Incident response (IR) is the effort to quickly identify an attack, minimize its effects, contain damage, and remediate the cause to reduce the risk of future incidents.
Let’s Define Incident Response
Almost every company has, at some level, a process for incident response. However, for those companies looking to establish a more formal process, the pertinent questions one must ask are:
- What are the steps to activate the responsible parties involved in responding to an incident should one appear?
- How comprehensive and specific should your response plan be?
- Do you have enough people (and the right people) to respond appropriately?
- What are your acceptable SLAs for responding to an incident and returning to normal operations?
Most likely, the answers to these questions will not be optimal, as most companies fall short in one area or more, according to a study by the Ponemon Institute:
- 77% of companies do not have a formal, consistently applied plan in place
- 57% indicate there has been an increased amount of time to respond
- 77% say they have a difficult time hiring and retaining security staff
On average, it takes 214 days to identify a malicious or criminal attack, and 77 days to contain and recover. It’s clear that better incident response management is needed to fully protect organizations from the growing and accelerating number of threats they face every day.
A. The Right Team – To deliver the most effective incident response, industry experts suggest including the following roles on your team, no matter the size of your company. Obviously, the technical team will take the lead, but there are other functional areas in your company that should be on board, especially if a severe attack occurs. Once the people for these roles are identified, educate them on what their responsibility would be in the event of a serious, extensive attack that has widespread ramifications:
- Incident response
- Security analysis
- IT
- Threat research
- Legal
- Human resources
- Corporate communications
- Risk management
- Executive
- External security forensic experts
B. The Right Plan – A comprehensive incident response plan includes the following tactics and processes at a minimum:
- Prepare and ready the team to handle any kind of threat
- Detect and identify the type and severity of an incident once it has occurred
- Contain and limit the damage
- Determine its impact and associated risks
- Find and eradicate the root cause
- Mitigate and resolve the attack
- Analyze and modify the plan post-attack to prevent future ones
Communication is key when an attack is underway, so ensure that you establish a good communication flow as part of your response plan.
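The plan phases and SLA question above, worked through as an added example (not code from the original post): an incident record that enforces the plan's phase order, records who is informed as each phase begins, and measures time-to-identify, time-to-contain and time-to-recover against SLAs. The phase names follow the post's list; the SLA values, timestamps, incident name and the role-to-phase notification mapping are constructed for the example.

```python
"""Added example, not code from the original post: an incident record that
enforces the response plan's phase order, keeps an audit trail of the
communication flow, and reports identification, containment and recovery
times against SLAs. SLA values, timestamps and the NOTIFY mapping are
constructed; the phase names follow the post's plan."""
from datetime import datetime, timedelta

# Phases in the order the plan prescribes. Preparation happens before any
# incident exists, so the per-incident record starts at detection.
PHASES = ["detect", "contain", "assess", "eradicate", "resolve", "review"]

# Constructed communication flow: which roles are informed when a phase starts.
NOTIFY = {
    "detect": ["incident response", "security analysis", "IT"],
    "contain": ["risk management", "executive"],
    "resolve": ["legal", "corporate communications", "human resources"],
}


class Incident:
    def __init__(self, name, sla):
        self.name = name
        self.sla = sla                 # {"identify": timedelta, "contain": ..., "recover": ...}
        self.attack_started = None     # usually learned during assessment; may predate detection
        self.timeline = {}             # phase -> datetime the phase was entered
        self.notified = []             # (phase, role) pairs: audit trail of who was told what, when

    def enter(self, phase, at, attack_started=None):
        """Move to the next phase. The plan order is enforced so a step cannot
        be skipped (e.g. eradicating before the impact has been assessed), and
        timestamps must not run backwards."""
        expected = PHASES[len(self.timeline)] if len(self.timeline) < len(PHASES) else None
        if phase != expected:
            raise ValueError(f"{self.name}: plan expects {expected!r} next, not {phase!r}")
        if self.timeline and at < max(self.timeline.values()):
            raise ValueError(f"{self.name}: timestamp for {phase!r} precedes an earlier phase")
        self.timeline[phase] = at
        if attack_started is not None:
            self.attack_started = attack_started
        for role in NOTIFY.get(phase, []):
            self.notified.append((phase, role))

    def metrics(self):
        """Durations comparable to the Ponemon figures quoted in the post, each
        paired with whether it stayed within the SLA."""
        t = self.timeline
        durations = {}
        if "detect" in t and self.attack_started is not None:
            durations["identify"] = t["detect"] - self.attack_started
        if "contain" in t:
            durations["contain"] = t["contain"] - t["detect"]
        if "resolve" in t:
            durations["recover"] = t["resolve"] - t["detect"]
        return {k: (v, v <= self.sla[k]) for k, v in durations.items()}


def run_demo():
    """Walk one constructed incident through every phase of the plan."""
    sla = {"identify": timedelta(days=30), "contain": timedelta(days=2), "recover": timedelta(days=7)}
    inc = Incident("INC-0001 (constructed)", sla)
    d = datetime(2018, 3, 1, 9, 0)
    inc.enter("detect", d)
    inc.enter("contain", d + timedelta(hours=20))
    # Assessment established that the intrusion began 45 days before detection.
    inc.enter("assess", d + timedelta(days=1), attack_started=d - timedelta(days=45))
    inc.enter("eradicate", d + timedelta(days=2))
    inc.enter("resolve", d + timedelta(days=3))
    inc.enter("review", d + timedelta(days=10))
    return inc


if __name__ == "__main__":
    incident = run_demo()
    for metric, (duration, ok) in incident.metrics().items():
        print(f"{metric:9s} {duration}  {'within SLA' if ok else 'SLA BREACHED'}")
```

In the demo the containment and recovery SLAs hold, but time-to-identify comes out at 45 days against a 30-day SLA, which is the kind of gap the detection tooling discussed later in the post is meant to close.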
C. The Right Tools – With an increasing number of unknown attacks, the right tools may be able to save your company a lot of time and money – and help protect your customers and your brand loyalty.
Information is a critical asset for any incident response plan. Because of that, a cloud-based endpoint security solution typically provides you with the most comprehensive tools for mitigating attacks in the quickest manner, including access to key data through:
- Unfiltered data capture provides response teams with insights into endpoint behavior, not just previously discovered attack patterns and behaviors. This is the key to shorten an attack investigation from days to minutes, especially given the growing amount of unknown attack methods being leveraged today.
- Data analytics provide visibility into all endpoint activity, both present as well as historic. With the right data, you can see where the attack started and identify the path it took, all of which will help remediate it more quickly.
- External threat intelligence helps rapidly identify threats you haven’t seen yet, but other companies have. Once again, if you know what you are dealing with, you can respond more quickly.
- Live response capabilities help you remediate remote endpoints and eliminate unnecessary reimaging.
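The data capture, analytics and threat-intelligence points above, as an added example that is not code from the original post or from any vendor product: given historic endpoint process telemetry, rebuild the process tree, match an external indicator feed against it, flag behaviour (an unusual parent-child relationship) that no feed would catch, and trace each hit back to where the activity started and what it went on to spawn. Every event, hash, process name and indicator is constructed, and the flat event schema is an assumption.

```python
"""Added example, not code from the original post: reconstruct the path an
attack took from historic endpoint process telemetry, combine a threat-intel
hash match with a behavioural parent-child rule, and scope containment by
listing what each flagged process spawned. All events, hashes, indicators and
rules below are constructed; the event schema is an assumption."""
from collections import defaultdict

# Constructed endpoint telemetry: one record per process start, oldest first.
EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1,   "image": "explorer.exe",   "sha256": "h-explorer"},
    {"ts": 2, "pid": 200, "ppid": 100, "image": "outlook.exe",    "sha256": "h-outlook"},
    {"ts": 3, "pid": 300, "ppid": 200, "image": "winword.exe",    "sha256": "h-word"},
    {"ts": 4, "pid": 400, "ppid": 300, "image": "powershell.exe", "sha256": "h-ps"},
    {"ts": 5, "pid": 500, "ppid": 400, "image": "update.exe",     "sha256": "h-dropper"},
    {"ts": 6, "pid": 600, "ppid": 100, "image": "chrome.exe",     "sha256": "h-chrome"},
]

# Constructed external threat-intel feed: hashes other organisations reported.
THREAT_INTEL = {"h-dropper": "DemoDropper (constructed indicator)"}

# Constructed behavioural rule: an office document handler starting a shell is
# worth a look even when no hash is known.
UNUSUAL_PARENTS = {("winword.exe", "powershell.exe")}


def by_pid(events):
    """Map pid -> start event (pids are assumed unique within this capture)."""
    return {e["pid"]: e for e in events}


def children(events):
    """Map ppid -> list of child pids."""
    kids = defaultdict(list)
    for e in events:
        kids[e["ppid"]].append(e["pid"])
    return kids


def trace_ancestry(events, pid):
    """Follow parent links from pid back to the earliest recorded ancestor.
    Returns image names oldest first: the path the activity took to get here."""
    index = by_pid(events)
    chain, seen = [], set()
    while pid in index and pid not in seen:       # seen-set guards against cyclic data
        seen.add(pid)
        chain.append(index[pid]["image"])
        pid = index[pid]["ppid"]
    chain.reverse()
    return chain


def descendants(events, pid):
    """Every pid started, directly or indirectly, by pid: the containment scope."""
    kids = children(events)
    found, stack = set(), [pid]
    while stack:
        for child in kids.get(stack.pop(), []):
            if child not in found:
                found.add(child)
                stack.append(child)
    return found


def match_threat_intel(events, feed):
    """Signature-style match: processes whose hash appears in the feed."""
    return [(e["pid"], e["image"], feed[e["sha256"]]) for e in events if e["sha256"] in feed]


def flag_unusual_parents(events, rules):
    """Behaviour-style match: child pids whose (parent image, child image)
    pair is in the rule set, regardless of hashes."""
    index = by_pid(events)
    return [e["pid"] for e in events
            if e["ppid"] in index and (index[e["ppid"]]["image"], e["image"]) in rules]


def investigate(events, feed, rules):
    """Combine both detections and attach the path and blast radius of each hit."""
    hits = {pid: label for pid, _img, label in match_threat_intel(events, feed)}
    for pid in flag_unusual_parents(events, rules):
        hits.setdefault(pid, "unusual parent-child relationship")
    index = by_pid(events)
    return [{"pid": pid, "image": index[pid]["image"], "reason": reason,
             "path": trace_ancestry(events, pid), "spawned": sorted(descendants(events, pid))}
            for pid, reason in sorted(hits.items())]


if __name__ == "__main__":
    for finding in investigate(EVENTS, THREAT_INTEL, UNUSUAL_PARENTS):
        print(finding["pid"], finding["image"], finding["reason"])
        print("   path:", " -> ".join(finding["path"]))
        print("   spawned:", finding["spawned"])
```

Note that the behavioural rule fires on pid 400 one event before the hash match on pid 500: the point the post makes about capturing all endpoint behaviour rather than only known patterns is that the earlier, indicator-free signal is there in the data if it was retained.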
Almost any research on the security challenges companies face includes statistics on the difficulty of hiring and retaining skilled security personnel, and 77% of respondents in the Ponemon study above reported exactly that. Globally, a shortage of nearly two million people for critical security positions is rapidly approaching.
The lack of the right security people can severely impact any incident response, so much so that companies are looking to outsource security functions like this. In fact, Gartner believes that security outsourcing services spend will reach over $18 billion in 2018, the second largest security spend segment after consulting.
Given the difficulty in hiring the right people, this makes sense, because a managed service can quickly fill any gaps you have on your security team. It can help you prioritize alerts, uncover new threats, and accelerate investigations. These services are typically staffed by highly skilled threat experts who can keep a constant watch on your company’s environment, identifying emerging threats and providing access to critical security services when your team needs the most help.
Even if you have the right people, the right plan, and the right tools in-house, there is still a possibility that something will slip through, so why take that risk? It helps to work with the right vendor that can offer you a cloud-based endpoint security platform – as well as advanced threat-hunting capabilities.
As mentioned above, managed threat-hunting experts can keep watch over your environment and notify your team of emerging threats. These experts can:
- Analyze, validate, and prioritize alerts to help drive the right actions.
- Identify early warning signs and trends and proactively send advisories to ensure a confident response.
- Discover root causes, with roadmaps that provide additional context to streamline investigations and root cause analysis.
A team of threat hunters can also give you coverage and threat triage across your entire endpoint deployment, so your team can focus on the most critical alerts. And you’ll have access to global threat intelligence that helps you stay one step ahead of future attacks.