4 Keys to Improving Incident Response Time

Tod Ewasko and Joe Loomis

Aug 14 2019

The ransomware epidemic that has paralyzed municipalities, hospitals and corporations worldwide continues to strike fear into the hearts of information security professionals. In the span of just one week in July 2019: The Georgia Department of Public Safety revealed that laptop computers in state police vehicles had been taken offline by ransomware; Louisiana Gov. John Bel Edwards declared a statewide emergency after a malware attack on Louisiana school systems; and the city power company in Johannesburg, South Africa, was hit by ransomware, taking down payment systems and causing power outages.

When a ransomware attack or other cybercrime incident occurs, it is crucial to activate an Incident Response (IR) plan immediately and attempt to minimize the damage caused by the breach. In fact, an extremely nimble and rapidly deployed IR to a ransomware attack can even enable an organization to lock down its data before the attackers’ encryption keys are activated, giving the organization a pre-attack point from which it can recover its data and avoid having to give in to ransom threats.

One of the key metrics that IR professionals have embraced to help mobilize their internal planning initiatives is “Mean Time To Respond” (MTTR)—a measure of the time it takes to control, remediate and/or eradicate a threat once it has been discovered. The goal for IR teams is very simple: How can we drive down our MTTR as much as possible so we are best positioned to protect and defend the organization’s data?

There are a variety of approaches an organization can consider to reduce its MTTR. From our experience in cybersecurity and IR, here are the four key areas where we recommend that organizations begin when looking to improve incident response time:

  1. Build a Healthy Sec Ops Team Culture

    It’s important to cultivate a culture among the IR professionals that will promote teamwork in the midst of an incident. Make sure to combine the technical knowledge of information security engineers with the skills of a manager who will lead the IR team, coordinate efforts with executives and other key stakeholders within the corporate structure, and serve as the subject matter expert when reporting internally. You can download a free eBook for guidance on the social maturity of IR teams. By establishing each team member’s responsibilities and identifying the individual resources needed for incident management, every member of the team will know their role and be able to act on it quickly in the event of an incident.

  2. Create Sound IR Plans

    There is just no substitute for a fundamentally sound response plan. An effective and adaptable IR plan will help not only with surviving in our modern tech landscape but also for controlling IT security costs. Additionally, creating a plan can reduce the risk of compromising your intellectual property and customer data in the chaos of a cyber incident. For free samples of IR playbooks that can be used as plan templates, go to

  3. Conduct Simulations and Tabletop Exercises

    It’s not enough to just create the plan; it must be put to the test, too. Once the team is built and the IR plan is in place, it’s important to test your IR time under a variety of simulated conditions, such as ransomware attacks, Distributed Denial of Service, virus intrusion or desktop vulnerabilities. Take note of any deficiencies in the team’s ability to respond to and resolve the incidents, set meaningful targets for each phase of incident response, and evaluate how each step can be improved. The simulation results should be reviewed by management beyond the IT organization to ensure they are aligned with the risks the enterprise finds acceptable and with its actual response capabilities.
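    The MTTR metric defined above and the per-phase targets recommended for tabletop exercises are easier to act on when they are computed the same way after every simulation and every real incident. The following is an added example, not code from the article or from the products it mentions: it takes a handful of constructed incident records with timestamps for each phase (the phase names and the target values are assumptions chosen for illustration), computes per-phase durations, flags phases that exceeded their target, and reports MTTR over closed incidents only, so that an incident still in progress does not silently drag the average down.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Ordered phases of the response workflow (assumed names, not from the article).
PHASES = ["detected", "triaged", "contained", "eradicated", "recovered"]

# Per-phase targets in minutes, as an IR team might set them during tabletop
# exercises (constructed values for illustration).
PHASE_TARGETS_MIN = {"triaged": 30, "contained": 120, "eradicated": 480, "recovered": 1440}


@dataclass
class Incident:
    incident_id: str
    timestamps: Dict[str, datetime]  # phase name -> when reached; absent = not yet reached


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed sample incidents; INC-003 is still open.
INCIDENTS: List[Incident] = [
    Incident("INC-001", {
        "detected": _ts("2019-07-22T08:00"), "triaged": _ts("2019-07-22T08:20"),
        "contained": _ts("2019-07-22T09:30"), "eradicated": _ts("2019-07-22T14:00"),
        "recovered": _ts("2019-07-23T08:00"),
    }),
    Incident("INC-002", {
        "detected": _ts("2019-07-24T22:00"), "triaged": _ts("2019-07-24T23:15"),
        "contained": _ts("2019-07-25T03:00"), "eradicated": _ts("2019-07-25T09:00"),
    }),
    Incident("INC-003", {
        "detected": _ts("2019-07-26T10:00"), "triaged": _ts("2019-07-26T10:10"),
    }),
]


def phase_durations(incident: Incident) -> Dict[str, Optional[float]]:
    """Minutes spent moving into each phase from the previous one; None if not reached."""
    durations: Dict[str, Optional[float]] = {}
    previous = incident.timestamps.get(PHASES[0])
    for phase in PHASES[1:]:
        current = incident.timestamps.get(phase)
        if previous is None or current is None:
            durations[phase] = None
        else:
            durations[phase] = (current - previous).total_seconds() / 60
        previous = current
    return durations


def time_to_respond(incident: Incident, end_phase: str = "eradicated") -> Optional[float]:
    """Minutes from discovery to the chosen end phase; None while the incident is open."""
    start = incident.timestamps.get("detected")
    end = incident.timestamps.get(end_phase)
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 60


def mean_time_to_respond(incidents: List[Incident], end_phase: str = "eradicated") -> Optional[float]:
    """MTTR over closed incidents; open incidents are excluded rather than counted as zero."""
    values = [t for t in (time_to_respond(i, end_phase) for i in incidents) if t is not None]
    return mean(values) if values else None


def phases_over_target(incident: Incident) -> Dict[str, float]:
    """Phases whose duration exceeded the exercise target."""
    return {
        phase: minutes
        for phase, minutes in phase_durations(incident).items()
        if minutes is not None and minutes > PHASE_TARGETS_MIN[phase]
    }


def report(incidents: List[Incident]) -> None:
    for incident in incidents:
        ttr = time_to_respond(incident)
        status = f"{ttr:.0f} min to eradication" if ttr is not None else "still open"
        print(f"{incident.incident_id}: {status}; over target: {phases_over_target(incident) or 'none'}")
    mttr = mean_time_to_respond(incidents)
    print(f"MTTR (closed incidents): {mttr:.0f} min" if mttr is not None else "MTTR: no closed incidents")


if __name__ == "__main__":
    report(INCIDENTS)
```

    Run as a script, it prints one line per incident and the MTTR over the two closed ones. Reviewing the flagged phases after each exercise (here, triage and containment on the second incident) is what turns the metric into the specific, per-phase improvements the article recommends.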

  4. Deploy Integrated Security Products

    A fourth key to driving down MTTR in a cyber incident is to leverage emerging technology products that help to automate the crucial early stages of the IR workflow. For example, AccessData and CyberSponse have partnered to integrate AD Enterprise, a leading software product for managing internal forensic investigations and post-breach analysis, with the CyOPs™ incident management automation and orchestration platform to automate the early stages of data collection and forensic capture. If various cybersecurity tools in the enterprise detect an attack, CyberSponse’s CyOPs sends an alert that is received by AD Enterprise, which initiates a collection job within moments at a designated endpoint or affected asset. This saves precious time in the initial stages of the incident response by preserving critical data, data relating to the root cause of the breach, and time-sensitive forensic evidence. This is the first API integration between orchestration and forensics of its kind in the cybersecurity industry and has the potential to be a true game-changing tool in the hands of IR and forensic professionals.

In spite of the headlines associated with widespread ransomware attacks and the financial impact of data breaches, a surprising number of organizations are still struggling with how to improve their MTTR. A 2019 survey by the Ponemon Institute found that 77% of organizations do not have a cybersecurity IR plan applied across the enterprise and, among those organizations that do have a plan in place, more than half admit they do not test their plans regularly.

CyberSponse and AccessData co-presented a free webinar to help information security professionals and corporate IT leaders get a better grasp on how to improve their IR times in the event of a ransomware attack or other cyber incident. The webinar is available to view on demand.
