
Jazz Solutions, Inc. (JSL)  


‘The Triple C’ Approach to Security Incident Response

By Avery Moore 

Creating an incident response (IR) capability can be a daunting task. The National Institute of Standards and Technology (NIST) alone has a dozen or so security controls related to just that topic.

The prevention of all security incidents is the ideal scenario, but the fact is that security incidents do occur, and being able to respond to them should be a priority in your organization. But how can this be done?

Auditors and assessors examine an organization’s compliance against specific controls, and issue findings typically without regard for how that organization is maturing in that area. IR can and should be viewed as a miniature maturity model with the most critical concepts addressed first, while simultaneously planning for implementation of more advanced capabilities. Viewing this as a maturity model shifts your focus from where you are now to where you’re going. NIST’s Computer Security Incident Handling Guide breaks down the IR life cycle as follows:

  • Preparation 
  • Detection & Analysis 
  • Containment, Eradication & Recovery 
  • Post-Incident Activity 

Volumes have been written about the above phases, but I will focus on one small but critical piece: Containment. 

Once you understand that a security incident is occurring, it’s important to quickly get to a state of containment to avoid further damage or data loss. Being in a contained state allows the organization a moment to breathe so that the next step can be taken.  

Using a first-aid analogy, containment means stopping the bleeding. When a person is hurt, you don’t start asking about their life choices and the circumstances that led to the problem. The most important thing is to stop the bleeding and get to containment. After that is achieved, other important measures can be taken.

Security incident containment, however, doesn’t just occur on its own. Some critical functions must be established to implement that capability while the organization is building out the other aspects and capabilities of IR. Those minimal functions are Communication and Coordination. 

If an organization can communicate and coordinate during security incidents, it will be much more successful in achieving containment. I call this the “Triple C”: Communication and Coordination lead to Containment.

Proper communication enables responders to: 

  • Talk an issue out quickly and effectively; 
  • Know who to talk to about what; and 
  • Speak the language of IR. 

None of the above works well without coordination. Proper coordination enables responders to: 

  • Know which team members and support members do what;
  • Keep communications short and focused; and 
  • Know their own role and job. 

If your communication and coordination are executed well, that will lead you to containment, where: 

  • The root issue is identified and stopped or isolated quickly; 
  • Further issues are prevented; 
  • Damage is minimized; and 
  • The “bleeding” is stopped. 

Using this “Triple C” concept as a step in your IR maturity model means that you can’t simply stop once you’ve determined you can contain an incident.  

A static security incident containment program is not adequate in the long term. While implementing these minimal measures, organizations should simultaneously be working on implementing or shoring up measures for detection & analysis, eradication, and recovery.  

After all, you can’t contain a security incident if you haven’t found it first.  
