Incident response plans give security teams a standardized set of procedures for mitigating the risks associated with security incidents. They make cyberattacks less disruptive, reduce operational downtime, and contain data breaches.

Since every organization is unique, it needs to create a set of incident response playbooks designed to fit its security risk profile. It also has to ensure employees, users, and key stakeholders can communicate effectively about security incidents as they happen.

The SANS Incident Response Framework provides a standardized set of operational security best practices when handling security incidents. Organizations that adopt the SANS framework are equipped to quickly mitigate cyberattack risks and protect sensitive assets effectively.

What is the SANS Incident Response Framework?

The SANS Institute is the world’s largest and most reputable cybersecurity research and training organization. Its name stands for “SysAdmin, Audit, Network, and Security”, and its incident response framework is one of the most trusted options in the industry.

In 2012, the SANS Institute published the Incident Handler’s Handbook, which defines its approach to addressing security incidents in real-time. The SANS approach enables analysts to methodically assess cyberattack damage, take action to contain threats, and help the organization recover.

Here is a brief summary of the six-step approach outlined in the SANS Incident Response Framework:

• Preparation. Establish organization-wide security policies, perform risk assessments, and define security risks. Build a Computer Security Incident Response Team (CSIRT) with well-defined roles.
• Identification. Monitor systems for unusual behavior and indicators of compromise. Investigate security events and escalate the ones that suggest a potential security breach. Collect evidence, categorize threats, and document everything.
• Containment. Take decisive, short-term action to isolate potential threats and protect the network from attack. Then perform long-term containment tasks and rebuild impacted systems.
• Eradication. Remove malware from affected systems, perform root-cause analysis, and implement solutions to prevent similar attacks in the future.
• Recovery. Bring impacted production systems online, taking care to mitigate the risk of additional attacks. Test and verify newly recovered systems to ensure they are working properly.
• Lessons Learned. Create a retrospective report detailing the security incident no more than two weeks after it took place. Document the incident entirely and identify opportunities to improve operational security.

SANS Incident Response Framework vs. NIST Cybersecurity Framework

The SANS Incident Response Framework is often compared with the other leading framework for addressing security incident risks — the NIST Cybersecurity Framework.

The two share a lot in common, but they have key differences that set them apart. In general, the SANS Incident Response Framework is more technically oriented, with a strict focus on detecting and responding to suspicious behavior on protected networks.

The NIST Cybersecurity Framework provides an in-depth explanation of the communication structures organizations should have in place when handling security incidents. The SANS framework provides a broader overview of this aspect of incident response, but provides deeper guidance on how security team members should contain and eradicate threats.

This doesn’t mean that one framework is “better” than the other. It simply reflects the scope for which each framework was designed. Security leaders must choose the framework that best suits the specific needs of their organization and its security capabilities.

Who should Implement the SANS Incident Response Framework?

Since the SANS framework offers more concise operational guidance for addressing security incidents, it is well-suited to organizations with well-developed security capabilities.

It’s particularly well suited to smaller, more agile organizations with dedicated security teams. That’s because the NIST Framework includes a more generic approach to securing data against a wider range of incidents, such as natural disasters and physical security breaches.

Where the NIST Framework provides wide-ranging guidance suitable for large, complex organizations, the SANS Incident Response framework focuses on improving the capabilities of individual security practitioners and their teams.

Adopt the right incident response framework for your organization

The SANS Incident Response Framework can provide a consistent and structured approach for handling security incidents. It gives security teams a common terminology, a clear set of best practices, and useful metrics for improving security performance over time.

However, it can also lead to challenges. You may need to customize your security tech stack to meet SANS guidelines, and you’ll have to update your policies regularly to maintain the framework as your organization grows.

Maintaining a comprehensive security framework can significantly improve your organization’s risk management capabilities, but only with the right approach. Merely checking all the boxes won’t provide the security results you need — only a comprehensive, expert-led approach can do that.