A breach is coming -- is your agency ready?
- By Kris van Riper, Scott Sherman
- Jan 15, 2016
If recent high-profile incidents are any indication, the number of attacks will only increase in the years to come.
Advanced threats are spreading at an alarming rate, putting agency data at risk and making attacks almost inevitable. In July, the Government Accountability Office reported that information security incidents involving federal agencies skyrocketed from 5,503 in fiscal 2006 to 67,168 in fiscal 2014.
If recent high-profile incidents are any indication, those numbers will only further increase in the years to come. Agencies should assume that they are at risk for a breach and implement processes for post-incident recovery.
A well-designed incident response plan gives federal agencies the tools necessary to respond to an attack, investigate the causes of a breach and manage both internal and external communications. Such plans should involve a three-pronged approach:
1. Define the conditions required for a response. Agencies must differentiate between security "events" and security "incidents." CEB defines a security event as any observable occurrence in a system or network — for example, a user connecting to file sharing or a firewall blocking a connection attempt. By contrast, a security incident is an event that results in or presents an imminent threat of a violation of computer security policies, acceptable-use policies or standard security practices.
All security incidents are security events, but not all events are incidents. Security incidents include denial-of-service attacks, infiltration by malicious code or unauthorized access to sensitive information. Those incidents should trigger the agency's response process, but if agencies were to automatically respond to every security event, they would waste time and resources chasing endless false alarms.
2. Create an incident taxonomy. The second step involves the creation of a standard set of labels known as an incident taxonomy. It allows agencies to categorize incidents within well-defined parameters to more quickly identify common patterns, which in turn enables a faster response to common types of incidents and streamlines trend analysis.
Although 83 percent of organizations use a taxonomy system, there is no overwhelming preference for a specific type, according to CEB's research. However, the taxonomy an agency selects is not as critical as the fact that it chooses and maintains one for consistency.
3. Follow the protocol for recovery. Once agencies have categorized their triggers and taxonomies, they should focus on recovery protocols, which are the most valuable accelerators to a rapid recovery. In order to adopt effective response protocols, agencies should create processes that span four distinct phases:
- Preparation -- Select a specialized incident response team, a single point of contact and a system for evaluating and tracking the external threat environment. In our research, 89 percent of organizations have designated a single point of contact for incident response coordination and leadership.
- Detection and analysis -- Develop a strategy for monitoring a variety of channels that are responsible for detecting incidents. And create consistent severity categories that align with levels of resource allocation and response timelines.
- Containment, eradication and recovery -- Establish workflows for responding to various incidents, including formal action plans that empower incident response teams to react quickly. Also, ensure that officials are communicating clearly with all stakeholders and maintaining processes that enable the collection of evidence for analysis.
- Post-incident response -- Require postmortem assessments that facilitate organizational change and reinforce the importance of operational improvement.
By assuming that system attacks are imminent and planning accordingly, federal agencies can limit the actual attack and manage the resulting impact.
Kris van Riper is a managing director at CEB.
Scott Sherman is a senior executive adviser at CEB.