How to Develop an Incident Response Plan for Your SaaS Business

According to a 2018 IBM study on cybersecurity resilience, 77 percent of firms surveyed lack proper incident response plans, while 69 percent report insufficient funding for cyber resiliency. Where does your organization stand on this critical issue?

It’s best to accept that it’s not a matter of if your SaaS organization will encounter a security incident at some point in its lifetime but rather when. Operating within today’s security landscape, the time to “when” is shrinking daily. Therefore, it’s critical to develop a strong Incident Response Plan (IRP) before a threat hits, so you’re in a position to respond quickly and effectively.

In this post, we’ll walk you through the basic steps of putting an IRP in place so you can stay in control when an incident inevitably occurs and thereby reduce disruption, damage, recovery time, and costs.

1. Identify Your Risk Profile

Despite sensationalized headlines, SaaS companies should concern themselves less with zero-day threats. Far more likely are the low-level attacks that exploit common vulnerabilities and are easier to carry out. Attackers look for the greatest return with the least effort, so one of the biggest threats to your organization could be a simple ransomware-as-a-service attack, which might result in a big payout for the bad guys while requiring very little technical expertise.

Starting out, you’ll want to complete a cybersecurity risk assessment, which consists of a few key steps:

  1. Establish a baseline of your “normal” operating state. This will include an evaluation of any of your systems, applications, and services as well as scripts that may run in your environment.
  2. Identify the threat landscape that exists within your organization. Consider probable threats that are often included in risk assessments, such as insider threats (malicious or intentional), data leaks with unintentional exposure of information, or data loss. Depending on your systems, stakeholders, and environments, you will probably identify additional threats, and you should incorporate these into your assessment.
  3. Determine inherent business risk and impact. Rate the impact of potential threats on your landscape without considering the control environment you have in place. Approach the assessment this way to prevent factoring in controls that could mitigate the risk, so you can clearly understand the full potential of threat events.
  4. Factor in your control environment. Typically, you need to examine several categories of information to adequately assess your control environment. Ultimately, identify threat prevention, mitigation, detection, or compensating controls and their relationship to identified threats. A few examples include organizational risk management controls, user provisioning controls, and administration controls.
  5. Evaluate your preparedness in terms of comparable businesses. When building your IRP, consider the industry sectors in which you and your customers operate and the types of data that you store, as well as your size, infrastructure, and assets. These factors will allow you to compare yourself to similar businesses, prepare for threats they have dealt with in the past, and build an IRP that is realistic for your organization.

2. Know Your Compliance Responsibilities

Before a security incident occurs, it’s important to take regulatory frameworks into account and fully understand your reporting responsibilities. For example, the General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and is applicable to a great number of SaaS companies. The new regulation requires you to report any breaches to the data subject or the supervisory authority within 72 hours, so you will need to keep this top of mind when you create your IRP.

Other frameworks that you are beholden to as a SaaS company may include SOC 2 or ISO/IEC 27001, as well as a variety of industry-specific regulations, which we discuss in more depth in this article. Each compliance framework has its own set of reporting requirements that may need to come into play as you draft your organization’s unique IRP.

3. Create a Communication Plan

Communicating the details of an incident might be one of the most difficult parts of responding to an attack, but for that very reason, it is essential that your SaaS company have a communication plan in place. The goal should be to communicate clearly with all stakeholders (internal and external) in order to maintain trust when a security incident takes place.

Communication with the wider security and IT team will be the first step for whoever catches the alert. Once there is a confirmed incident, the security team must then determine whether it merits communication to the wider organization.

Next, you need to determine whether it makes sense to alert customers, partners, board members, VCs, and/or the public. In the case of an incident that requires broad communication, a public relations firm can be incredibly helpful in setting out a strategy for external disclosure, developing an overall communication plan, and drafting notification plans in the event that your company will not be able to operate normally for some period of time.

Your communication plan also needs to outline the cases in which your company would alert law enforcement, taking into account the effect on your organization of getting law enforcement involved while balancing the assistance you might gain from working with a law enforcement cyber partner.

Documentation on what happened before, during, and after an incident is crucial in prosecuting an attacker whenever an incident is deemed criminal, so it must be built into your plan. Even if the authorities do not need to be involved, documentation can help your security team communicate valuable lessons learned to the rest of the organization as part of an incident post mortem before the next threat strikes. (Note: The continuous security monitoring of a comprehensive platform like Threat Stack provides audit trails that can simplify the documentation process.)

4. Identify and Train Your Stakeholders

Bring together both internal and external stakeholders as you develop your IRP and strategy. To determine the stakeholders that make the most sense for your plan, evaluate several example scenarios and figure out who you need in play to fully detect, respond to, and contain an incident.

Once you have identified all your stakeholders, document the precise roles and responsibilities they would have in responding to an incident. Here are just a few examples of stakeholder coverage:

  • Technical, Security, Operations: These teams are responsible for working together to identify, track, and contain the incident.
  • Business Leadership: Include the legal, marketing, and communication teams to participate in the incident response decision process.
  • Customer Impacting: Customer and partner teams will decide how and when to notify potentially impacted parties.

After your team is assembled, incorporate a training plan so everyone is operating off the same sheet of music. This training should be scheduled on a regular basis and should ensure that new members of the team as well as existing stakeholder groups are folded in and brought up to speed. The content should be clear, ensuring that all stakeholders understand processes and their roles, and identifying any gaps as they relate to detection, response, and incident containment.

In addition, tabletop exercises can be valuable when:

  • Your organization acquires a new environment
  • Your environments change significantly
  • New policies are rolled out that change escalation paths or rules of engagement
  • Key players change or their roles and responsibilities shift

5. Automate and Optimize

Your IRP is only as strong as your security processes, so it’s important to optimize them and incorporate automation whenever possible. Automated alert handling, for example, can prioritize alerts for your team (labeling incidents as High-, Medium-, or Low-severity) so you can focus on the highest-risk threats from the outset. This prioritization also limits false positives, minimizing alert fatigue and ensuring that the high-priority alerts that you do receive don’t go unnoticed.

To ensure that your organization can act on alerts quickly and efficiently, it’s necessary to choose the right tools for incident management and reporting and to centralize your workflows. A comprehensive intrusion detection platform like Threat Stack can help integrate your alerts with incident management and chatops tools such as PagerDuty and Slack, ensuring that stakeholders receive context-rich alerts directly in the tools and workflows they’re already using. This type of integration ensures that all the data related to a security incident lives in one place, speeding up your time to know and time to respond.
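As an added illustration of the severity labeling and routing described above (not code from Threat Stack, PagerDuty, or Slack), here is a small Python triage function. The alert categories, scoring weights, 15-minute suppression window, and route names are assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta

# Assumed routing policy: High pages on-call, Medium goes to chat, Low to a digest.
ROUTES = {"High": "pager", "Medium": "chat", "Low": "digest"}
DEDUP_WINDOW = timedelta(minutes=15)  # assumed suppression window for repeats
BASE_SCORE = {"privilege_escalation": 3, "unexpected_process": 2, "login_failure": 1}

def classify(alert):
    """Label an alert High/Medium/Low from its category and asset criticality."""
    score = BASE_SCORE.get(alert["category"], 1)
    if alert["asset_tier"] == "production":
        score += 1
    if alert.get("known_benign"):  # matches the baseline, e.g. a scheduled script
        score -= 2
    return "High" if score >= 4 else "Medium" if score >= 2 else "Low"

def triage(alerts):
    """Return (id, severity, route) per alert; repeats inside the window are suppressed."""
    last_seen, decisions = {}, []
    for a in sorted(alerts, key=lambda a: a["time"]):
        key = (a["category"], a["host"])
        prev = last_seen.get(key)
        last_seen[key] = a["time"]  # sliding window: every repeat extends it
        if prev is not None and a["time"] - prev < DEDUP_WINDOW:
            decisions.append((a["id"], None, "suppressed"))
            continue
        severity = classify(a)
        decisions.append((a["id"], severity, ROUTES[severity]))
    return decisions

# Constructed sample alerts (not real data).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    {"id": "a1", "time": T0, "category": "privilege_escalation",
     "host": "api-1", "asset_tier": "production"},
    {"id": "a2", "time": T0 + timedelta(minutes=5), "category": "privilege_escalation",
     "host": "api-1", "asset_tier": "production"},
    {"id": "a3", "time": T0 + timedelta(minutes=6), "category": "unexpected_process",
     "host": "ci-2", "asset_tier": "staging"},
    {"id": "a4", "time": T0 + timedelta(minutes=7), "category": "unexpected_process",
     "host": "db-1", "asset_tier": "production", "known_benign": True},
    {"id": "a5", "time": T0 + timedelta(minutes=30), "category": "privilege_escalation",
     "host": "api-1", "asset_tier": "production"},
]

if __name__ == "__main__":
    for decision in triage(SAMPLE_ALERTS):
        print(decision)
```

Suppressed alerts are still recorded in the decision list, so a later response audit can see how many repeats each page or chat message stood for.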

Once you begin to streamline and automate security processes, carrying out a response audit will enable you to review the way alerts are triaged so you can be sure your SaaS company is actually following the right incident response processes. Optimizing your security processes isn’t a one-time activity but, rather, something that needs to be evaluated regularly to help you stay ahead of threats.

6. Evolve and Improve Your Incident Response Plan Over Time

Hopefully this post will put you on the path toward developing a strong IRP. As with any aspect of security, the goal is not one-time perfection, but continuous improvement. Now that you’ve gained a basic understanding of what to include in your plan, it’s important to strengthen and optimize your security processes over time.

Having a robust IRP will help you avoid major fallout from a security incident, which is, of course, key for SaaS businesses that need to move quickly while maintaining the trust of their customers in a competitive marketplace.