Few organizations really understand their readiness quotient when it comes to responding to a cyber security attack – partly because they miscalculate the gravity and partly because of the amorphous dimensions of the term ‘incident’.
In general security parlance, any event that affects CIA (Confidentiality, Integrity and Availability) can be called an ‘incident’. However, defining the term within the context of your operations requires infallible perception and situational awareness. Without precise identification of the source of a breach, its intent, impact, and entry point, organizations cannot effectively pair an incident response plan with the level of support and threat management capability it requires.
There is a noticeable upward trend in the adoption of incident response planning, but having guidelines on paper is rarely enough. A recent study by Ponemon Institute indicated that though 73% of Fortune 500 companies have developed IR plans, about 68% of them feel they aren’t yet ready to handle a data breach and wouldn’t know what steps to take to control the impact.
The reality of the situation, apparently, is that many organizations are not yet staffed to approach the preparation phase with the forward planning it demands.
Negligibly few companies, whom I would call the 1%, are equipped with an IT team that can double up as incident handlers, with the kind of knowledge that comes from dealing with a wide range of incidents day after day. The others, who form the majority, have the option to involve a dedicated incident response team with battlefield experience.
The role of Managed Security in Preparation, Response and Follow-up of a Security Incident
Organizations working with managed security operations teams are realizing the transformational benefits of objective assessment and extensive threat intelligence – the best of both worlds.
1. Preparation: Continuous Threat Analytics for a strong base of operations
Preparation depends entirely on how well people, processes, technologies and information are brought together. This stage involves asset risk prioritization and establishing baselines to provide direction and scope for the entire workflow. Thus, in a sense, the security operations team is continuously preparing your foundation for incident response with its round-the-clock scrutiny and dissection of events and alarms.
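To make the two preparation activities concrete, here is an added example (illustrative code, not part of the original post and not Aleph Tav's tooling). It builds a per-asset alert baseline from a two-week observation window, tightens the deviation tolerance for assets the risk prioritization marked as critical, and returns today's outliers ordered by asset risk so handlers triage the most important systems first. The asset names, risk tiers, daily counts and sigma thresholds are all constructed for illustration.

```python
"""Baseline + asset-risk-prioritized deviation check (added example, constructed data)."""
from statistics import mean, pstdev

# Constructed asset inventory with the tier assigned during risk prioritization.
ASSET_RISK = {"db-prod-01": "critical", "web-01": "high", "dev-box-07": "low"}

# Higher-risk assets get a tighter tolerance (in standard deviations above the mean).
SIGMA_BY_TIER = {"critical": 2.0, "high": 2.5, "low": 3.0}

# Constructed daily alert counts per asset over a 14-day observation window.
HISTORY = {
    "db-prod-01": [4, 5, 3, 6, 4, 5, 4, 5, 3, 4, 6, 5, 4, 5],
    "web-01": [20, 22, 18, 25, 21, 19, 23, 20, 22, 24, 19, 21, 20, 22],
    "dev-box-07": [1, 0, 2, 1, 0, 1, 3, 1, 0, 2, 1, 1, 0, 2],
}

# Constructed counts for the day being reviewed.
TODAY = {"db-prod-01": 9, "web-01": 24, "dev-box-07": 12}


def build_baseline(history):
    """Return {asset: (mean, population stdev)} from the observation window."""
    return {asset: (mean(counts), pstdev(counts)) for asset, counts in history.items()}


def flag_deviations(baseline, today):
    """Return (asset, tier, count, threshold) for assets above mean + k*stdev.

    k comes from the asset's risk tier; unknown assets default to 'low'.
    A stdev floor of 1.0 keeps near-constant series from firing on tiny changes.
    Results are sorted so critical assets are handled first.
    """
    order = {"critical": 0, "high": 1, "low": 2}
    flagged = []
    for asset, count in today.items():
        mu, sigma = baseline[asset]
        tier = ASSET_RISK.get(asset, "low")
        threshold = mu + SIGMA_BY_TIER[tier] * max(sigma, 1.0)
        if count > threshold:
            flagged.append((asset, tier, count, round(threshold, 1)))
    flagged.sort(key=lambda entry: order[entry[1]])
    return flagged


if __name__ == "__main__":
    for asset, tier, count, threshold in flag_deviations(build_baseline(HISTORY), TODAY):
        print(f"{tier:>8} {asset}: {count} alerts today, baseline threshold {threshold}")
```

With the constructed data, db-prod-01 (critical) and dev-box-07 (low) both exceed their thresholds and are reported in that order, while web-01 sits within its tolerance. The same loop, fed from a SIEM export instead of the inline dictionaries, is the kind of baseline the preparation phase is meant to establish before an incident, rather than during one.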
2. Response: Rapid diagnosis using Intrusion Forensics
- Because how you would dodge a bullet is not the same way you would escape a grenade blast.
Forensic capabilities are rare to come by and are extremely useful in quickly comprehending what data has been exfiltrated and what resources have been compromised in the process.
Seasoned incident handlers know that this is the worst time to panic, and instead carry out systematic problem solving.
Resuscitative containment is undertaken to neutralize threats in critical systems so that they can be kept in production while a clean backup is prepared.
3. Follow-up: Corroborative security policy reviews, logs, checklists and surveys
- Validating every restoration and recovery task/policy change for efficacy.
- Improving security controls and security awareness across the organization.
- Assessing how close the organization has come to preventing recurrence of an incident.
- Ensuring that realistic goals are set and achieved.
Every event encountered contributes to the knowledge pool that is used in adjusting rules, policies and frameworks. Analysts prepare reports for a range of purposes but the most valuable reports are those that chronicle the entire incident summary and answer all questions pertaining to it.
Aleph Tav Technologies is helping organizations discover simplified threat management with a flexible and adaptive security operations team. Explore ways to build a robust response team with our managed security solution. Visit alephtavtech.com for more.