Analyst Chat

Analyst Chat #12: Incident Response Management


Christopher Schütze and Matthias Reinwarth explain the importance of having an incident response plan.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. In each edition, we will have one guest joining me, often a fellow analyst or another interesting partner, and we will have a 15-minute or so chat around current topics. My guest today is Christopher Schütze, and our topic today is incident response management. So welcome, Christopher.

Thank you, Matthias.

When we want to talk about incident response management, it all starts with an incident. So what do you recommend that an enterprise, an organization, a company should do to prepare for an incident? What are the steps to take?

Well, as you already said, the most important thing is preparation. So it is not sufficient, if you have an incident, to only then start to think about what to do, who to contact and how to mitigate an existing threat or attack on you. So really the first step when talking about incident response management is preparation. "Preparation is key" is a simple phrase we usually use there. And then the preparation should include things like thinking about what might happen to your organization, how to organize internally, how to communicate internally and externally, and things like that. And this is really the thing you should do at the beginning. And therefore we have a really good process for implementing and thinking about an incident response management process or creating something like a plan.
Okay. So this is also very much about risk management, understanding risk.
Yeah, that's right. So usually, if you want to identify the risk for your organization, you have something like a risk assessment and really get to know the things which might happen to your organization. So for instance, really a cyber attack, something like a data breach, or maybe also something like a pandemic crisis like we currently have, but pandemic crises are more or less business continuity management and resiliency and things like that. Really, incident response management is more focused on an active attack on your organization, and therefore you need to prepare.
Okay. So if you are preparing, what are the phases that you are preparing for? I think the more you have at hand when things happen, the better off you are.
Yeah, that's right. So usually we, as KuppingerCole, think about seven phases when we talk about incident response management processes. Usually everything starts with detection. So really getting informed or getting information about a data breach or an incident in your organization. Really, in the worst case, you get this information from a social media post, from a news magazine or from some private people. This is really the worst case; in a good case, you detect it internally. But here it really starts: your employees, your IT staff need to be trained so that they know how to proceed if they realize that there might be an incident. So this leads to the next step: who is informed about an incident, so that the incident response management process can really start. And then usually the next step is the triage phase, where, if you are part of the incident response management team, after getting informed, you might have something that you really start to investigate, to collect more information about the incident, the attack, and then really be able to rate how critical this thing is to you and what the next steps are. And here again, this is something you can prepare. You can create something like a categorization from one to three or A-B-C level incidents, which trigger different processes at the end: maybe C-level attention, or chief executive officer attention, or only at IT level, and with or without informing public authorities or things like that.
But that also involves having the right technologies, the right systems in place. So incident response management always overlaps also with technology: of course the processes, but also having the right systems in place to be capable of doing this triage.
Yeah, that's right. Usually you might have systems like a SIEM system to collect log files, to collect access information or things like that. This is really a difficult phase, and the better you are prepared here, the easier it is to really identify the cause of the incident at all. And if not, you really have to go to all the systems and have a look at what happened, what might be the cause, and things like that. And this is really the preparation for the next phase. Then, after getting to know what it is and how critical it is for you, you for sure need the next prepared steps to contain it, to prevent further harm to your organization, maybe to isolate network segments, systems, or things like that. Because especially here it's really critical and important that you do not just turn off the systems, because you want to do things like forensic analysis, and you want to do things like law enforcement.
Therefore you really need to keep the information which might be stored in the memory of the system available, and if you turn systems off, that information gets lost forever. And then for sure, the next step is to remove the incident. If it's something like malware or ransomware, you are really highly interested in deleting it from the systems, and therefore you need experts. If you are a smaller company or organization, maybe you need external support here. And this is something you need to prepare too, because if you start, in case of an incident, to investigate or to Google for experts for forensic analysis, this is not the best idea. So you should have some contacts here, some experts, internal and external. And also important is, depending on your organization's size, you might need this 24/7.
But once this has happened, how do you get back to normal? What is the next step then, once you have removed all the threats from the system?
Yeah, for sure. If you have removed the threat, the malware, the software, whatever happened, from your systems, the next step is really a restoration to enable your systems to work like they did before the incident, installing backups. If data is affected, you have to investigate if there is an infected backup or things like that. This is really important, otherwise you might re-install the malware or the ransomware again. This is really the next step, going back to normal business. And then a very important thing happens in the next phase, the notification phase. And here it's really important, based on the German or the European GDPR requirements, especially for data breaches: if you get informed the first time that potential customer data is breached, then you have 72 hours to inform public authorities about that. So maybe really here this notification phase for informing public authorities might come earlier, depending on how long it takes for the containment, eradication and restoration phases. This is really essential. So usually it's the sixth step in the process, but it depends on the things which happened before. And usually, and this was mentioned by a report from the UK, it takes up to 60, 70 days from having an incident internally, like a data breach, until you, as an organization, realize that you had something.
Okay, but that is the point in time when the clock starts ticking, when you actually realize that something has happened.
Exactly, but important, and this is what I said at the beginning: you have to train your employees. If the person who gets informed is maybe the person who works at reception and has no IT background and gets informed, "Hey, you have a data breach," this is when the clock starts to count for the 72 hours.
So I think this communication process in itself, this ominous black suit communication, when really somebody who is capable and in the position of actually informing authorities and maybe even the data subjects gets involved, that is a process that really needs training and preparation, because I think this communication can go horribly wrong.
Exactly. And communication in general is a really important topic when talking about incident response management. Just think about an IT responsible person who is using Twitter and is answering some data breach topics with a private account, and the press realizes that and is quoting him and things like that. So another important thing, and part of an incident response management process and preparation, is having something like a communication team with C-level attention, with PR and really responsible persons.
Okay, great. So now with that we've come from detection to understanding what has happened, to containing the issue, to removing the issue, to restoring the data, to communicating. What would be the wrap-up phase? How do you conclude such an incident and prepare for the next one?
Yeah. At the end, it's prepare for the next one, because usually you will become the victim of an attack again, or have an incident again. And really a part of the incident response management process which is very important is the last one, the review phase: that you have a look at your process, at the things that went well and those that didn't, and here you can learn and realize a lot about what you can improve the next time, so that you do not make mistakes.
Okay. Understood. I think this incident response management process is really something that many organizations still just do not have in place. They're still lacking that. So I assume that we, as KuppingerCole, are offering trainings, support, anything like that here.
Yeah, for sure. Actually we have a masterclass running about incident response management. That is very interesting. It is four chapters with four subtopics where we really explain what is important, what you need to do, how to communicate, and really how to do that thing. And at the end, the idea is to enable you to set up an incident response management plan and process in your organization. And for sure, we have a lot of research on that topic too.
Okay, great. Thank you. So I think that everybody who listened to this podcast and realized that there might be some room for improvement for their own incident response management process, please feel free to get in touch with Christopher or me or KuppingerCole in general. Thank you very much, Christopher. Anything final you want to add to this?
No, I think that was a really good chat about incident response management. I would be happy, if you have further questions, that you contact one of us. Thank you.
Okay, great. Thank you very much, Christopher, for taking the time. Thank you very much to the audience for listening, and I'm happy to have you in a future edition of this podcast again. Thank you, Christopher. Bye-bye.
