Security incidents occur. It's not a matter of "if," but of "when." That's why you implemented security products and procedures to optimize the incident response (IR) process.
However, many security pros who are doing an excellent job in handling incidents find effectively communicating the ongoing process with their management a much more challenging task.
In many organizations, leadership is not security savvy, and they aren't interested in the details regarding all the bits and bytes in which the security pro masters.
Luckily, there is a template that security leads can use when presenting to management. It's called the IR Reporting for Management template, providing CISOs and CIOs with a clear and intuitive tool to report both the ongoing IR process and its conclusion.
The IR Reporting for Management template enables CISOs and CIOs to communicate with the two key points that management cares about—assurance that the incident is under control and a clear understanding of implications and root cause.
Control is a key aspect of IR processes, in the sense that at any given moment, there is full transparency of what is addressed, what is known and needs to be remediated, and what further investigation is needed to unveil parts of the attack that are yet unknown.
Management doesn't think in terms of trojans, exploits, and lateral movement, but rather they think in terms of business productivity — downtime, man-hours, loss of sensitive data.
Mapping a high-level description of the attack route to damage that is caused is paramount to get the management's understanding and involvement – especially if the IR process requires additional spending.
The IR Reporting for Management template follows the SANSNIST IR framework and will help you walk your management through the following stages:
Attacker presence is detected beyond doubt. Follow the template to answer key questions:
- Was the detection made in-house or by a third-party?
- How mature is the attack (in terms of its progress along the kill chain)?
- What is the estimated risk?
- Will the following steps be taken with internal resources or is there a need to engage a service provider?
First aid to stop the immediate bleeding before any further investigation, the attack root cause, the number of entities taken offline (endpoints, servers, user accounts), current status, and onward steps.
Full cleanup of all malicious infrastructure and activities, a complete report on the attack's route and assumed objectives, overall business impact (man-hours, lost data, regulatory implications, and others per the varying context).
Recovery rate in terms of endpoints, servers, applications, cloud workloads, and data.
How did that attack happen? Was it a lack of adequate security technology in place, insecure workforce practices, or something else? And how can we mend these issues? Provide a reflection on the previous stages across the IR process timeline, searching for what to preserve and what to improve.
Naturally, there is no one-size-fits-all in a security incident. For example, there might be cases in which the identification and containment will take place almost instantly together, while in other events, the containment might take longer, requiring several presentations on its interim status. That's why this template is modular and can be easily adjustable to any variant.
Communication with management is not a nice-to-have but a critical part of the IR process itself. The definitive IR Reporting to Management template helps security team leads make their efforts and results crystal clear to their management.