By Editor | November 19th, 2019

Working Ahead: How Proactive Testing of Incident Response Plans Ensures Readiness

Having an incident response plan is one thing, but whether companies actually test it – and put the results to work – is another. “Testing incident response processes within the security operations center (SOC) should yield two important results: a clear understanding of whether your plan is likely to work and a list of gaps that should be addressed. There is no point testing them if the findings will play no role in optimizing your processes,” writes Nimmy Reichenberg, Chief Strategy Officer at Siemplify, in CPO Magazine. Reichenberg recommends a three-pronged approach to incident response testing:

  • Paper tests, which can contain user and process error and should only be used to test smaller process changes
  • Tabletop exercises, which need to be prepared in as much detail as possible, with the right people involved and realistic scenarios
  • Simulated attacks, which can be run either as tabletop exercises or with security orchestration tools. This will “help teams automate the response to attacks, eliminating reliance on so-called tribal knowledge within the SOC,” writes Reichenberg. “Security incidents are stressful enough for security operations teams who are prepared and on the same page, let alone those who start from scratch with every incident.”

Source: https://www.cpomagazine.com/cyber-security/trial-before-the-fire-how-to-test-your-incident-response-plan-to-ensure-consistency-and-repeatability/
