Overview

Recently we engaged with a financial services customer to develop and walk through their incident response exercise. This exercise acted as a training event and helped participants understand their roles and responsibilities when managing an incident scenario. This training exercise proved to be invaluable when the customer experienced a real-world incident just two short weeks later. With the tabletop exercise fresh in their minds, incident responders put their knowledge to use by walking through incident response steps in a thoughtful, efficient and unemotional manner.

Pre-Incident Situation

Prior to this engagement, our customer had difficulties with the incident response process. Upon discovering a potential security incident, company leaders felt unprepared to effectively manage the event and minimize potential fallout. The net effect for the customer was an incident response filled with stress, mistakes, and unplanned diversions of resources that would normally be productively employed. Nonetheless, the customer was hesitant to create an Incident Response Plan for itself. Stakeholders seemed paralyzed by the myriad “moving parts” and competing requirements present in a typical security incident. Recognizing its deficiencies in this area, the customer asked SDS to build a repeatable process and help stakeholders improve the overall security incident response process.

After sharing an initial draft Incident Response Plan, the SDS team arranged a low-intensity tabletop incident response simulation. Our goals were simple: 1) use the draft Plan to communicate a logical and sound process for responding to actual or potential security incidents; and 2) create a forum for participants to actively provide feedback on the draft, based on their unique business needs. The customer found the tabletop simulation enlightening, and the new awareness dramatically improved overall confidence in the incident response process. Though many unanswered questions remained, the tabletop simulation raised the bar for the customer and readied responders for the next incident.

Real-World Security Incident

A new opportunity materialized two weeks following the customer’s incident response simulation. An employee reported the theft of a company-owned laptop computer. With guidance from SDS, responders sprang into action using the Incident Response Plan, which was still in draft. The customer mobilized its newly formed Computer Security Incident Response Team (CSIRT) and worked efficiently through the steps defined in the Incident Response Plan. As a result, the customer responded to this security incident with calm efficiency, sound business decisions, and speedy resolution of the situation.

Lessons Learned

The customer walked away with valuable lessons learned from SDS’ support and guidance. Participants gained an appreciation for the value of practicing incident response procedures via the simulation process. Stakeholders found new confidence thanks to a well-defined Incident Response Plan. The customer now understands that a good Plan need not incorporate every possible contingency found in real-world incident response scenarios. Instead, the customer made significant strides by improving efficiency and reducing anxieties among participants and stakeholders. The customer’s new confidence in the overall incident response process will enable the organization to improve outcomes for all involved. With SDS’ ongoing support and guidance, this customer can think beyond reacting to these unfortunate events and begin to focus on proactive measures to minimize their occurrence.