3 Steps to Building a Resilient Incident Response Plan

According to Accenture’s State of Cyber Resilience 2020 report, the average cost of a cyber attack for "non-leader" organizations is $380,000 per incident. The report divides organizations into two categories: leaders and non-leaders. At the top are the leaders, the organizations that set the bar for innovation and achieve highly effective cyber resilience.

Given the speed of modern cyber attacks, a security breach can easily lead to serious losses for an unprepared business. And the cost of a data breach goes beyond money: the data itself, and the trust placed in the organization, are what is put at risk.

These circumstances require companies to develop a credible plan that not only prevents attacks but also contains them as soon as they occur. The best companies evaluate their cybersecurity by how quickly they can detect a breach and how quickly they can close it, so that the attacker has as little time as possible to do damage.

Risk tolerance assessment

The first step in developing a viable incident response plan is to answer two questions:

  • What threats could your organization face?
  • What would be the impact of a particular attack on your organization if it took place?

These questions help you define your risk tolerance, because they force you to work through concrete scenarios for different kinds of attacks. The resulting risk tolerance assessment then steers where security investment, tooling and staff go. A FinTech company, for example, has a very low tolerance for a data breach, given how damaging one would be.

Senior management should be fully involved in setting risk tolerance, since cybersecurity risk can directly undermine business operations.

Threat awareness and detection training

Employees are the first line of defence. An effective response plan is impossible if employees cannot recognise threats. Preventing threats certainly requires the IT and security team, but every employee must be able to spot a threat and be aware enough not to expose the company through negligence.

Most of the workforce in the United States today are digital natives. But that status can work against them: they tend to be overconfident with their devices and overlook attacks. At the same time, 90 percent of data breaches in the UK in 2019 were attributed to human error. This reinforces the need for cybersecurity education.

Threat awareness and detection training should not be a one-off event. New cyber threats emerge every day, so staff need regular refreshers on how to recognise them. Repeated training is therefore of the utmost importance.

Incident response technologies

Accenture’s report ranks several technologies by their effectiveness in responding to incidents. From the top down, they are:

Security Orchestration, Automation, and Response (SOAR)

SOAR is an incident response technology that contains threats with minimal human intervention and provides adaptive protection. This relatively new technology is often confused with Security Information and Event Management (SIEM), another technology for collecting security data and detecting threats.

But SOAR and SIEM are not the same. The main difference is that SOAR looks at threats from a broader perspective: a SOAR platform combines the output of other security monitoring tools (including the SIEM) in a single place and acts on it.

Using playbooks (predefined decision workflows, sometimes supported by machine learning), SOAR lets an organization decide in advance how to respond to a given kind of alert and execute that response automatically, usually for low-severity, high-volume threats.

SOAR systems consist of two main components.

    • Orchestration: the integration aspect of SOAR, where the platform collects, correlates and analyses alerts from multiple security tools.
    • Automation: the different security tools each detect different kinds of threats; SOAR provides a framework for carrying out the resulting containment and neutralization tasks (blocking an IP, isolating a host, opening a ticket) without an analyst performing each step by hand.

SOAR systems offer a holistic approach to cybersecurity, and in particular to the collection and use of threat intelligence.
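As an added illustration of the two components above (this is example code written for this page, not code from the original article or from any SOAR product), here is a minimal playbook in Python. It normalises alerts from two constructed tool feeds (a SIEM and an EDR), enriches them against a constructed threat-intelligence list, correlates alerts that fire on the same host, and picks an automated action by severity. The alert shapes, the 1..10 severity scale, the action names and the sample data are all assumptions made for the example.

```python
"""Minimal SOAR-style playbook: orchestration (normalise and correlate alerts
from several tools) plus automation (choose an action by severity).
Example code; all inputs below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed sample alerts, in the differing shapes two tools might emit.
SIEM_ALERTS = [
    {"rule": "Multiple failed logins", "severity": 3,
     "src_ip": "203.0.113.7", "user": "alice"},
    {"rule": "Outbound to known C2", "severity": 8,
     "src_ip": "10.0.0.12", "dst_ip": "198.51.100.9", "user": "bob"},
]
EDR_ALERTS = [
    {"name": "Suspicious PowerShell", "score": 70,
     "host": "WS-0012", "hostip": "10.0.0.12"},
]
# Constructed threat-intel list used for enrichment (assumed indicator -> label).
THREAT_INTEL = {"198.51.100.9": "C2 server (constructed)"}


@dataclass
class Alert:
    source: str
    title: str
    severity: int            # normalised to 1..10 (assumed scale)
    indicators: dict
    tags: list = field(default_factory=list)


def normalise(siem, edr):
    """Orchestration step 1: map each tool's schema onto one Alert shape."""
    alerts = []
    for a in siem:
        alerts.append(Alert("siem", a["rule"], a["severity"],
                            {k: v for k, v in a.items() if k not in ("rule", "severity")}))
    for a in edr:
        # EDR scores 0..100; scale down to the shared 1..10 range.
        alerts.append(Alert("edr", a["name"], round(a["score"] / 10),
                            {"host": a["host"], "src_ip": a["hostip"]}))
    return alerts


def enrich(alert, intel):
    """Orchestration step 2: raise severity when an indicator matches intel."""
    for ip in (alert.indicators.get("src_ip"), alert.indicators.get("dst_ip")):
        if ip in intel:
            alert.tags.append(f"ti:{intel[ip]}")
            alert.severity = max(alert.severity, 9)
    return alert


def correlate(alerts):
    """Orchestration step 3: if more than one tool fired on the same source
    host, bump every alert in that group by one."""
    by_ip = {}
    for a in alerts:
        by_ip.setdefault(a.indicators.get("src_ip"), []).append(a)
    for ip, group in by_ip.items():
        if ip and len({a.source for a in group}) > 1:
            for a in group:
                a.tags.append("correlated")
                a.severity = min(10, a.severity + 1)
    return alerts


def decide(alert):
    """Automation: pick an action from the playbook's severity thresholds."""
    if alert.severity >= 8:
        return "isolate_host_and_page_oncall"
    if alert.severity >= 5:
        return "open_ticket_for_analyst"
    return "auto_close_with_note"   # low-severity, high-volume: no human needed


def run_playbook(siem, edr, intel):
    alerts = correlate([enrich(a, intel) for a in normalise(siem, edr)])
    return [(a.source, a.title, a.severity, decide(a)) for a in alerts]


if __name__ == "__main__":
    for row in run_playbook(SIEM_ALERTS, EDR_ALERTS, THREAT_INTEL):
        print(row)
```

Note how the host 10.0.0.12 ends up isolated not because either tool alone was conclusive, but because the SIEM hit matched threat intel and the EDR fired on the same host; that cross-tool view is what the orchestration layer adds over a single SIEM rule.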

Risk-based authentication

It is nothing new that password protection alone does not provide sufficient security. Password-protected systems need one or more additional layers that:

    • prevent access to data without proper identification, and
    • do not make the sign-in process more cumbersome for users.

Risk-based authentication, also called adaptive authentication, works by estimating the risk of a login attempt from its context, using real-time intelligence. It evaluates information about the device, the network connection, the IP address, the location, the sensitivity of the data being accessed, and so on. From this a risk score is calculated, and on the basis of that score access is granted, challenged or denied.

How RBA works:

    • If the risk is low (the context is familiar, e.g. the user signs in from the same device each time), access is granted.
    • If the risk is medium (the context is unfamiliar, e.g. access from a new network), the system asks for an additional factor to confirm the user’s identity.
    • If the risk is high, access is blocked.
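To make the three outcomes concrete, here is an added example in Python (written for this page, not taken from the article or from any authentication product) of a risk scorer for a login attempt. It compares the attempt with a constructed profile of the user’s last successful login: unknown device, unknown network, distance from the last location, "impossible travel" (too far, too soon) and the sensitivity of the resource each add to the score, and the score maps onto allow, step-up or deny. The weights, thresholds, profile fields and sample coordinates are assumptions for the example; a real deployment would tune them and feed in richer signals.

```python
"""Risk-based (adaptive) authentication: score a login attempt's context and
return allow / step_up / deny. Example code with assumed weights and
constructed user history."""
from dataclasses import dataclass
import math


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    ip: str
    asn: str                    # network the IP belongs to
    geo: tuple                  # (latitude, longitude)
    ts: float                   # unix seconds
    resource_sensitivity: int   # 1 low .. 3 high (assumed scale)


# Constructed history: what we know about the user's last successful login.
USER_PROFILE = {
    "alice": {
        "devices": {"dev-aaa"},
        "asns": {"AS64496"},
        "last_geo": (51.5, -0.1),        # London
        "last_ts": 1_700_000_000.0,
    }
}


def _km(a, b):
    """Great-circle distance (haversine) between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def risk_score(attempt, profile):
    """Additive score 0..100. Weights are assumptions for the example."""
    p = profile.get(attempt.user)
    if p is None:
        return 100                       # unknown user: treat as high risk
    score = 0
    if attempt.device_id not in p["devices"]:
        score += 30                      # never seen this device
    if attempt.asn not in p["asns"]:
        score += 20                      # never seen this network
    dist = _km(attempt.geo, p["last_geo"])
    hours = max((attempt.ts - p["last_ts"]) / 3600, 1 / 60)
    if dist / hours > 1000:
        score += 50                      # impossible travel: >1000 km/h since last login
    elif dist > 500:
        score += 10                      # merely far from last location
    score += 10 * (attempt.resource_sensitivity - 1)
    return min(score, 100)


def decide(score):
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"                 # challenge for a second factor
    return "deny"


def authenticate(attempt, profile=USER_PROFILE):
    s = risk_score(attempt, profile)
    return s, decide(s)


if __name__ == "__main__":
    same_device = LoginAttempt("alice", "dev-aaa", "192.0.2.1", "AS64496",
                               (51.5, -0.1), 1_700_003_600.0, 1)
    new_device = LoginAttempt("alice", "dev-zzz", "192.0.2.1", "AS64496",
                              (51.5, -0.1), 1_700_003_600.0, 2)
    far_and_fast = LoginAttempt("alice", "dev-aaa", "198.51.100.5", "AS64500",
                                (40.7, -74.0), 1_700_001_800.0, 1)  # New York, 30 min later
    for a in (same_device, new_device, far_and_fast):
        print(a.device_id, a.asn, authenticate(a))
```

The impossible-travel rule is the one worth keeping even if everything else is simplified: a known device and password are exactly what a session-hijacking or credential-replay attacker presents, and only the context (5,000 km in half an hour) gives them away.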

Next-generation firewall

According to Gartner, Next-Generation Firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-layer inspection, intrusion prevention, and intelligence brought in from outside the firewall.

The most advanced traditional firewalls use stateful packet filtering: they track the state of each connection and filter on ports, protocols and that connection state. An NGFW goes further by filtering packets based on the application they belong to, not just the traffic context. Application awareness lets you define application-specific security rules whatever port the traffic uses, which gives a deeper and more dynamic control model.

An NGFW does everything a conventional firewall can do, and much more. Besides application awareness, the most important areas where a next-generation firewall differs from a traditional one are:

    • a higher level of inspection,
    • an integrated Intrusion Prevention System (IPS),
    • deep packet inspection (DPI), and
    • threat intelligence feeds.

In general, NGFWs can detect threats within seconds and can stop malware before it enters the network. An NGFW can also be integrated with other security systems such as SIEM software and authentication tools, which gives full visibility of the network and adaptive management.
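The difference between port-based and application-aware filtering is easiest to see on traffic that does not match its port. The following added example (written for this page; not the article’s code and not how any particular NGFW is implemented) identifies the application from the first client-to-server bytes using three minimal signatures (a TLS handshake record, an SSH banner, an HTTP request line) and enforces an assumed policy of "only TLS on 443, only HTTP on 80, only SSH on 22". The flows are constructed; real NGFWs use far richer classifiers, but the control they add is the same: the SSH-over-443 tunnel that a port rule waves through is denied.

```python
"""Port-based vs application-aware filtering. A port rule lets anything on an
allowed port through; the app-aware rule identifies the protocol from the
first payload bytes and checks it against a per-port policy.
Example code; signatures are minimal and flows are constructed."""


def identify_app(payload: bytes) -> str:
    """Very small signature set on the first client->server bytes (assumption:
    we see the start of the stream)."""
    # TLS record: content type 0x16 (handshake), version 3.1..3.3
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    for method in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT "):
        if payload.startswith(method):
            return "http"
    return "unknown"


# Traditional stateful/port rule: assumed allow-list of destination ports.
PORT_ALLOW = {22, 80, 443}


def port_rule(dst_port: int, payload: bytes) -> str:
    return "allow" if dst_port in PORT_ALLOW else "deny"


# Application-aware policy (assumed): which applications may use each port.
APP_POLICY = {443: {"tls"}, 80: {"http"}, 22: {"ssh"}}


def app_aware_rule(dst_port: int, payload: bytes) -> str:
    app = identify_app(payload)
    return "allow" if app in APP_POLICY.get(dst_port, set()) else "deny"


# Constructed flows: (label, destination port, first payload bytes).
FLOWS = [
    ("tls-on-443", 443, bytes.fromhex("160301") + b"\x00\x05\x01\x00\x00\x01\x00"),
    ("ssh-on-443", 443, b"SSH-2.0-OpenSSH_9.3\r\n"),      # tunnelling through the web port
    ("http-on-443", 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),  # plaintext on the TLS port
    ("ssh-on-22", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),
]


def evaluate(flows=FLOWS):
    """Return {label: (port-rule verdict, app-aware verdict)} for each flow."""
    return {name: (port_rule(port, p), app_aware_rule(port, p)) for name, port, p in flows}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:12s} port-rule={verdicts[0]:5s} app-aware={verdicts[1]}")
```

Two of the four flows change verdict once the application is taken into account, which is exactly the class of evasion (unexpected protocol on a permitted port) that a port-only rule cannot express.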

Privileged access management

Privileged user accounts are high risk, as unauthorized access to them can have a severe impact on the organization. These accounts can reach the most sensitive information and are a prime target for cybercriminals. According to a survey published the previous year, 74% of data breaches involved the abuse of privileged access.


This shows that effective Privileged Access Management (PAM) can make a lot of difference to an organization’s security, especially when combined with a zero-trust approach. PAM includes the secure storage of privileged credentials and imposes strict requirements on access to privileged accounts. According to Microsoft, a PAM deployment has four steps:

    • Prepare. Identify the privileged groups.
    • Protect. Set up the authentication and approval requirements for privileged access.
    • Operate. Privileges are requested, approved and granted just in time, for a limited period.
    • Monitor. Review audits, alerts, and reports.

PAM is different from Identity and Access Management (IAM), which deals with authentication and authorization for all users and accounts, not only elevated access. PAM is as much an approach as a technology.
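The four steps above read as policy, so here is an added example in Python (written for this page; not the article’s code and not Microsoft’s implementation) of the just-in-time pattern they describe: a set of identified privileged groups (prepare), a request that must carry MFA and be approved by someone other than the requester (protect), a time-boxed grant that makes the user a member only while it is live (operate), and an audit trail plus a report of lapsed grants (monitor). The group names, the one-hour cap and the audit record layout are assumptions for the example.

```python
"""Just-in-time privileged access: request -> approval by a second person ->
time-boxed grant -> audit. Example code with assumed groups and limits."""
from dataclasses import dataclass, field

PRIVILEGED_GROUPS = {"domain-admins", "db-admins"}   # Prepare: assumed managed groups
MAX_GRANT_SECONDS = 3600                             # Protect: assumed one-hour cap


@dataclass
class Grant:
    user: str
    group: str
    expires_at: float
    approved_by: str


@dataclass
class PamVault:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, user, group, reason, approver, seconds, mfa_ok, now):
        """Protect: a grant needs MFA, a distinct approver and a bounded lifetime."""
        if group not in PRIVILEGED_GROUPS:
            raise ValueError(f"{group} is not a managed privileged group")
        if not mfa_ok:
            self.audit.append((now, "denied_no_mfa", user, group))
            return None
        if approver == user:
            self.audit.append((now, "denied_self_approval", user, group))
            return None
        seconds = min(seconds, MAX_GRANT_SECONDS)
        grant = Grant(user, group, now + seconds, approver)
        self.grants.append(grant)
        self.audit.append((now, "granted", user, group, reason, approver, seconds))
        return grant

    def is_member(self, user, group, now):
        """Operate: membership exists only while a grant is live; every
        check is recorded so the monitor step can see who used what."""
        live = any(g.user == user and g.group == group and g.expires_at > now
                   for g in self.grants)
        self.audit.append((now, "check", user, group, live))
        return live

    def expired_grants(self, now):
        """Monitor: grants that have lapsed (for reports and clean-up)."""
        return [g for g in self.grants if g.expires_at <= now]


if __name__ == "__main__":
    vault = PamVault()
    t0 = 1000.0                                            # constructed clock
    print(vault.request("alice", "db-admins", "ticket-42", "alice", 600, True, t0))  # None
    g = vault.request("alice", "db-admins", "ticket-42", "bob", 600, True, t0)
    print(g, vault.is_member("alice", "db-admins", t0 + 500), vault.is_member("alice", "db-admins", t0 + 700))
    for entry in vault.audit:
        print(entry)
```

The point of the expiry is that there is no standing membership to steal: a credential dumped from the workstation after the grant lapses reaches nothing, and the audit list shows exactly which window was used and who signed off on it.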


Every organization, large or small, will have to deal with cyberattacks at some point in its life. The important question is this: How well prepared is your organization for what is going to happen?

A resilient incident response plan includes an assessment of the risks to which your organization is exposed and the use of appropriate technologies and systems to mitigate those risks. The speed and effectiveness of your organization’s response to cyber threats determine how resilient its security really is.

About the author: Joseph Chukvube is the founder of Digitale (https://digitage.net). He is involved in cybersecurity, e-commerce, and lifestyle issues and is the author of publications in Infosecurity Magazine, The HuffingtonPost, and others.

Editor’s note: The opinions expressed in this guest post are those of the author alone and do not necessarily reflect the views of Tripwire, Inc.
