Incident Management in Cybersecurity: the Must-know Basics

Incident Management: Definition, Process, Tools & Best Practices

What is incident management?

Incident management in cybersecurity is the set of activities aimed at handling cyber incidents (security events) that occur in a given digital environment.

Because no organization can defend against every threat, incident management should be an integral part of any cybersecurity policy.

Successful incident management has three major components:

  • Process.
  • Team.
  • Tools.

Incident management process

Types of incident management processes:

  • Internal. The organization's own IT or security team handles the cyber event.
  • External. Service providers or software vendors are in charge of incident management, typically through their:
    • Site Reliability Engineering (SRE) team
    • DevOps team

There are five basic steps in the IT incident management process:

  1. Planning.
  • Create a database of the known cybersecurity threats and the associated risks.
  • Define the assessment criteria (e.g., severity) for each risk, threat and incident type.
  • Identify and acquire the tools that stop the event and minimize the damage.
  • Write down the incident scenarios together with response guidelines.
  • Create a fallback playbook for incidents that aren't in your database.
  • Appoint the response team and set the responsibilities of each member.
  • Determine who communicates with employees, clients, partners, authorities and the public, how, and when.
  • Identify ways to minimize the risks.
  • Set the timeframes for recovery.
  2. Cyber incident detection & identification.
  3. Incident response & recording.
  4. Recovery from the incident.
  5. Cyber incident analysis.

The benefits of an incident management plan:

  • Save time and money, as roles and activities are predetermined.
  • Distribute your resources better.
  • Increase the efficiency of incident management.
  • Communicate the event clearly.
  • Increase cybersecurity resilience.

Incident Response Team

The composition of such a team depends heavily on multiple factors, e.g. the company's size, its budget, and whether certain roles exist in the organization at all.

An incident response team should be able to carry out the following tasks:

1. Team management and response orchestration

2. Contacting authorities and law enforcement

3. Incident analysis and identification

4. Incident termination and recovery

5. Communication management:

  • inside organization
  • with external parties (clients/users, partners, media)

6. Handling the legal consequences of the incident

7. Managing short-term and long-term business consequences

In some cases one person carries out multiple tasks (e.g., the company's CEO contacts law enforcement and runs internal and external communications). In other cases multiple experts are in charge of a single task (e.g., the CISO and a security analyst both perform incident analysis).

Incident Management Tools

  1. Alert tools:
    1. Service desks let customers and employees report cyber events (as well as their suspicions and concerns) to the response team.
    2. Intrusion detection systems (IDS) monitor and report incidents automatically.
  2. Configuration management databases (CMDBs) store information about your IT systems (assets, owners, dependencies) that responders need in order to scope an incident.
  3. Tools for internal and external communications are necessary to manage the incident response and to keep third parties informed about the event.
  4. Backup tools help you roll back your systems and recover data.

Automated incident response software such as SpinOne is a separate category: it performs a number of functions that are usually the province of cybersecurity experts. Such tools raise alerts, store data about the incident, resolve it and recover automatically. Automation covers the scenarios you have planned for; incidents that aren't in your database still need the response team and the fallback playbook.
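The five-step process above and the alert and automation tools just listed, as one added example that is not code from the original article or from SpinOne: a small Python pipeline that takes constructed sshd log lines (standing in for an IDS-style detection rule) and one constructed service-desk ticket, opens incidents, assesses them against a planned incident database with a fallback playbook for unknown kinds, records every action with a timestamp, checks recovery against the planned timeframe, and produces a post-incident summary. The incident types, playbook action names, thresholds and log lines are all assumptions made for the example.

```python
# Added example (not from the article or SpinOne): the five-step process as a
# runnable pipeline over constructed log lines. Names, thresholds and playbooks
# are assumptions for illustration.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Step 1 (planning): database of known incident types with assessment criteria
# (severity), playbook and recovery timeframe, plus a fallback for unknown ones.
KNOWN_INCIDENTS = {
    "ssh_bruteforce": {"severity": "high", "recovery_hours": 4,
                       "playbook": ["block_source_ip", "force_password_reset"]},
}
DEFAULT_PLAYBOOK = {"severity": "medium", "recovery_hours": 8,
                    "playbook": ["escalate_to_oncall", "collect_evidence"]}

# Constructed sample input (not real data): sshd auth lines and one service-desk ticket.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd[311]: Failed password for root from 203.0.113.5 port 40122 ssh2
2024-05-01T10:00:03 sshd[311]: Failed password for root from 203.0.113.5 port 40123 ssh2
2024-05-01T10:00:04 sshd[311]: Failed password for admin from 203.0.113.5 port 40124 ssh2
2024-05-01T10:00:06 sshd[311]: Failed password for root from 203.0.113.5 port 40125 ssh2
2024-05-01T10:00:07 sshd[311]: Failed password for root from 203.0.113.5 port 40126 ssh2
2024-05-01T10:05:00 sshd[312]: Failed password for alice from 198.51.100.7 port 50001 ssh2
2024-05-01T11:30:00 servicedesk: ticket 4471 user bob reports an unknown USB drive found in the lobby
"""
FAILED_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for \S+ from (\S+) port")
DESK_RE = re.compile(r"^(\S+) servicedesk: ticket (\d+) (.+)$")

@dataclass
class Incident:
    kind: str
    detected_at: datetime
    evidence: List[str]
    severity: str = ""
    recover_by: Optional[datetime] = None
    closed_at: Optional[datetime] = None
    timeline: List[Tuple[datetime, str]] = field(default_factory=list)  # the incident record

def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> List[Incident]:
    """Step 2: identify incidents from an IDS-style rule (N failed SSH logins from
    one IP inside the window) and from service-desk reports."""
    incidents, flagged = [], set()
    failures = defaultdict(list)  # source IP -> [(timestamp, line)]
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
            failures[ip].append((ts, line))
            recent = [l for t, l in failures[ip] if ts - t <= window]
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)  # one incident per source, with the matching lines as evidence
                incidents.append(Incident("ssh_bruteforce", ts, recent))
        elif m := DESK_RE.match(line):
            ts = datetime.fromisoformat(m.group(1))
            incidents.append(Incident("user_report", ts, [f"ticket {m.group(2)}: {m.group(3)}"]))
    return incidents

def respond(incident: Incident) -> Incident:
    """Step 3: assess against the planned criteria, run the playbook, record every action."""
    plan = KNOWN_INCIDENTS.get(incident.kind, DEFAULT_PLAYBOOK)
    incident.severity = plan["severity"]
    incident.recover_by = incident.detected_at + timedelta(hours=plan["recovery_hours"])
    source = "database" if incident.kind in KNOWN_INCIDENTS else "fallback"
    t = incident.detected_at
    incident.timeline.append((t, f"opened as {incident.severity}, {source} playbook"))
    for action in plan["playbook"]:
        t += timedelta(minutes=5)  # simulated duration; real tooling stamps actual completion
        incident.timeline.append((t, f"action: {action}"))
    return incident

def recover(incident: Incident, recovered_at: datetime) -> bool:
    """Step 4: close the incident; returns False when the planned timeframe was missed."""
    if incident.recover_by is None:
        raise ValueError("respond() must run before recover()")
    incident.closed_at = recovered_at
    on_time = recovered_at <= incident.recover_by
    incident.timeline.append((recovered_at, "recovered" if on_time else "recovered LATE, timeframe missed"))
    return on_time

def analyze(incidents: List[Incident]) -> dict:
    """Step 5: post-incident analysis: severity mix, adherence to recovery
    timeframes, and incident kinds that should be added to the database."""
    return {
        "by_severity": Counter(i.severity for i in incidents),
        "within_timeframe": sum(1 for i in incidents if i.closed_at and i.closed_at <= i.recover_by),
        "unknown_kinds": sorted({i.kind for i in incidents if i.kind not in KNOWN_INCIDENTS}),
    }

def run(log_text: str = SAMPLE_LOGS):
    incidents = [respond(i) for i in detect(log_text)]
    for inc in incidents:  # simulated: recovery completes one hour after the last action
        recover(inc, inc.timeline[-1][0] + timedelta(hours=1))
    return incidents, analyze(incidents)

if __name__ == "__main__":
    found, report = run()
    for inc in found:
        print(inc.kind, inc.severity, "recover by", inc.recover_by)
        for ts, note in inc.timeline:
            print("  ", ts.isoformat(), note)
    print(report)
```

Run it directly to print each incident's timeline and the summary. What a practitioner should take from it is the structure rather than the toy rule: detection and response are separate steps, every action is recorded with a timestamp so the analysis step has data to work with, an incident kind that isn't in the database is still handled through the fallback playbook instead of being dropped, and a missed recovery timeframe is written into the record rather than silently ignored. Real tooling would replace the simulated timestamps with actual completion times and the in-memory dictionary with the CMDB and ticketing system.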

Best practices of security incident management

  1. Appoint roles, create a playbook for each, and set clear metrics to avoid misunderstandings.
  2. Document your incident management process and make sure it is consistent with the other policies in place.
  3. Don't rely on policies alone: run training exercises and penetration tests.
  4. Never skip post-incident analysis.
  5. Use cybersecurity automation when and where possible.