Incident response

9 Tips for Improving Your Incident Response Strategy

Mahwish Khan
March 1, 2018 by
Mahwish Khan


Incident response is a complex process involving many moving parts. Follow these suggestions to improve incident response across your organization.

1. Hire the Right Staff

You can have the best technology to help investigate, detect and respond to data breaches or security incidents, but if you don't have skilled employees who are capable of using that technology, there is no point. Employee roles and responsibilities must be clearly defined to ensure proper and consistent responses to threats. It is also important that end users are effectively trained to recognize threats to the system.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Some employees should be dedicated to incident response instead of using other personnel who are either part-time staff or members of another department. They should be experts in areas such as breach management, threat intelligence, malware analysis, and forensics and incident detection, since the majority of targeted attacks are focused on the platforms used most often.

A general staff model may include a tier 1 and tier 2 analyst, tools and support analyst, and an intelligence threat analyst. Some of these positions can also be filled by contractors and service providers instead of full-time internal personnel. Every employee should receive specific training that is specific to their role. Staff roles should be rotated regularly to avoid burnout.

2. Establish Clearly Defined Team Roles & Responsibilities

If all IT department employees have been assigned the role as a potential incident responder, it can cause confusion, inconsistent prioritization and processes, and in the worst case, complacency.

Each role and responsibility should be clearly defined. There should be a difference between the management of analysis, security data, incidents and security devices. Organizations should deploy specialized and tiered staffs that are flexible enough to ramp up their incidence response teams quickly.

3. Increase End User Awareness

End users are typically the weakest point in a company's defense. They become victims of techniques such as social engineering and spearphishing that allow attackers into the network. Even though users are aware that they shouldn't give their password to someone who says that they are calling from the help desk, it's easy to forget protocol during a busy day.

It is the responsibility of the security staff to find creative ways to make sure that these guidelines become common place. One way of doing this is to allow an actual internal phishing attack and publicize the results to staff letting them know how easy or difficult it was to access the network. You can encourage compliance and attention by creating friendly competition among employees from different departments to see who is most capable of seeing through an attack.

4. Learn From Past Breaches & Incidents

Over time, an organization's security posture is improved with effective incidence response. This requires complete and thorough recording of the incident response when the investigation is taking place and once it has been completed. The information should be used to improve the company's systems and processes for investigating, detecting and reducing the damage from future incidents. The information should address metrics such as incident resolution and detection time. It should also indicate the overall level of efficiency of existing countermeasures.

This allows the organization to determine whether the maximum amount of money is being allocated towards security issues. It should also be noted that the employees who are in charge of a security operations center (SOC) or a critical incident response center (CIRC) are given the authority to respond to and investigate incidents as they feel necessary.

To ensure continuous improvement, response processes should be easily measurable and replicated through key performance indicators (KPIs) that are relevant to the organization. An incident management system can assist in identifying the root cause of the problem and set realistic goals to learn from past mistakes and measure whether or not the response is improving.

Organizations that are more mature document use cases that describe threat scenarios and actual response situations that are specific to their business. This helps make sure the rest of the team is able to learn from past incidents and enhance their response.

5. Deploy the Right Tools

A trackable, centralized and coordinated intelligence-driven procedure backed by the right technology and well-trained staff enables continuous improvement and reduces the risk of further security incidents.

  • Controls: The capacity to get the right information from the right controls, both signature-less and signature-based.
  • Context: The joining of data controls with a business, risk and threat context in order to determine the priority of the incident.
  • Visibility: The gathering of context and controls and the capacity to handle occurrences within a single pane of glass.
  • Expertise: The skills, training and expertise of the team that is responsible for overseeing the solution set and defending the organization.

6. Upgrade Your Analysis & Monitoring Systems

The information systems that are in use today are extremely sophisticated. However, so are the attacks that are being launched against them. The proper investigation, occurrence detection and analysis technology are critical to increasing the skills of your security staff, learning from previous attacks and utilizing the proper processes so that you can respond more effectively.

7. Improve Incident Response Tracking

Too many businesses are dependent upon a manual or a decentralized system for tracking security occurrences. Typically this consists of no more than spreadsheets that have been updated by individual analysts. Due to the fact there are some analysts who are more diligent or skilled than others when it comes to these updates, it can be very hard to effectively track how the occurrences are being handled, provide governance and determine whether the procedure is improving over time.

A more efficient system should be easily customizable to drive the company's incident response procedure from alert collection to incident escalation and creation, through triage remediation, analysis and containment. A tool of this kind should work together with other security platforms so that tickets are automatically created based on the alerts they receive.

It should also enable a company to apply custom severity classifications to incidents and to enhance tickets with inside information such as criticality ratings and asset information; this should also include external data such as blacklist and domain information. The device should also allow the business to amend the priority ratings established on new information about vulnerabilities and risks.

8. Employ Centralized Monitoring

In order to improve the detection and more effectively investigate alerts and activities, security analysts require immediate and comprehensive visibility into crucial indicators that have been compromised. Apart from network degree telemetry, analysts need to have access to events and logs from basic infrastructure, security systems and applications. Finally, when handling malware, the capacity to be able to immediately see what is taking place on particular hosts also tends to prove critical. These tools should be able to do things such as detect system modification, kernel hooking and code injection, as well as other techniques that are common in security attacks. Some of the prerequisites for providing this visibility include:

  • An integrated platform for response, management, investigation and detection
  • Extensive network packet-level monitoring on all key internal network segments and all internet egress points
  • Comprehensive log/event collection that works closely with network level visibility
  • File monitoring for anomaly detection and behavior analysis to highlight endpoint anomalies and malware instead of relying on signature-based defence mechanisms that are typically redundant
  • Continuous feeds of indicators of compromise and threat intelligence to speed up the investigation and the detection of threats

9. Improve Forensic Analysis

You can't fight what you are unable to understand and see. Gaining full understanding of an attack needs deep-dive analysis with the use of host/log/network visibility, as well as several forms of analytics in the business and technical context, and threat intelligence.

Forensic tools for dynamic and static analysis can address several of these requirements. These tools must be easy to deploy throughout the IT infrastructure. Tools will also need to connect quickly to confinement points on demand. They should be able to provide centralized access to the root cause of the incident, while also limiting the memory and system burden. Tools should also provide efficient and rapid evaluation of the security occurrence and quickly identify any processes and files that look suspicious. This can be done by analyzing keys of interest, registry of hives, event logs of interest, running processes, open network connections and memory usage.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.


Security breaches cause extensive damage to the bottom line and reputation of an organization. Board members and CEOs expect more than random acts of heroism when an incident occurs. They demand measurable improvements that are consistent in response to security over time. They also insist on fine tuning employees, procedures and technology so that damage is limited when a security attack happens. The aim of any organization should be to beat security threats by transforming security staff into strategic partners that are focused on the long-term protection of the organization as opposed to reactive first responders.


Mahwish Khan
Mahwish Khan

Mahwish Khan is a Pharm-D graduate from The University of Faisalabad. She is experienced in technical writing. She currently works for a university as a technical trainer and documentation specialist. In the past, she has taught university writing courses and worked in two university writing centers, both as a consultant and administrator.