Blog

#ISC2CONGRESS: Post-Incident Reviews As Prevention

Nov 18, 2020

If there is one thing adversity can teach you, it’s how to avoid bad situations in the future. Or so you would think. But when it comes to incident response, most organizations fail to conduct a post-incident review (PIR), or when they do, it tends to be ineffective, according to Faranak Firozan, who works in Incident Response for NVIDIA.

As part of the (ISC)2 Security Congress 2020, Faranak delivered a presentation on PIR components and goals. She stressed the importance of PIRs in determining the causes of a security incident, its effects and the lessons an organization can learn to strengthen its security posture.

The PIR fulfills three primary objectives – identification, improvement and future protection. Lessons learned about which vulnerability enabled an incident, who and what was affected, and how the response unfolded are extremely valuable. They provide clues for organizations to strengthen their security postures.

Firozan said a successful review requires certain elements, such as management buy-in, clear end goals, and participation by all relevant stakeholders – not just the teams responsible for security and incident response. Without these elements, organizations may never understand what causes incidents or what tools, policies and practices to put in place to prevent them.

Metrics

A critical piece of any PIR, Firozan said, is the ability to gather metrics, which can be reviewed and tracked to make improvements. Organizations should implement a platform to track metrics and communicate them in understandable terms to company management in order to allocate the necessary resources.

Metrics, she said, reveal which departments and network components are struggling with security issues so that proper controls can be implemented. For instance, data may reveal that most of the incidents over a period of months are traceable to a group of network devices. Or that a specific department, be it accounting, finance, HR or DevOps, is the root of certain types of incidents. Without this type of knowledge, it’s difficult, if not outright impossible, to make improvements.
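The kind of PIR metrics described above can be computed from a simple incident register. The following is an added example, not code from the talk or from NVIDIA: it aggregates a constructed set of incident records by department, asset group and root cause, flags any group that accounts for at least half of all incidents, reports mean time to contain, and measures how many high-or-worse incidents actually received a PIR. All record values, field names and the 50% hotspot threshold are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Incident:
    """One row of the incident register (fields are assumed, not from the talk)."""
    ident: str
    department: str
    asset_group: str
    severity: str        # one of SEVERITY_ORDER
    root_cause: str
    detected: datetime
    contained: datetime
    pir_completed: bool  # was a post-incident review actually held?


# Constructed sample data covering four months; every value is hypothetical.
INCIDENTS = [
    Incident("INC-001", "finance",    "vpn-gateways",  "high",     "phishing",
             datetime(2020, 3, 2, 9), datetime(2020, 3, 2, 15), True),
    Incident("INC-002", "hr",         "workstations",  "medium",   "phishing",
             datetime(2020, 3, 10, 8), datetime(2020, 3, 10, 20), False),
    Incident("INC-003", "devops",     "vpn-gateways",  "critical", "unpatched-service",
             datetime(2020, 4, 1, 2), datetime(2020, 4, 2, 2), True),
    Incident("INC-004", "finance",    "vpn-gateways",  "high",     "credential-stuffing",
             datetime(2020, 4, 15, 10), datetime(2020, 4, 15, 14), False),
    Incident("INC-005", "accounting", "workstations",  "low",      "malware",
             datetime(2020, 5, 3, 11), datetime(2020, 5, 3, 13), False),
    Incident("INC-006", "finance",    "vpn-gateways",  "high",     "phishing",
             datetime(2020, 5, 20, 7), datetime(2020, 5, 20, 17), True),
    Incident("INC-007", "devops",     "build-servers", "medium",   "misconfiguration",
             datetime(2020, 6, 2, 9), datetime(2020, 6, 3, 9), False),
    Incident("INC-008", "finance",    "vpn-gateways",  "medium",   "phishing",
             datetime(2020, 6, 18, 13), datetime(2020, 6, 18, 16), False),
]


def count_by(incidents, field):
    """Number of incidents per distinct value of `field` (e.g. department)."""
    return Counter(getattr(i, field) for i in incidents)


def hotspots(incidents, field, threshold=0.5):
    """Return the single value of `field` that accounts for at least
    `threshold` of all incidents, or None if no group dominates."""
    counts = count_by(incidents, field)
    if not counts:
        return None
    key, n = counts.most_common(1)[0]
    return key if n / sum(counts.values()) >= threshold else None


def mean_time_to_contain_hours(incidents):
    """Average detection-to-containment time in hours."""
    return mean((i.contained - i.detected).total_seconds() / 3600 for i in incidents)


def pir_coverage(incidents, min_severity="high"):
    """Fraction of incidents at or above `min_severity` that got a PIR.
    A low value is the gap the talk warns about: serious incidents
    closed without a review."""
    floor = SEVERITY_ORDER.index(min_severity)
    eligible = [i for i in incidents if SEVERITY_ORDER.index(i.severity) >= floor]
    if not eligible:
        return 1.0
    return sum(1 for i in eligible if i.pir_completed) / len(eligible)


def report(incidents):
    """Management-facing summary: where incidents cluster and how well the
    programme is responding and reviewing them."""
    return {
        "incidents": len(incidents),
        "department_hotspot": hotspots(incidents, "department"),
        "asset_group_hotspot": hotspots(incidents, "asset_group"),
        "root_cause_hotspot": hotspots(incidents, "root_cause"),
        "mean_hours_to_contain": round(mean_time_to_contain_hours(incidents), 2),
        "pir_coverage_high_plus": pir_coverage(incidents),
    }


if __name__ == "__main__":
    for key, value in report(INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the report points at the VPN gateway group and phishing as the concentrations to address, and shows that one of four high-or-critical incidents was closed without a review; in practice the register would be exported from the ticketing or case-management system rather than embedded in the script.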

Firozan said not all incidents require a PIR. A determination should be made based on factors such as incident complexity, novelty and severity, and what value can be expected from the review. However, if the PIR team decides to go forward with the review, it’s better to do it sooner rather than later while details are fresh in all stakeholders’ minds, which makes it easier to collect the information needed for a meaningful determination.