Prepare Yourself with Incident Response Tabletop Sessions

Posted by Matthew Pascucci

It's inevitable: Sooner or later, you will experience a security breach. Whether the news makes the front pages of a national media publication or is kept within the walls of your company doesn't matter—you'll still feel the repercussions.

So how can you prepare? Conduct an incident response (IR) tabletop exercise with all the groups responsible for their part of the incident response plan. Many organizations already have incident response plans, but it's one thing to have a written plan on how you'd react, and another to actually execute it. Here are a few areas to focus on when you get started:

Review Your Current IR Plan

You need to have an incident response plan before you can review or test one, so establishing a written plan of defense is step number one. It may be useful to have parts of your incident response plan sent to other groups for review. Disseminating the plan to all associated business units helps with team building, and also lets other groups offer a different perspective. It’s a good way to uncover the missing elements that should be added. It also gets participants thinking about collaboration and cooperation, two themes at the heart of the actual tabletop sessions.

Bring in Management Early

With your incident response plan in hand, you can start tabletop sessions. It may be beneficial to split the group into management and technical sessions because one group might be less inclined to speak with upper-level management types. It also helps guide the tabletop towards a particular goal if like-minded people are in the room. The management session should focus on the reaction to a breach and what actions are expected after the breach. Examples include who gives the go-ahead to respond to social media, to make the calls to payment providers if credit cards were involved, to notify stockholders, and other tasks. These details need to be laid out before a breach occurs; you don't want to be wandering aimlessly in the heat of the battle wondering who does what. If each member of management is fully aware of his or her responsibility during a breach, then you can hit the ground running as soon as it occurs.

Review the Incident with Technical Engineers

You run the exercise with engineers for the same reasons as you do for management, but for a different role. Decide upon a particular event for the tabletop, such as "your customer list was found on the Internet," and run through the plan. The technical team should review the steps they would take to determine where the breach occurred, who they'd bring in to assist, and who would make the call to law enforcement. The team needs to know who would be responsible for pulling logs, starting forensics and performing other tasks associated with the investigation. This needs to be orchestrated quickly and efficiently during a potential loss of data. At the end of the exercise, each engineer and group in the organization should have a better understanding of their roles during a breach.

Hire a Third Party (If Possible)

There's always the possibility of bias during the tabletops, so having a third party come in to run the sessions could be beneficial. These third-party assessors can work with engineers in the company beforehand to determine what systems they're currently running and to understand more about their business in general. They can then tailor specific tabletop incidents for the company to work through. Consultants normally have firsthand experience working data breaches, which adds to the authenticity of the tabletop. It also helps to have a liaison between the groups should disagreements arise between the internal parties.

The ultimate goal of an incident response tabletop exercise is to prepare your company for a data breach. Having this legwork done ahead of time can assist with limiting the damage and containing the incident. Being prepared is key to making sure a bad situation doesn't become even worse.



Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
