Storm Swendsboe
Technical Account Manager at BreachRx
With a wealth of experience in threat intelligence, attack methodologies, and running security tabletops, Storm previously led the exercise and threat intel function at Sony Pictures, built the Analyst-on-Demand business unit at Recorded Future, and was a senior threat analyst at iSight Partners. At BreachRx, he now supports clients’ use of the platform to deliver even more value.
Incident response management is already a chaotic and manual process. It becomes even more so when executives start asking for ad-hoc updates seemingly every few minutes. These requests are completely understandable: executives are strategic decision-makers who need information to guide resources and respond to inquiries. However, it is ultimately an ask that places additional strain on the responders, who need to be working on the event itself.
Effectively, it’s a catch-22 – either your C-suite is flying in the dark or you inhibit your responders from doing their job. So what can you do?
A one-size-fits-all incident report doesn’t actually fit all
Incident reports are not easy to put together. Having done incident response reporting in the past, I can personally attest that even in the most mature environments, the details necessary for creating accurate reports are scattered across a myriad of decentralized communications systems – Zoom, Teams, Slack, SOAR, SIEM, email, personal cell phone text messages – it’s like running a blender without the lid on. Various email chains, messaging channels, and out-of-band Zoom calls are just the start. And rarely does one person have access to all of the information.
Why? Different parts of the company each respond to the incident in their own way and via their preferred channels. Incident response, IT, corporate communications, and legal (just to name a few) each have separate responsibilities and ways that they communicate. Gathering all of this disparate information in the middle of a firefight is nothing short of a chaotic nightmare.
And unfortunately, the time-to-live on these reports is generally 24 hours or less, as the status of the event, systems involved, and business functions change constantly.
Of course, executives want the most up-to-date information, and rightly so, as that’s what they need to make decisions for the business, and they want it in a quickly digestible format (i.e., a page or less). This is a monumental task for the analyst writing the reports because of:
- Continuous changes: Keeping up with the changes from all the different communication channels, which you may or may not be a part of, means that, at best, you can write updates every 24-48 hours.
- The format of the report: Anyone who has written reports can tell you that the executive summary may be the shortest part of a report, but it requires the most work. Every sentence has to be meticulously backed up by a full assessment or line of evidence that would otherwise take up half a page at least.
- Requests from different audiences: From the various C-suite offices that each have different needs, to various parts of the IR response effort (IR, comms, legal) that need to have situational awareness of what everyone else is doing, each report request requires custom information to be included.
In the heat of the moment, the best a responder flying by the seat of their pants can do is put together a “one-size-fits-all” report, send it out, and then Hail Mary.
But does that actually provide each leader and team with the information they need? More often than not, the answer is no.
Streamlining incident response with customized and automated reporting
During an incident, I was always in a position where the team was large enough that I could mostly be dedicated to working on the incident response reporting, while other teammates were responding to the event directly, but that is not the case with most teams.
Typically, the analyst who is handling the event is the one writing up its report. But you want them to be dedicated to containing the incident, as they are the best equipped with the right skills and background to do so. Every time they have to stop to write reports, the recovery effort is extended, which leads to a greater risk of a significant business impact for your company (especially when there are tight notification timelines and hefty penalties involved).
As an in-house defender previously, this was honestly the most significant thing that attracted me to the BreachRx Cybersecurity Incident Response Management (CIRM) platform—the ability to automatically generate reports about the incident using customized templates at any point in time during the incident. It’s truly a game-changer for incident response reporting.
Since BreachRx funnels the playbooks, actions, and updates into one source of record, it’s able to generate reports in an instant based on the key incident data inside it.

Your CISO needs a report at 12:30pm for an executive briefing, and now your CEO wants a current report at 4:00pm for an emergency board meeting? No problem. With the click of a button, you can generate these reports in real time and deliver them directly.
The BreachRx CIRM platform has several report templates included, but it also gives analysts the ability to save their own pre-positioned, customized templates with an easy-to-use building block tool. That way, no matter what requirements you’re given by other parts of the business for reports during an incident, you can create a custom template for them. Then, during an incident, when another team makes their request, you can easily create that audience-specific report in an instant.
There will still be some stakeholders that you may have to generate something extra for, but even in those cases, BreachRx still does the heavy lifting and can even support you as a report writer with help from Rex AI™ to more quickly respond to any further content requests.
Incident reports are not just for leadership
That’s another great thing about incident reporting with BreachRx—the reports aren’t just for requests from your team, but can also be reports for your team.
These reports quickly summarize what happened in an incident and what actions were taken, allowing an IR responder to update themselves on everything that happened overnight or get another analyst up to speed to begin working on the event. The team can do more thorough shift handoffs and respond with more information with these custom reports, at a zero-effort cost. Bonus: It’s helpful to maintain a centralized, detailed record of every incident for compliance purposes and in case of an audit – or worse, a lawsuit.
Using the traditional approach, each and every report is representative of hours of manual labor, fact-checking, and writing, but with BreachRx, it’s as simple as clicking a button. Once that barrier to entry for producing reports is removed, not only does that lift the effort and burden of report writing off of the team that’s responding to the incident, but it also allows your IR team to begin using reports to make themselves more efficient.
And that is how you transform a burden on your team into a strategic advantage.
Want to make incident response reporting easier for your team? Schedule a platform walkthrough to see how BreachRx empowers you to respond to incidents with confidence, clarity, and speed.