
Detection and response, where to begin

Kacy Zurkus | Sept. 2, 2016
Industry leaders join together at the MASSTLC conference to talk about detection, incident response, and making security a collaborative exercise

Poulin said, "Perspective is everything. My personal philosophy is borrowed from a woodworking expression, 'measure twice, cut once.' You need to have something to measure the information."

All they have to do to weed through the overgrowth is determine where the problem lies for them: at the perimeter, in user role management, or in data access. The problem for many who feel overwhelmed and understaffed is that looming question: where do I begin?

When Gant Redmon, vice president of business development and general counsel at Resilient, an IBM company, and Paul Sheedy, assistant vice president of enterprise network security services operations at the Federal Reserve Bank of Boston, asked their audience what they wanted to know about "Building Your Incident Response Plan," the audience responded with "Where do I begin?"

When it comes to incident response plans, CISOs and CPOs want to know more than the blanket acknowledgement that they should have one.

Redmon said, "I often get asked, what does incident response technology look like and how do you turn run books into a collaborative exercise?"

In the early days of incident response plans, most people used spreadsheets or emails, but because the amount of data enterprises collect has grown exponentially, there are hundreds of things that an IR team needs to consider in developing a plan. 

"The technology allows you to have a lot of diverse plans, like if this happens, then do that," Redmon said. More importantly, teams need to be able to document that they understand the difference between incidents and events, and that they are logging all events.

Collecting all of that information in one place is easier and more efficient, and Redmon said, "They have to have a place where people are communicating within the system."

Communication and monitoring are two important strategies that allow for more rapid detection, and "Detection is king," said Sheedy.

"You have to monitor and detect for anomalies," and part of monitoring and detecting is collecting intelligence. By collecting intelligence, security teams will know more precisely how to build an effective IR plan specific to their business. Intelligence begins with looking at transactions.

When they monitor their transactions, they learn what normal is for their business. Anything outside of normal is an anomaly. "Begin with normal," said Sheedy. "What is the average transaction size? What is the average length of a transaction? Frequency?"

Establishing a baseline normal will help them detect more quickly those behaviors that are not normal, but people can quickly become overwhelmed and complacent, which is why Redmon said, "It's important to do simulations all the time."
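The "begin with normal" approach Sheedy describes, as an added example that is not code from the article or its speakers: a baseline is learned from historical transactions for the three metrics he names (size, duration, per-account frequency), and later transactions above the learned threshold are flagged. The transaction records, the 3-sigma threshold and the 10-minute frequency window are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

WINDOW_SECONDS = 600  # assumption: frequency = transactions per account per 10-minute window

# Constructed baseline sample (not from the article): (timestamp, account, size, duration seconds)
BASELINE_TXNS = [
    (0, "acct-1", 120.0, 1.2), (60, "acct-2", 95.0, 0.9), (120, "acct-3", 130.0, 1.4),
    (180, "acct-1", 110.0, 1.1), (240, "acct-4", 101.0, 1.0), (300, "acct-2", 125.0, 1.3),
    (360, "acct-3", 118.0, 1.2), (420, "acct-5", 104.0, 0.8), (480, "acct-4", 122.0, 1.1),
    (540, "acct-1", 109.0, 1.0),
]

# Constructed later window: one oversized transfer, one slow one, one chatty account
OBSERVED_TXNS = [
    (600, "acct-2", 118.0, 1.1), (630, "acct-9", 5000.0, 1.2), (660, "acct-3", 112.0, 45.0),
    (700, "acct-7", 100.0, 1.0), (710, "acct-7", 103.0, 1.0), (720, "acct-7", 99.0, 1.1),
    (730, "acct-7", 105.0, 1.0),
]


def _per_account_window_counts(txns):
    """Count transactions per (account, window) bucket: the page's 'frequency' metric."""
    return Counter((acct, ts // WINDOW_SECONDS) for ts, acct, _size, _dur in txns)


def build_baseline(txns, z=3.0):
    """Learn 'normal' as an upper threshold per metric: mean + z * population stdev.

    Edge case: if every baseline value is identical, stdev is 0 and the threshold
    collapses to the mean, so any larger value is abnormal without special casing.
    """
    sizes = [t[2] for t in txns]
    durations = [t[3] for t in txns]
    freqs = list(_per_account_window_counts(txns).values())
    return {name: mean(vals) + z * pstdev(vals)
            for name, vals in (("size", sizes), ("duration", durations), ("frequency", freqs))}


def find_anomalies(txns, baseline):
    """Return (timestamp, account, metric) for each transaction outside the baseline.

    Frequency is reported once per (account, window) so a burst yields one alert, not N.
    """
    counts = _per_account_window_counts(txns)
    flagged, bursts_seen = [], set()
    for ts, acct, size, dur in txns:
        if size > baseline["size"]:
            flagged.append((ts, acct, "size"))
        if dur > baseline["duration"]:
            flagged.append((ts, acct, "duration"))
        bucket = (acct, ts // WINDOW_SECONDS)
        if counts[bucket] > baseline["frequency"] and bucket not in bursts_seen:
            bursts_seen.add(bucket)
            flagged.append((ts, acct, "frequency"))
    return flagged


if __name__ == "__main__":
    for alert in find_anomalies(OBSERVED_TXNS, build_baseline(BASELINE_TXNS)):
        print(alert)
```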

Running tabletop exercises will also reveal gaps in the plan, exposing both what they know and what they don't know. "Stay calm. Never jump to conclusions," said Redmon.
