In security response, practice makes perfect

02.10.2012

* Detect the adversary: A primary goal of the security response plan should be to improve visibility throughout the process. This means leveraging centralized logs, tuning correlation engines so that they present solid information while reducing distracting false positives, and gathering external threat intelligence to help make sense of it all.
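The three visibility measures in this item (centralized logs, tuned correlation, external threat intelligence) fit together in a way that is easier to see in code. The following is an added example, not code from the article or from any of the vendors quoted on this page: it runs a simple correlation rule over syslog-style lines as they would arrive at a central collector, suppresses a known-benign source so the rule stops generating noise, and enriches the surviving hits with a threat-intelligence lookup. All log lines, hostnames, IP addresses, the suppression list and the intelligence feed entries are constructed for the example.

```python
"""
Added example: correlate centrally collected sshd events, tune out a
known-benign source, and enrich remaining alerts with threat intelligence.
Every log line, host, address and feed entry below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed syslog-style lines as they would land in a central log store.
LOGS = """\
2012-02-10T09:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2012-02-10T09:00:03 web01 sshd: Failed password for admin from 203.0.113.7
2012-02-10T09:00:05 web01 sshd: Failed password for admin from 203.0.113.7
2012-02-10T09:00:09 web01 sshd: Accepted password for admin from 203.0.113.7
2012-02-10T09:01:00 db02 sshd: Failed password for root from 198.51.100.20
2012-02-10T09:01:02 db02 sshd: Failed password for root from 198.51.100.20
2012-02-10T09:01:04 db02 sshd: Failed password for root from 198.51.100.20
2012-02-10T09:01:06 db02 sshd: Accepted password for root from 198.51.100.20
2012-02-10T09:02:00 app03 sshd: Failed password for ops from 192.0.2.50
2012-02-10T09:02:30 app03 sshd: Accepted password for ops from 192.0.2.50
"""

# Constructed tuning list: the internal credential scanner that would
# otherwise trip the rule on every run. This is the "reduce false positives"
# step from the text, expressed as data the rule consults.
SUPPRESS_SOURCES: Set[str] = {"198.51.100.20"}

# Constructed external threat-intelligence feed: indicator -> context.
THREAT_INTEL: Dict[str, str] = {
    "203.0.113.7": "constructed-feed: credential-stuffing infrastructure",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

FAILURE_THRESHOLD = 3  # failures before a following success is interesting


@dataclass
class Alert:
    host: str
    user: str
    src: str
    failures: int
    intel: Optional[str] = None  # filled in by the enrichment step


def parse(text: str) -> List[dict]:
    """Normalize raw lines into dicts; lines the pattern does not match are
    dropped, which is also where a real collector would count parse failures."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def correlate(events: Iterable[dict], threshold: int = FAILURE_THRESHOLD) -> List[Alert]:
    """Raw rule: at least `threshold` failures followed by a success for the
    same (host, user, source) tuple. One alert per tuple, untuned."""
    failures = defaultdict(int)
    seen = set()
    alerts = []
    for e in events:
        key = (e["host"], e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold and key not in seen:
            seen.add(key)
            alerts.append(Alert(*key, failures=failures[key]))
    return alerts


def tune(alerts: Iterable[Alert],
         suppress: Set[str] = SUPPRESS_SOURCES,
         intel: Dict[str, str] = THREAT_INTEL) -> List[Alert]:
    """Drop known-benign sources, then attach threat-intel context so the
    analyst sees why a hit matters rather than a bare rule name."""
    kept = []
    for a in alerts:
        if a.src in suppress:
            continue
        a.intel = intel.get(a.src)
        kept.append(a)
    return kept


if __name__ == "__main__":
    raw = correlate(parse(LOGS))
    print(f"raw hits: {len(raw)}")
    for a in tune(raw):
        print(f"ALERT {a.host} user={a.user} src={a.src} "
              f"failures={a.failures} intel={a.intel or 'none'}")
```

The split between `correlate` and `tune` is deliberate: the raw rule stays simple and auditable, while suppression and enrichment live in data that can be adjusted without touching detection logic. In practice the suppression list should be reviewed as part of the playbook, since an over-broad entry silently blinds the rule.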

Unfortunately, it's not always that easy. There is often a lack of experience within the organization with respect to the entire incident response and incident handling framework. "Most organizations think that they can just 'handle it' when an incident occurs," said Stephen Grutzius, CMO at Cybersponse Inc. during a follow-up interview. "The root of the problem lies in the lack of knowledge including identification of systems; memory collection; malware detection and analysis; forensic imaging and analysis; and multi-department collaboration -- these all prevent effective, timely response."

"Companies should be prepared to create an investigation-ready environment," added Jim Aldridge, a manager at D.C.-based Mandiant. The plan should be formal yet flexible and it should let the smart people work. "The security response team should define playbooks that are meaningful, outcome-based, and provide clear metrics," Aldridge added. "Be prepared to share the information with anyone and everyone that can benefit and/or contribute."

People are looking for "drop-in security" where they can just install it, set a few dials, and move on, but it is important to separate hype from reality.