Incident Response Planning in a Nutshell: Leveraging Lessons Learned
“Some of the best lessons we ever learn are learned from past mistakes. The error of the past is the wisdom and success of the future.” – Dale Turner, American singer-songwriter and record producer
As the final part of our 5-part series about Incident Response Planning (IRP), this article dives deeper into how the often-overlooked lessons learned exercise can help organizations improve their incident response capabilities going forward.
Find more detailed information about IRP in the articles below:
While often overlooked, lessons learned sessions are crucial to improving an organization’s security posture and its readiness to face future security incidents. They help evaluate incident response performance, identify challenges and improve incident response capabilities going forward. For lessons learned sessions to be effective, they need to involve at a minimum four different functions, follow a strict process, provide answers to specific questions about the incident and establish clearly defined action items for follow-up and continuous improvement.
According to NIST Special Publication 800-61, Rev. 2, “one of the most important parts of incident response is also the most often omitted: learning and improving”. In fact, only 58% of organizations regularly review and update their incident response processes – a number far too low if those processes are to remain an effective safeguard against security incidents (The SANS Institute, 2017).
This article covers:
The Project Management Institute (PMI) defines lessons learned as “the learning gained from the process of performing the project”. In the context of security incidents, lessons learned sessions usually take place after a security incident has occurred and has been mitigated.
The SANS Institute identifies Lessons Learned as the sixth and final of the 6 critical stages of the Incident Response Process (after Preparation, Identification, Containment, Eradication and Recovery).
Lessons learned sessions are recommended to evaluate your mistakes, take stock of what happened during the incident and assess how your team dealt with mitigating its impact. The purpose of a lessons learned session is to share and use the knowledge gathered from a security incident to:
Lessons learned sessions offer a variety of benefits for the incident response team, the organization, and the handling of both current and future incidents. A properly executed lessons learned exercise can help organizations:
►►►Tip: Make sure to briefly go over these benefits at the beginning of each lessons learned session. This will help remind session attendees why their feedback and active participation is important.
To make sure that lessons learned sessions are as effective as possible, they should follow a predefined, standardized 5-step process. First, all findings are collected. They are then documented and shared with all relevant parties. Next, the findings are analyzed and stored in a repository that is accessible to all relevant parties. Finally, this allows findings to be retrieved and used when future incidents occur.
The lessons learned session should take place as soon as possible following a security incident, preferably within a couple of days. The sooner the session is organized, the fresher the incident will be in the memory of those who have dealt with the incident.
In certain cases, it may also make sense to begin the lessons learned exercise before the incident is over, depending on the complexity and criticality of the incident. For example, an organization experiencing a security incident that takes several months to mitigate should not wait until the incident is fully mitigated. Scheduling a lessons learned session while the incident is still ongoing may reveal insights that turn out to be useful for the mitigation activities still underway.
►►►Tip: If your organization is experiencing a security incident, ask yourself when it would make most sense to have a lessons learned session, not whether you have the time (chances are, you’ll never have the time…).
The participants of a lessons learned session will vary depending on the size and structure of the organization, but should at least include the following functions:
►►►Tip: Depending on how your organization is structured, you may want to include additional functions such as Legal, HR, Communications/PR etc. Before organizing a lessons learned session, make sure to look at the key roles involved in dealing with the incident and choose your session members accordingly.
Although lessons learned sessions vary depending on the nature, scope and impact of the security incident, they should follow a similar structure and provide answers to at least these questions:
Don’t be surprised if your lessons learned session unveils a myriad of issues and gaps in your current incident handling practice. That’s a good thing! At the end of every lessons learned session, the person in charge of documenting the session should summarize which problem areas were identified, what the proposed action items/solutions are to fix those problem areas, who will be responsible for each action item, and when each solution is expected to be implemented.
Example action items:
►►►Tip: For lessons learned exercises to be effective, make sure that concrete action items are established, roles and responsibilities are assigned, and specific due dates are defined for each item.
Related Blog: 5 Mistakes You Need to Avoid After a Data Breach
This concludes our 5-part blog series about Incident Response Planning. Be sure to subscribe to our blog to stay tuned for more content about cybersecurity, incident response and securing your organization.