Incident Response: 4 Crucial Components

Mike Porter | 4/28/2016

Protecting Against Future Breaches

Given the proliferation of security breaches across all industries, the prevailing wisdom in the cybersecurity community is that you must assume your organization will be breached at some point in the future. In this context, emphasis has been placed on the development of incident response procedures. Effective incident response inherently depends on four components: training, communication, technology, and disaster recovery. Any weaknesses in these components can greatly hinder an organization’s ability to detect, contain, and recover from a breach.

Although addressing these four areas in the context of incident response procedures will not guarantee a successful response, neglecting them can result in failure to effectively manage the risks associated with a cybersecurity incident. Let’s take a closer look at each of these four components.

Training

In addition to making sure that the incident response team is properly trained to handle a cyber incident, company leaders must conduct appropriate training across the organization so that employees can be the first line of defense for incident identification. A receptionist might notice a suspicious visitor. A support specialist might receive an abnormal request. Anyone in the organization might receive a malicious email. Expectations for how to respond to these types of situations should be defined from the outset and reinforced periodically through additional training and testing.

Key Questions:

  • Do employees at all levels know how to respond if they suspect a cyber incident has occurred?
  • When an employee suspects that an incident has occurred, does that person know who to call?  

Communication

In a breach scenario, communication takes place both internally and externally. Internally, the incident response team needs to quickly communicate a suspected incident to management and peers. A variety of teams, possibly diverse in skill sets and locations, need to coordinate containment activities. Leadership needs to communicate with the entire organization to ensure that employees are aware of the situation and act accordingly.

External communication is also important. Vendors and support organizations may need to be contacted to assist at any phase of incident response. Law enforcement may need to be briefed. And of course, there is the public disclosure of a confirmed or suspected data breach. Don’t forget: 47 states have breach notification requirements, so make sure that you are aware of any regional communication requirements.

Key Questions:

  • Does leadership have a plan to communicate with the whole organization even if critical infrastructure, such as email, is unavailable?
  • Which external parties will need to assist in incident response and will they be available when needed?
  • What are the notification requirements for the organization’s industry and location?

Technology

Accurate and effective technology solutions are necessary to collect, store, and process log and alert data. Security event logs can be crucial for the identification, containment, and post-mortem analysis of a cybersecurity incident. Incomplete or inaccurate log data can make an effective incident response very difficult or – at worst – make it completely impossible. These logs should be collected and processed at all levels: network, system, and application. Security alerts based on logs and system activity are possibly the best way to identify an incident and, with a little luck, respond before any damage is done.

Key Questions:

  • Are security event logs being captured and security alerts being defined based specifically on incident indicators?
  • Are alerts being ignored because they are too numerous or generally useless?

Disaster Recovery

This final area is arguably the most vital component of incident response. Once the dust settles and the immediate risk has passed, you will need to quickly get systems fully operational. Business continuity procedures are also essential to keep the business functioning in the midst of an incident. In the end, the effectiveness of threat identification and containment is irrelevant if the resulting damage cannot be fixed.

Key Questions:

  • Have disaster recovery capabilities been tested for a breach scenario?
  • Am I confident that even a sophisticated attacker can’t tamper with data backups?

Are You Ready?

Although training, communication, technology, and disaster recovery are probably addressed in some manner or another in all mature organizations, reframing these topics in terms of a cybersecurity incident response can provide new perspective and be useful in helping you to spot weaknesses in current procedures. Consider taking another look at your incident response plan and asking yourself, “Is my organization really prepared to respond to a security breach?”