Home Cybersecurity SolutionsThreat & Vulnerability Management What is a Root Cause Analysis Report?
Threat & Vulnerability Management

What is a Root Cause Analysis Report?

by RSI Security
written by RSI Security
pci

As concerning as cyberattacks and suspicious incidents are, they also provide opportunities to reinforce your cyberdefense implementation, configuration, and strategy. Innovative techniques and the discovery of unknown, unmonitored vulnerabilities generally preempt successful cyberattacks. As a result, organizations need to investigate these events and their surrounding scenarios to optimize detection and response and prevent recurrences. The investigation’s results are compiled in a root cause analysis report.

 

What is a Root Cause Analysis Report?

A root cause analysis (RCA) is a team-facilitated, in-depth examination of any cybersecurity event. RCA comprises one of the critical concluding stages of the response processes initiated after detecting active attacks or suspicious activity. These efforts are necessary for determining what factors led to a given event’s occurrence (successful attack or otherwise). The root cause report presents a clear and concise breakdown of a given event, across these components:

  • Introduction or root cause analysis summary
  • Description of the events being studied
  • Chronology of events (i.e., event timeline)
  • Forensic methodology used to investigate the events
  • Findings (i.e., the root cause) and any remaining detailed descriptions
  • Corrective actions and strategies for cyberdefense optimization

The report serves as guidance material for actionable measures to better identify and manage vulnerabilities, prevent event recurrence, and will help guide ongoing cybersecurity strategies.

 

RCA Component #1: Introduction

The introduction provides the audience with background information about the event, the report’s purpose, and the essential points covered throughout the document. Since RCA reports should be compiled per event, their scope should be narrow and their introduction brief. Some reports will have a “problem statement“—or a one-sentence summary of the event.

 

RCA Component #2: Event Description

Here you will find an in-depth recap of the event—usually in paragraph form—based on the information gathered by the RCA team.

The description should include:

  • Date and time of the event
  • What occurred
  • How the event was discovered
  • Who reported the event
  • Response actions taken and by whom—before, during, and post-event
  • Communications regarding event reporting—internal and external
  • Impact of the event (e.g., financial, regulatory compliance)

 agreement

RCA Component #3: Event Timeline

The best format to view all activities that occurred or did not occur leading up to and after an event is chronologically. The timeline should not be overloaded with details, only factual data.

For example, activities may be logged in an RCA report’s event timeline as follows:

  • February 21, 2021 @ 0200: SIEM event occurred on Server X
  • February 21, 2021 @ 0317: SIEM event Acknowledged by Operator Mills

This example shows a one-hour and 17-minute gap between the event occurring and the operator’s acknowledgment. The significance of that gap (e.g., reasons for response delays, recommendations to reduce delays) will be covered elsewhere in the report when providing more thorough event descriptions and the RCA team’s complete analysis. As a timeline entry, you only need the basic facts. 

 

Request a Free Consultation

 

RCA Component #4: Analytical Methodology

The methods used in your root cause analysis can vary based on the nature of the event. The RCA team’s investigation may employ any of the following techniques:

  • Barrier – Examines the pathways a threat can take toward a target or asset that can cause an undesired outcome
  • Cause Factor TreeUses a hierarchical or tree design to display the actions, conditions, and contributing factors that lead to an adverse event
  • Change – Systematic approach to review impact and risk management strategies involving change within an organization, especially how expected and recent changes affect cybersecurity effectiveness
  • Failure mode and effects – An review of product or process failures, strictly from an engineering perspective
  • Fault tree analysis – Known as the “tree of logic,” this method examines an event using a logical tree of “AND,” “OR,” or “NOR” logic gates to show the contributing factors of an incident where the undesired event is the root. 
  • Fishbone – An analytic tool for examining effects and the contributing factors that create the effect. Often referred to as fishbone because the display of opposing lines for causes and effects resembles a fish skeleton. 
  • Pareto – A statistical cause analysis summary that looks at selected actions or tasks that produce a significant result (i.e., the incident being investigated). With this method, you can distill many factors down to those contributing the most towards an incident’s occurrence.
  • The Five “Why” Analysis – A problem statement is established (the incident), and a series of “Why” questions are asked until a root cause is found.

Your root cause analysis report should include one of the above or similar methods to properly investigate all contributing factors. 

 incident

RCA Component #5: Findings and Root Causes

The fifth component of your root cause report is the findings and presentation of the determined root cause. Here is where the RCA team delivers the root cause of an event after objectively conducting some of these activities:

  • Reviewing logs, reports, and other documents about the incident
  • Identifying precursors or indicators as evidence leading to the incident
  • Determining any impact to the organization before incident detection
  • Stating whether the actual cause was identified
  • Determining if the incident is the recurrence of a previous incident
  • Estimating the damages attributed to the incident (e.g., noncompliance, financial, reputational)
  • Comparing initial impact findings to final impact findings
  • Presenting security program advisory and recommending preventive measures based on the incident

In most reports, you will see a root cause stated alongside summaries of contributing and connected factors. When documenting your analysis summary, root cause statements should follow five rules:

  1. Root cause statements must present the event’s cause and effect.
  2. Do not include negative statements about personnel involved or condemnations. 
  3. A cause precedes every incident of human error.
  4. Procedural violations don’t constitute root causes in and of themselves; they must have preceding causes.
  5. Any determination of a “failure to act” may only be considered a root cause if there is a pre-existing duty to do so (e.g., documented policies or responsibilities).

 

RCA Component #6:  Corrective Actions

Your root cause analysis report should include a corrective actions section to guide any further remediation efforts and standard cybersecurity strategy (once normal operations and conditions resume). This section leverages the RCA findings to help prevent incident recurrence.

The RCA team will offer actionable tasks relevant to the root cause and its contributing factors, which inform daily or periodic responsibilities, baseline configurations, and your change management program. Once the RCA team presents their advisory in the root cause report, your organization must determine the feasibility of these corrective action recommendations.

You may also find an “improvement plan” with built-in accountability and milestone markers to track progress. Typically, improvement plans contain the following headings:

  • Area of improvement
  • Corrective action (from the root cause analysis summary)
  • Responsible party (individual or department)
  • Expected start date
  • Anticipated completion date

 

How Root Cause Analysis Reports Help Your Organization

Your organization should consider RCA reports as opportunities for growth instead of a “failure report.” They help prevent you from focusing on a single causality when there are likely several areas contributing to the event and requiring adjustment. Any findings and recommendations should acknowledge cybersecurity as a complex, holistic endeavor comprising people, processes, and technologies.

The primary benefit of root cause analysis reports is that your organization retains the documentation for future reference (e.g., ongoing security program refinement, compliance reporting). Archived RCA reports can also be used during security team training and mock-incident walkthroughs.

Additionally—and the details of a given event aside—RCA reports also provide concrete examples of:

  • Logical methods for problem-solving, using internal or pre-existing data within the organization.
  • Repeatable, step-by-step processes designed to address specific problems and provide actionable remediation tasks. 

Root cause analysis reports may be necessary for compliance reporting following any security incidents, depending on applicable frameworks (e.g., HIPAA). 

 

Go Beyond RCA Reports with RSI Security

Whenever a cyberattack or security incident occurs, your organization should conduct a root cause analysis and compile the findings into a root cause analysis report. The reports provide essential guidance for future security program strategy, compliance reporting documentation, and informational briefs for non-technical audiences in your organization.

RSI Security’s expertise helps your organization begin a root cause analysis, compile a report, or begin implementing recommendations from one.

Get started on your corrective actions and contact RSI Security today!

 

Request a Free Consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

Vulnerability Scanning vs. Patch Management: What’s the Difference?

September 11, 2019

What is Advanced Persistent Threat Detection?

July 30, 2021

How to Utilize Open Source Threat Intelligence

October 4, 2021

How to Integrate Risk Management Review Reports in...

March 10, 2022

Insider Threat Risk Management for Your Business

June 4, 2021

Vulnerability Management Best Practices For E-Commerce Businesses

September 12, 2019

Integrating Cyber Threat Intelligence in Cybersecurity Awareness Training

March 14, 2022

7 Types of Vulnerability Scanners

March 9, 2023

Wireless Security Issues and Solutions for Organizations in...

February 9, 2022

Five Ways Vulnerability Management Prevents Cyber Attacks

January 14, 2021

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More