Every security professional knows it’s only a matter of time before their organization is breached. And even though most security-conscious organizations have implemented procedures and products to support the incident response process, many security decision-makers find it far more challenging to communicate the ongoing IR process to their management. That is not really a surprise: members of upper management are not necessarily security savvy, and the priorities of the security professional do not necessarily align with theirs.
Cynet addresses this challenge with a new Incident Response Reporting for Management Presentation Template, providing a clear view of the IR process and of the output that is typically presented to upper management. The PPT aims to give CISOs and CIOs an easy and intuitive way to communicate to management the ongoing IR process and its conclusion.
By using Cynet’s new IR PPT template, security professionals will be able to more easily show upper management two main points that are of great concern during any incident response:
- Knowledge that the breach is under control: the main goal of incident response is first and foremost gaining control, achieving transparency of what has taken place and what items still await remediation. This means defining which investigations still must be carried out and what parts of the attack chain may still lie uncovered.
- Understanding breach cause and implications: When it comes down to it, management is concerned with productivity, not with which threats have gotten into the environment. Hours, manpower, data breach – these are the items at the top of the executive decision-maker’s mind. The ability to map and present the attack chain through time is integral to getting management on board, with a full understanding of the importance of the actions that must be taken – especially when the IR process is ongoing and still incurring cost.
Utilizing the SANS/NIST framework, the IR template includes the following stages:
- Identification: The presence of the attacker is detected. Issues to be examined include whether the attacker was detected by a third party, how far the attack has advanced within the phases of the ‘kill chain,’ risk assessment, and what steps will be taken with internal resources or whether a consultant service provider needs to be brought into the picture.
- Containment: As with any incident, the first step of triage is to focus on the main hemorrhage, the main attack point. Then comes the process of deciding which endpoints, users and servers should be taken offline, evaluating the current status of all entities, and deciding how to move forward.
- Eradication: A complete cleaning must take place, eradicating all malicious infrastructure and activity, then providing a full report of the attack chain development, its objectives and an analysis of the overall impact on the business (manpower hours invested, data breached or lost, regulatory issues, etc.).
- Recovery: An analysis must be made of the rate of recovery and return to full function with regard to endpoints, servers, applications, cloud workloads and data.
- Takeaway Lessons: The final step is to review and assess lessons learned, including how and why the breach occurred and which items enabled it (was there a lack of security in place, was it an issue of human error, etc.?). Then methods of improvement should be assessed – what should have been done differently, and where security can be preserved or further improved upon, across the IR process timeline.
Obviously, each security incident is different. Whereas in one case, identification and containment might be implemented as one, in another, containment might be a more drawn-out process, requiring multiple presentations to management on its progress. For this reason, the PPT template is modular and can easily be adjusted to the security professional’s needs.
Keeping management in the know and involved is integral to bringing critical decision-makers on board during the IR process. The definitive IR Reporting to Management PPT Template provides an easy-to-use tool for security professionals to present their efforts, to clearly show how a security breach is affecting their organization, and what must be done to reclaim the organization’s secure status.