CIS Control 19: Incident Response and Management

A big part of a mature information security program is the Incidence Response (IR) program. The organization will grow into this practice as the size of the organization increases. However, the need for such a team remains constant. Many security incidents happen because a company is unaware of the asset or risk to the asset. The first and arguably most important step in vulnerability management is discovering assets, as risk can’t be assessed, if the asset is unknown. Following all the preceding 18 CIS Controls will help bring awareness to the organization and the prepare the security team for the worst case scenario.

CIS Control 19 States:

“Protect the organization’s information, as well as its' reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

Why Is This CIS Control Critical?

Cyber incidents are now just part of our way of life. Even large, well-funded, and technically sophisticated enterprises struggle to keep up with the frequency and complexity of attacks. The question of a successful cyber-attack against an enterprise is not “if” but “when.”

When an incident occurs, it is too late to develop the right procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy that will allow the enterprise to successfully understand, manage, and recover. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow good procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and potentially exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.”

Tenable Security Center Continuous View provides a passive sensor that can help with enumeration of systems on the network. This passive sensor monitors network flows and looks for vulnerability based on clear text information or other traffic patterns. This detection method may assist organizations during incident response (IR), as the passive data collected is another source of information. Tenable Security Center and this collected data is valuable to ensuring the IR team has the information they need, and a history of system vulnerabilities and configurations, especially when conducting post incident review and process improvements. For example, if the organization has a 90 day patch cycle, a major incident occurs, a finding may be the affected system was vulnerable for over 90 days. The organization should now consider changing the patching policy to a 45 day cycle. While Tenable Security Center is not an IR solution, much of the information collected and existing history can assist the organization should such an event occur.