E-Handbook: Incident response playbook in flux as services, tools arrive Article 2 of 3

peshkova - Fotolia


How to integrate an incident response service provider

Adding a third-party incident response service to your cybersecurity program can bulk up enterprise defenses, but the provider must be integrated carefully to reap the benefits.

As organizations try to defend themselves against ever increasing cybersecurity attacks and cope with a shortage of cybersecurity professionals, they are considering hiring managed security service providers. MSSPs offer many types of services, including incident response as a service. IRaaS offerings vary across MSSPs; in general, incident response service providers help an organization prepare for, manage and recover from cybersecurity attacks.

Understanding the main advantages and risks of hiring an incident response service provider, and what you need to do to get the most value from an IRaaS, is critical knowledge for determining how to keep your company systems and data secure.

IRaaS advantages

When properly implemented and carefully managed, IRaaS can benefit your cybersecurity program in several important ways. First of all, a good incident response service provider brings hard-won experience and difficult-to-find specialized expertise, like digital forensic analysis. A good IR service provider has experience responding to many different types of cybersecurity incidents at a variety of organizations -- in other words, its staff is battle tested.

IRaaS will also often have detailed threat intelligence -- such as indicators of compromise -- gathered from many organizations. Such intelligence, properly analyzed and used, can enable your organization to more quickly stop cybersecurity incidents and reduce their impact.

An incident response service provider will be able to react to a cybersecurity incident 24/7 year-round, which is important for organizations that -- due to financial constraints or inability to find qualified cybersecurity employees -- are not able to provide such coverage on their own.

IRaaS risks

An organization can fall into the tempting-but-dangerous trap of thinking that having IRaaS means that the responsibility for cybersecurity incident response has been fully outsourced to a third party. Ultimately, the final responsibility for cybersecurity incident response will always belong to your organization.

Many MSSPs want to use the same standardized processes and tools for all clients, including for IRaaS. If an organization doesn't provide enough relevant information and synchronize their cybersecurity processes with an incident response service provider, the IR service provider may have an incorrect or incomplete response to a cybersecurity incident, wasting valuable time and resources.

MSSPs can only work with the information you give them.

An organization needs to have a fairly mature cybersecurity program to work effectively with an incident response service provider. Organizations lacking basic internal cybersecurity incident response processes (such as a formal, documented, security incident response plan; escalation paths; and formal recovery methods) will likely not fully benefit from an IRaaS.

To get the most value from an IRaaS, your organization will likely have to share a significant amount of sensitive information about its information systems and cybersecurity processes with the MSSP. An organization could be harmed if an MSSP does not properly protect such sensitive data.

Getting the most value

It's critical that an organization synchronize and integrate its cybersecurity incident response processes with an IR service provider. An organization should refine its IR processes -- like its playbook and use cases -- to reflect that it will be responding to incidents with a partner. Escalation paths and contact points need to be clear and up to date. Be sure to have a process whereby your cybersecurity team can quickly respond to information from the incident response service provider and give feedback on the quality and relevance of the information.

Many IR service providers operate under a shared-responsibility model. It's very important that incident response duties be clearly defined and agreed to when an organization is first integrating with an IR service provider. You don't want to be figuring out who is responsible for what in the middle of a problem. Do joint incident response simulations to make sure assigned responsibilities are appropriate and realistic.

MSSPs can only work with the information you give them. The more they understand about your organization's information systems, cybersecurity controls and incident response processes, the more likely they are to be able to provide an effective and prompt response to a cybersecurity incident. At a minimum, an organization should be prepared to provide the following information to an IR service provider:

  • list of critical information systems
  • list of significant cybersecurity controls
  • network diagrams
  • security incident response plan

A cybersecurity team should have regular check-ins with its IR service provider; such meetings should include ensuring that the MSSP has up-to-date versions of the above information.

It's important that your organization's sensitive information be protected. So, as part of your IRaaS selection process, be sure to assess how your data will be stored and safeguarded and look for formal data-handling and usage policies that clearly define how the provider protects sensitive client data.

With careful planning and cooperation, a third-party IR service can significantly help your organization respond to cybersecurity incidents. Integration is key; you'll get the most value from an incident response service provider by considering them to be doing security with you rather than doing security for you.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing