What is security incident response (SIR)?

Security incident response is a strategic approach to identifying, prioritising and containing a cyberattack, as well as managing the resolution and aftermath of such an attack.

Cyberattacks are like snowballs rolling down a hill; they tend to start small. Unfortunately, too few businesses have the right resources or processes in place to fully mitigate these threats before they proliferate. And when cyberattacks are allowed to snowball from minor incidents into major business risks, they can have devastating consequences. Research shows that it takes companies 128 days on average to detect a breach. That’s four months, during which an attacker can steal data, damage your systems and disrupt your ability to do business.

Security incident response (SIR) is designed to help organisations respond to these kinds of network intrusions before they impact their business. Structured to handle many kinds of cyberthreats and security incidents, SIR establishes proven and scalable workflows and procedures that security operations centres (SOCs) and incident response teams can use to minimise impact on the business and reduce recovery times.

Security incident response is a subcategory of more general incident response initiatives that also cover non-security-related issues. SIR is designed specifically to address malicious attacks against a company’s digital systems. This includes (but is not limited to) the following categories of security incidents:

Computer system breach

A computer system breach, also called a data breach or IT security breach, occurs when an unauthorised threat actor gains access to a company’s computer data, software applications, networks or devices.

Unauthorised changes to systems, software or data

Threat actors, both internal and external, who gain access to an organisation's networks may attempt to make changes to various tools, apps, data or other sensitive systems.

Loss or theft of equipment storing sensitive data

Unencrypted hardware may pose a serious threat should it fall into unauthorised hands. If business devices are lost or stolen, companies must have plans in place to address the security risk.

Denial of service (DoS) attack

Sometimes the goal of a cyberattack isn’t to steal data; it’s to cause disruption. A DoS attack floods the target network with traffic, overloading its capacity and forcing a shutdown.

Interference with the intended use of IT resources

Cybercriminals who gain access to a company’s systems may attempt to take control of IT resources or tools, which often forms the basis for a ransomware attack.

Compromised user accounts

Often, the quickest way for an attacker to gain access is through hijacking an authorised user account. Compromised accounts can be especially difficult to detect.

Just like the snowball that grows as it goes, unaddressed and uncontained security incidents will almost always escalate. This can mean everything from lost user credentials and compromised company and customer data, to expensive and reputation-damaging downtime, to total system collapse. Security incident response empowers SOC teams with the correct resources, tools and processes to locate and prioritise those security incidents before they have the chance to start rolling.

By establishing best practices, automated and collaborative workflows and step-by-step threat mitigation plans that cover each phase of threat response, SIR exists to stop intrusions as quickly as possible and to provide companies with proven and scalable response strategies for recovering quickly after the breach has been contained and eliminated.

In addition to ensuring a fast recovery from potential data-breach events, security incident response helps companies meet regulatory compliance standards, such as those required by law within sectors such as healthcare and financial services. Finally, SIR protects brand reputation that might otherwise suffer permanent damage as a result of a successful breach.

Although your security incident response may include tasks for every level of your organisation, such as IT, risk, HR and legal, most of the responsibility will fall to your incident response team. These teams typically consist of the following roles:

Incident response managers

An incident response manager takes the lead in incident response, overseeing actions, prioritising threats and acting as the liaison between the response team and the rest of the organisation. Management support is essential for security incident response plans to be effective, which is why incident response managers must secure buy-in from C-suite executives before any plan can be implemented.

Security analysts

Security analysts are the ‘boots on the ground’ during the incident. These analysts should be trained to identify actual incidents from among potential false positives, determine the time, location and details of the incident and locate and maintain any evidence that may have been left behind by the intruder.

Threat researchers

Finally, threat researchers attempt to define the severity and extent of the breach. They search the internet for sensitive information that may have been extracted from company systems. They also assist in building a database of previous incidents to improve the company’s threat intelligence.

Each of these positions plays a key role in responding to and recovering from a security incident. Some businesses choose to outsource some of these responsibilities, but whether you build your team entirely in-house or contract it out, your incident response team will be integral to ensuring your organisation correctly follows your security incident response plan.

For security incident response to be effective, it must be fully prepared and ready to implement long before the security incident in question ever occurs. A security incident response plan (SIRP) is a formal, official set of documentation that clearly details the actions that must be taken at every stage of a company’s security incident response. At the same time, the SIRP should outline security-response roles and responsibilities throughout the organisation and address how these roles should communicate and interact within established response protocols.

Because the SIRP is designed for fast deployment during the most critical early hours of an attack, it must be clear, unambiguous in its terminology and language, and easy to follow. SIRPs often include or reference a library of incident response playbooks.

At its most basic, a SIRP is a set of directions for response teams to follow, allowing them to identify threats, respond effectively and reduce the impact of the security incident overall with speed and accuracy.

Because there is so much riding on how rapidly a company can deploy their response strategy, most SIRPs follow an established format consisting of six key stages:

1. Preparation

The first phase of incident response is dedicated to preparing IT, SOC and other members of response teams to handle threats as they arise. This will likely be the most important stage of your SIRP and must consider employee response training, securing the right funding and approval and establishing documentation standards. Many companies choose to engage in mock drills to help everyone involved become familiar with their responsibilities.

2. Identification

Because a breach may originate from many different areas, it is essential that response teams have access to procedures for identifying and validating potential threats before escalating them to the status of verified security incident. The identification stage must be capable of determining when an event occurred, how it was discovered, what areas it may have impacted, how much of an effect it may be having on current operations and whether the point of entry is known.

3. Containment

With the threat fully verified, the next phase is to prevent it from moving further through the system. Containment is an essential step and should not be skipped over in favour of moving directly into eradication; simply deleting the malware may ruin your chances to gather evidence you can use to strengthen your network against similar attacks in the future. Disconnect and quarantine compromised systems and, if possible, deploy backup systems to prevent loss of business operations. Patch all your systems, review remote-access protocols and have all administrative accounts change their login credentials.

4. Eradication

Once the threat is contained and all relevant data has been collected, you can now begin securely removing any malware from the system. It is essential that all malware be eliminated; a non-thorough sweep that leaves behind traces of the attack may still allow unauthorised access to your data and enable the malware to relaunch in the future.

5. Recovery

With your systems patched, your passwords updated and the malware fully eliminated from your systems, restoring your networks to full operation should be your next priority. Be sure to closely monitor this process for any signs of ongoing infiltration.

6. Review and Refinement

Mitigating a threat is good; improving your systems to prevent security incidents from impacting your business is better. After the incident is correctly dealt with, discuss with response team members and other stakeholders to identify and document what you’ve learnt from the experience. These lessons can then be applied to better prepare your systems for future incidents, optimising both prioritisation and response.
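The six stages above are only useful if the plan actually stops a team from skipping one, for example jumping from identification straight to eradication before evidence has been preserved. The following Python tracker is an added illustration, not ServiceNow code; the stage names follow the text, while the exit criteria (the facts each stage must record before the incident may move on) are an assumed, illustrative schema.

```python
"""Incident lifecycle tracker that enforces the six SIRP stages in order."""
from dataclasses import dataclass, field

# Fixed order: a stage cannot be skipped (e.g. identification -> eradication).
STAGES = ["preparation", "identification", "containment",
          "eradication", "recovery", "review"]

# Facts that must be on record before leaving each stage. These keys are an
# illustrative assumption derived from the stage descriptions, not a real
# product schema. 'entry_point' may be None: unknown is an acceptable answer.
EXIT_CRITERIA = {
    "identification": {"occurred_at", "discovered_by", "impacted_assets",
                       "entry_point"},
    "containment":    {"quarantined_hosts", "evidence_preserved"},
    "eradication":    {"malware_removed"},
    "recovery":       {"monitoring_active"},
    "review":         {"lessons_learned"},
}


class StageError(Exception):
    """Raised when a transition would violate the plan."""


@dataclass
class Incident:
    incident_id: str
    category: str                   # e.g. "compromised user account"
    stage: str = "identification"   # preparation is done before any incident
    record: dict = field(default_factory=dict)

    def note(self, **facts) -> "Incident":
        """Attach facts gathered during the current stage."""
        self.record.update(facts)
        return self

    def missing(self) -> set:
        """Exit criteria of the current stage not yet on record."""
        return EXIT_CRITERIA.get(self.stage, set()) - self.record.keys()

    def advance(self) -> str:
        """Move to the next stage, refusing if the current one is incomplete."""
        if self.stage == "closed":
            raise StageError("incident already closed")
        gaps = self.missing()
        if gaps:
            raise StageError(f"cannot leave {self.stage}: missing {sorted(gaps)}")
        # Containment specifically protects the evidence eradication would destroy.
        if self.stage == "containment" and not self.record["evidence_preserved"]:
            raise StageError("preserve evidence before moving to eradication")
        idx = STAGES.index(self.stage)
        self.stage = STAGES[idx + 1] if idx + 1 < len(STAGES) else "closed"
        return self.stage
```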

As security threats continue to grow in frequency, complexity and sophistication, security incident response has gone from competitive differentiator to essential security standard. But when every second counts, security teams are discovering that they simply do not have the capacity to fully investigate, verify and respond to every possible security incident as it occurs. ServiceNow provides the solution.

ServiceNow Security Incident Response transforms the standard approach to IT Security investigation, response and recovery, by applying advanced automation capabilities and centralising security operations data, insights and reporting on a single platform. Empower and scale response teams with automated prioritisation, triage, data analysis and other essential response tasks. Then take things further with real-time insights, detailed playbooks and full network security visibility.

Learn more about how ServiceNow can optimise your approach to security incident response and stop future cyberattacks before they start.

Get started with SecOps

Identify, prioritise, and respond to threats faster.