IT security breaches are in the news seemingly every day, at companies both large and small. (For evidence, look no further than our own monthly security breach roundups, such as this one and this one.)
No company is immune from a potential security breach, so no company should be without a sound breach response plan.
“It’s a little like a fire evacuation plan,” says Thorsten Behrens, lead IT security architect for Carousel Industries. “Don’t figure it out when the building’s on fire; do it beforehand.”
We talked to Behrens to learn what a good security breach response plan should look like.
Security Breach Response: Who you gonna call?
First you need a list of people who should be contacted and alerted to the breach, from management to technical staff. On the management side, you’ll want officials from the business unit that suffered the breach, along with a representative from legal staff, who can advise which entities need to be informed of the breach from a legal perspective and whether the breach represents any compliance issues. On the technical front, you’ll need to be in touch with whoever is responsible for the systems and applications that got breached, the security team and potentially the network staff.
“You need to know how to reach these people at night or on weekends,” Behrens says. “And you need a second tier list in case someone is on vacation or something of that nature.”
Security Breach Response: Shut down and preserve
Next you’ll need to shut down whatever systems were breached and preserve the evidence for later review. If it’s a virtual machine, that means taking a snapshot, ideally one that includes memory state, since powering off discards whatever was running at the time. For a physical server it may mean pulling the disk and keeping it as evidence (record a hash of the image before anyone works on it, so you can later show it is unchanged), then installing a fresh one and restoring the server from the last known good backup.
“That means you have to know when you were breached,” Behrens says, which gets into log analysis and correlation – the kinds of things that would alert you to a breach in the first place.
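Picking the right backup depends on putting events from different hosts and log formats on one timeline. The script below is an added example, not code from the article or from Carousel: it normalises a syslog-style auth log and a web access log (both constructed for this illustration, assumed to be in UTC in the year 2024), finds the earliest event that mentions an indicator such as the attacker's IP, chooses the latest backup taken before that point from a hypothetical backup schedule, and records a SHA-256 for a preserved evidence image.

```python
"""Added example (not from the article): correlate two log sources to find
the earliest indicator of compromise, pick the last backup taken before it,
and record a SHA-256 for preserved evidence. All inputs are constructed."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample logs. The auth log is syslog-style (no year, assumed
# UTC); the access log is Common Log Format with an explicit offset.
AUTH_LOG = """\
Mar 10 02:14:07 web01 sshd[4011]: Failed password for root from 203.0.113.9 port 51522 ssh2
Mar 10 02:14:09 web01 sshd[4011]: Failed password for root from 203.0.113.9 port 51522 ssh2
Mar 10 02:16:31 web01 sshd[4020]: Accepted password for deploy from 203.0.113.9 port 51590 ssh2
Mar 10 02:17:02 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash
"""
ACCESS_LOG = """\
203.0.113.9 - - [10/Mar/2024:01:58:44 +0000] "GET /wp-login.php HTTP/1.1" 200 1431
203.0.113.9 - - [10/Mar/2024:02:03:12 +0000] "POST /wp-content/uploads/shell.php HTTP/1.1" 200 88
198.51.100.7 - - [10/Mar/2024:02:40:00 +0000] "GET / HTTP/1.1" 200 5120
"""

# Hypothetical backup schedule for web01 (UTC), oldest first.
BACKUPS = [
    "2024-03-09T00:00:00+00:00",
    "2024-03-10T00:00:00+00:00",
    "2024-03-10T03:00:00+00:00",
    "2024-03-11T00:00:00+00:00",
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
CLF_RE = re.compile(r"^\S+ \S+ \S+ \[([^\]]+)\] (.*)$")


def parse_events(year=2024):
    """Normalise both logs into (utc_timestamp, source, raw_line) tuples so
    events from different hosts and formats sort on a single timeline."""
    events = []
    for line in AUTH_LOG.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # Syslog omits the year; collapse double spaces ("Mar  9") first.
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
        events.append((ts.replace(year=year, tzinfo=timezone.utc), "auth", line))
    for line in ACCESS_LOG.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts.astimezone(timezone.utc), "web", line))
    return sorted(events)


def earliest_indicator(indicator, year=2024):
    """Earliest event in any source that mentions the indicator (here the
    attacker IP). Returns None when nothing matches."""
    hits = [e for e in parse_events(year) if indicator in e[2]]
    return hits[0][0] if hits else None


def last_known_good(first_bad, backups=BACKUPS):
    """Latest backup taken strictly before the first indicator. The earliest
    logged indicator is only the latest possible start of the intrusion, so
    when in doubt go one backup further back."""
    good = [b for b in map(datetime.fromisoformat, backups) if b < first_bad]
    return max(good) if good else None


def hash_evidence(data: bytes) -> str:
    """SHA-256 of a preserved image or snapshot, recorded before any restore
    so later analysis can show the evidence is unchanged."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    first_bad = earliest_indicator("203.0.113.9")
    print("first indicator:", first_bad.isoformat())
    print("restore from:   ", last_known_good(first_bad).isoformat())
    # Constructed stand-in for a disk image; in practice read the image file.
    print("evidence sha256:", hash_evidence(b"constructed disk image bytes"))
```

On this input the attacker's first visible contact is the web request at 01:58:44, before the SSH brute force in the auth log, so the 03:00 backup is already tainted and the script selects the 00:00 backup. The same normalisation step is what lets an alerting pipeline spot the pattern in the first place.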
Security Breach Response: Practice makes perfect
Ideally, you should test your breach response plan at least once. “Do a mock security breach and have everybody pull out all the stops to get back to a known good state in the least amount of time while at the same time preserving whatever went wrong with the system that got compromised,” Behrens says.
Without a breach response plan in place, people tend to run around in a panic. As a result, they miss things and remain vulnerable, or even run into legal liability if they fail to meet state requirements to disclose the breach within a certain time period.
Contact Carousel to learn how to create an effective IT breach response plan and ensure you have the tools in place to identify a breach when it happens.