A Playbook for Better Incident Response: Learnings from Major Security Trends

July 22, 2022

Major security threats have been on the rise over the past few years, from supply chain security issues to exploits in enterprise software. All of these can lead to real consequences for companies and consumers. Mike Mellor, VP of cyber operations at Adobe, shares learnings we can leverage for better incident response in the future.

For enterprise software specifically, a recent report by Sonatype stated that there has been a 650% year-on-year increase in cyberattacks aimed at open-source software suppliers to exploit potential weaknesses in their ecosystems.

The current state of enterprise software is like “the little engines that could.” They’re doing a great job at delivering software capabilities and meeting demands but under the hood, some critical components are quite old, running on code that is over 20 years old.

Regularly maintaining and securing these open-source libraries can help prevent security incidents. At times, however, this code is not actively monitored or maintained, which makes it an easy target for threat actors. This lack of monitoring and awareness of old code also makes it harder to respond when an incident does occur: teams cannot quickly tell where the affected component is deployed.

So how do we improve our processes for this growing class of open-source library vulnerabilities? As we’ve seen with major security incidents in the past, attackers look for “soft spots” in products, finding the weakest link and trying to turn it into a critical security issue. For security teams, this means working quickly to scan for potential vulnerabilities and figuring out how to continually heighten defenses. Teams need to get the foundational basics right first and make action against vulnerabilities a priority across the organization. This will help scale security response and build a better playbook to enhance preparations against potential adversaries and threats.

Get the Foundational Basics Right, Then Scale

When talking with industry experts about their security programs, companies often gravitate toward the shiny and innovative programs that incorporate advanced techniques, processes and tools. When asked about basic security topics, however, most haven’t refreshed or looked at those in a while. A good incident response playbook requires solid fundamentals to be successful. These include:

  • Strong software inventory hygiene: When dealing with an incident, using new tools will certainly help speed up or manage processes, but before a team can use those tools, it’s essential to know the ins and outs of your software inventory, which assets are internet-facing, and what open source or other libraries are integrated with your software, so more foundational elements of your security programs are not at risk.
  • Security defense teams integrated into the product teams: To have a strong security program and incident response plan, security teams can’t be set up in a silo. It’s important to have security teams tightly integrated into product teams with established relationships from the start so when issues do arise, it is easier to resolve them together. Knowing the right point of contact for a certain product helps teams address an issue quickly and efficiently – and prevents your first interaction from taking place in the middle of a potential security issue.
  • Strong software quality processes to help address issues quickly: Similar to the concept of shift-left, security teams should set up quality gates at the start of the product development process. This helps ensure that product teams have security in mind as they develop new code, so teams can catch code issues quickly and protect code from incidents in the first place.
  • Established executive and cross-functional communications channels: In coordination with product teams, it’s also extremely valuable to build trust with business executives and keep them in the loop on security updates and issues. For executives with less familiarity with security issues, this is both an asset to security teams and a helpful benefit for the executive bench to understand their company’s strengths and weaknesses. With executives having a better understanding of potential vulnerabilities, they can also support cross-team collaborations to resolve potential issues as efficiently as possible.

Once the basics are nailed down, teams can work on scaling their playbooks. Some key steps are:

  • Prepare processes to handle “mega” vulnerabilities that could affect large sections of an application or infrastructure.
  • Practice tabletop exercises with information gaps built-in to prepare teams for situations where there is information missing, allowing them to think through how to solve incidents with only half of the pieces.
  • Think like an engineer to build tools that help streamline processes, allowing teams to programmatically look for potential issues by scanning or creating tickets.
  • Anticipate multiple patches for industry-wide, open-source vulnerabilities, and for early patches to potentially introduce new issues.
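The "software inventory hygiene" fundamental and the "think like an engineer" and "anticipate multiple patches" steps above come together in a single piece of tooling: a script that cross-references the inventory against advisories and drafts tickets for the owning product team. The example below is added here for illustration and is not code from the article or from Adobe. It assumes a small JSON inventory format (asset name, owner, whether it is internet-facing, and its component versions) and an advisory list with a "fixed_in" version; both data sets are constructed, and the advisory identifiers are placeholders rather than real CVEs. The second logger advisory models the "early patch introduced a follow-up fix" situation: an asset that applied the first fix is still flagged by the second.

```python
"""Cross-reference a software inventory against advisories and draft tickets.

Added example with constructed data; the inventory, advisory IDs and the
priority rule are assumptions made for this illustration.
"""
import json
from dataclasses import dataclass

# Constructed inventory: what each asset runs and whether it is exposed.
INVENTORY_JSON = json.dumps({
    "assets": [
        {"name": "billing-api", "owner": "team-payments", "internet_facing": True,
         "components": [{"name": "example-logger", "version": "2.14.1"},
                        {"name": "example-http", "version": "4.5.13"}]},
        {"name": "batch-report", "owner": "team-finance", "internet_facing": False,
         "components": [{"name": "example-logger", "version": "2.17.1"},
                        {"name": "example-xml", "version": "1.2.0"}]},
        {"name": "partner-portal", "owner": "team-web", "internet_facing": True,
         "components": [{"name": "example-logger", "version": "2.15.0"}]},
    ]
})

# Constructed advisories; IDs are placeholders, not real CVE numbers.
# ADV-...-002 is the follow-up fix after the first logger patch was incomplete.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "example-logger",
     "fixed_in": "2.15.0", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-002", "component": "example-logger",
     "fixed_in": "2.17.1", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-003", "component": "example-http",
     "fixed_in": "4.5.14", "severity": "high"},
]


@dataclass(frozen=True)
class Finding:
    asset: str
    owner: str
    internet_facing: bool
    component: str
    version: str
    advisory_id: str
    fixed_in: str
    severity: str


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def load_inventory(text: str) -> list:
    """Parse the (assumed) inventory JSON into a list of asset dicts."""
    return json.loads(text)["assets"]


def find_affected(assets: list, advisories: list) -> list:
    """One Finding per (asset, component, advisory) where the deployed version
    is older than the advisory's fixed version. Each advisory is checked on its
    own, so a follow-up advisory still catches assets that took the first patch."""
    findings = []
    for asset in assets:
        for comp in asset["components"]:
            for adv in advisories:
                if adv["component"] != comp["name"]:
                    continue
                if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                    findings.append(Finding(
                        asset["name"], asset["owner"], asset["internet_facing"],
                        comp["name"], comp["version"],
                        adv["id"], adv["fixed_in"], adv["severity"]))
    return findings


def priority(finding: Finding) -> str:
    """Assumed triage rule: exposure and severity together decide urgency."""
    if finding.severity == "critical" and finding.internet_facing:
        return "P1"
    if finding.severity == "critical" or finding.internet_facing:
        return "P2"
    return "P3"


def draft_tickets(findings: list) -> list:
    """Build ticket payloads for the owning team. 'key' is stable across runs so
    a re-scan after a new advisory only adds tickets that do not exist yet."""
    ordered = sorted(findings, key=lambda f: (priority(f), f.asset, f.advisory_id))
    return [{
        "key": f"{f.asset}:{f.advisory_id}",
        "priority": priority(f),
        "assignee": f.owner,
        "summary": (f"{f.asset}: {f.component} {f.version} affected by "
                    f"{f.advisory_id}; upgrade to {f.fixed_in} or later"),
    } for f in ordered]


if __name__ == "__main__":
    for ticket in draft_tickets(find_affected(load_inventory(INVENTORY_JSON), ADVISORIES)):
        print(ticket["priority"], ticket["key"], "->", ticket["assignee"])
```

Run as-is, the script flags billing-api for all three advisories, flags partner-portal only for the follow-up logger advisory (it already runs the version that closed the first one), and leaves batch-report alone because it is already at the fixed version. In practice the inventory would come from an SBOM or asset database and the ticket payloads would go to the ticketing system's API; the stable ticket key is what keeps repeated scans from flooding product teams with duplicates.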

Hardening the Soft Underbelly for Stronger Incident Response

How a security issue develops can be difficult to predict: sometimes it affects only one company, while other times it causes widespread incidents across many companies and sectors. We need to collaborate collectively to help ensure we’re getting smarter and stronger about incident response.

The security industry needs to help ensure that widely used open-source projects are adequately resourced and funded, to help improve the resilience of open-source software against threats. Through close collaboration and knowledge-sharing, security teams can help break down walls to get better, more reliable sources of truth in order to set up more resilient security programs.

The bottom line is: Learn, update, and be prepared to repeat. As the landscape evolves, attackers will get smarter, so it’s on us to evolve with them.

What are your learnings for incident response from recent security breaches? Share with us on Facebook, Twitter, and LinkedIn. We’d love to know!

Mike Mellor
Mike is the VP of Cyber Operations at Adobe, where he leads a global security team responsible for all aspects of IT, product, and operations security across the company. Mike has designed and led security programs that have received numerous industry awards and recognitions, including a SANS Cybersecurity Innovation award, a CSO Magazine top 50 award, and an RSA Charge award. He came to Adobe from the US Federal Government, where he was the Deputy Chief Information Security Officer at the Centers for Medicare and Medicaid Services.