A recent InfoWorld article (http://www.infoworld.com/t/security/how-not-handle-data-breach-992?source=footer) shows that organisations which react before they understand the significance of a security event get hurt.
It's becoming more obvious that the clever companies expect breaches to happen (nobody who understands defence-in-depth thinks it is 100% secure) and plan for that eventuality. The first step in that plan is to define an incident response structure (people, process and tools) that allows you to quickly establish what has happened, how far it has spread and what damage has been done, and then to stop it.
The adage "you can't manage what you can't measure" is old, but it is still a basic truth. Without that measured response structure in place first, how can you possibly hope to manage the incident?
Another valuable point in the article is the need for forensics. This ties back into incident response, because breaches are becoming more sophisticated and stealthy. Advanced persistent threats (APTs) and advanced evasion techniques (AETs) hide so well that you really need to get under the covers to find them, and forensic tools are key to that deep dive. It also means the response plan has to preserve evidence (logs, memory and disk images of affected systems) rather than wiping and rebuilding at the first sign of trouble; otherwise the understanding the article calls for is lost along with the attacker's traces.