, eliminate, and recover from an incident.

An IR plan should define and cover all phases of the incident response lifecycle, from start to finish. The Canadian Centre for Cyber Security offers guidance on developing an IR plan, and organizations including the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and SANS Institute offer frameworks that organizations can use as reference points.

While there is no one-size-fits-all approach, the plan should include a clear mission statement with related goals and objectives and a defined scope to set the expectation for any incident response. It should also outline specific roles and responsibilities, with backups and redundancies should resources be unavailable, and should enable teams to triage based on a defined list of incident types and severity, with specific procedures aligned to the incident response lifecycle. The plan should also include detailed communications steps to ensure the right messages are delivered to the right people at the right time – internally and externally.

A robust IR plan is also an evolving one. New technologies added to the IT stack, internal business churn, or regulatory changes can affect the plan’s effectiveness. Consistent training for incident response teams through tabletop exercises or red teaming allows for timely reviews of the plan and its processes, and can help ensure faster response times for containing and eliminating an incident.

Adding an Incident Response Playbook

While the IR plan highlights overall roles and communication requirements, the IR playbook details what actions to take. IR playbooks are especially useful because they standardize the response with steps and procedures for specific incident types, such as ransomware, data breaches, malware, denial-of-service attacks, social engineering and zero-day vulnerability attacks.

An IR playbook should cover all phases of an incident, from detection to analysis, containment, eradication, and recovery, and include the team or individuals responsible for each action.

Ongoing investment in peace of mind

Developing incident response documentation is a significant lift, but it is an important investment that can reduce the impact of a cybersecurity incident. By defining roles and responsibilities and ensuring ongoing training, IR team members will better understand what is expected of them, leading to faster response times and more limited impact.

For this reason, Fortinet recommends that its customers review all IR documentation bi-annually and conduct a detailed review after each major incident. Revisiting IR documentation ensures that lessons learned are integrated into the process and that any organizational changes are considered against the plan.

Organizations can enlist outside experts to help develop incident response protocols. Risk assessment services, cybersecurity consultants, and incident readiness and response services are available to guide organizations through the process. To support customers’ security teams, FortiGuard offers a Ransomware Playbook Development Service and an Incident Readiness Subscription Service, which can help organizations implement the tools and resources needed. A lack of in-house experts should never be a barrier to developing an IR plan, considering how significantly a robust incident response can mitigate the effects and damage of a cyber-attack.

With an IR policy, plan, and playbook in place, security leaders can take swift, traceable, and defined actions that allow the organization to recover quickly from a cybersecurity incident. An IR framework should be an integral part of any organization’s security hygiene best practices, and a critical investment in the organization’s business and reputation.

Martin Pueblas is VP Consulting System Engineer at Fortinet for Canada, Latin America, and the Caribbean
