Tech firm open sources their incident response plan to help your company

Posted on 01.12.17

By John DeMarzo, Associate | Risk Advisory Services

It’s a Friday afternoon, and the last thing between you and your weekend is a quick document review. You click to open a file from your company intranet, but instead of opening MS Word, you are presented with a screen that is asking for you to pay $10,000 in Bitcoin --- a popular cryptocurrency --- to obtain the password which unlocks the file.

You contact the IT department, and they realize that somehow ransomware has infected the file and propagated across the corporate network. How will your IT team respond? Do they have a plan in place for this eventuality? Is anyone reachable on this Friday afternoon?

According to a June 2016 IBM study, data breaches cost companies an average of $221 per compromised record. Multiply that by the hundreds of thousands of records that could be housed on a server, and the cost of a data breach could potentially soar into the millions. Heavily regulated industries such as healthcare, life science, and financial services usually have a data breach cost far above $221 per compromised record.

Ransomware, or any other type of cyberattack, can happen to anyone. While there is no perfect solution to preventing a cyberattack --- at least not yet, anyway --- the steps your team takes before, during, and after a cyberattack may dramatically impact the cost of the attack. In fact, the same IBM study found that incident response plans and business continuity management are the first and fourth, respectively, most effective ways to reduce the cost of a data breach. With a robust incident response plan in place, you’ll know that even late on a Friday afternoon, your team is trained and ready to respond.

In early January 2017, PagerDuty, an incident response software developer and vendor, announced that they open-sourced their internal incident response documentation. It provides invaluable insight into how an incident response company responds to their own security events. It’s like getting lawn care advice from the superintendent of Augusta National.

Unsurprisingly, it addresses each major area of the SANS Institute’s incident response plan guidance. It covers:

  • Employee expectations about what it means to be “on call” and the types of alerts they are expected to respond to while on call
  • Severity Levels 1-5, what each means and what to do for each one
  • Roles and responsibilities
  • Etiquette
  • A 14-point process to execute when responding to a cyber attack
  • A post-mortem/lessons learned process
  • Training

PagerDuty generously released their documentation under the very permissive Apache 2.0 license. Companies can use it both internally and commercially. However, if it is redistributed, it must maintain the same license and retain the original copyright notices.

PagerDuty’s decision to open-source its incident response documentation is part of a developing trend in which technology companies are open-sourcing management tools. For example, GitLab, an open-source code management platform, recently open-sourced their Human Resources manual in an attempt to help companies streamline their Human Resources functions.

PagerDuty’s open-sourcing of its incident response documentation is a key step toward helping organizations learn how best to respond to information security incidents, which begins with creating an incident response plan.

What can you do to take advantage of this newly open-sourced content?

  1. If you don’t have an incident response plan in place, PagerDuty’s would serve as an excellent collection of best practices to help create your own plan.
  2. If you already have a plan in place, the content can serve as a valuable resource to identify areas where your plan could be improved.

Implementing an incident response plan, however, is not as simple as copying and pasting the documentation into your own network. Cybersecurity and incident response require buy-in from organization leadership, an investment in training, and a continuous, disciplined implementation.

The PagerDuty response plan focuses on the training and technical elements of incident response, although they do wisely prefix all emails and chats with “Attorney Work Product”, which may protect the communications from discovery if the incident results in litigation. We also recommend that your plan include an escalation path that triggers notification of your cyber insurer and/or your cyber attorney if you believe you may have suffered a data breach.

Need help implementing a Cybersecurity plan for your business? Contact us | 804.747.0000. We can help.

Resources:

  • PagerDuty’s Open Source Announcement
  • PagerDuty’s Incident Response Plan
  • PagerDuty’s GitHub Repository
  • SANS Institute - Incident Handler’s Handbook
  • SANS Institute - An Incident Handling Process for Small and Medium Businesses