3. Breach-to-Response Acceleration

Response Time--Combines Technology, Threat Knowledge, & Skills


Agencies must plan for success. Increasing response time is a combination of technology, threat knowledge, and the skill sets of cybersecurity practitioners. Lag time exists because organizations are unable to effectively integrate practitioner skills, threat knowledge, and technology. Although agencies are in possession of effective tools (e.g., Einstein and CDM) that collect indicators and signatures of malicious traffic crisscrossing the .gov domain, existing cybersecurity professionals lack the requisite skills to understand the cyber threat environment and employ the tools successfully to ensure agency cyber resiliency. Numerous published research studies have concluded that the growing problem is attributable to insufficient training, threat understanding, and a lack of the fundamental knowledge essential to effectively use these tools. Reaction time can only be reduced if cybersecurity professionals' skill sets are honed by training and exercising in a range environment where skill-based training and performance-based assessment can provide them with the requisite skills to employ the technology against an evolving threat to decrease response times. This is enhanced by organizational incident response preparedness. Agencies should consider the following (ISACA, 2012):

• Tools and techniques must be ready, and team members must be trained, before a response is made to the computer incident. Also, agency policies, procedures and guidelines for response need to be in place.

• Top management from all business units and external parties (e.g., managed service providers) should be required to participate in incident response exercises.

• Properly identify the incident. Is the event simply an unusual activity, or can it be identified as suspicious? If so, what are the surrounding activities?

• Contain the incident and its effects.

• Remove the issue as soon as it is realistically possible.

• Return the infected system to operational use as soon as feasible.

• Follow up with responders for improvements to the process.

ISACA. (2012). Incident Management and Response. Rolling Meadows, IL: ISACA.



2 votes
Public Input
Idea No. 81