According to the National Institute of Standards and Technology (NIST), an Incident Response (IR) provides “the instructions and procedures that an organization can use to identify, respond to, and mitigate the effects of a cyber incident”.
In the Cost of a Data Breach Report 2020 (IBM Security), organizations that both formed an Incident Response (IR) team and extensively tested their Incident Response plan had an average cost of a data breach of $3.29 million. In contrast, organizations that took neither of these steps experienced an average total cost of $5.29 million, a $2 million difference. The same study also found that of organizations that required remote work as a result of COVID-19, 70% said remote work would increase the cost of a data breach and 76% said it would increase the time to identify and contain a potential data breach.
In the NIST handbook of “Computer Security Incident Handling Guide”, Incident Response Lifecycle can be broken down into the following four phases:
Preparation is one of the most essential incident response activities that an organization should undertake. It involves extensive planning that includes security awareness training for your employees, identifying the start of an incident, establishing business processes and procedures to recover and get everything back to normal after a security event.
In order to stop an incident, you must first be able to detect and identify any anomalies within your environments. Solutions like Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) can automate and speed up the alerting, identification and analysis process by filtering massive amounts of security data and prioritizing the security alerts the software generates. For most small and medium sized organizations, however, Managed Security is more effective due to lack of in-house security analysts. According to Gartner, co-managed SIEM services enable security and risk management leaders to maximize value from SIEM and enhance security monitoring capabilities, while retaining control and flexibility.
Containment involves quick decision making and actions when an incident is identified to stop the spread and minimize damages. For example, your response might include decisions to immediately shut down a system, disconnect it from a network or disable certain functions. Cybersecurity incidents, such as a ransomware attack or malware infection, never happen at a convenient time; it is good practice to build predetermined strategies and containment procedures.
After containment, further eradication efforts are often required in order to completely remove the underlying components of the incident and to mitigate any identified vulnerabilities exposed during the incident.
In the recovery process, any compromised hosts, applications, or networks are returned back to normal operations. This may involve actions such as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords.
After an incident, a debrief meeting to review and document the entire incident, perform a root cause analysis, and identify lessons learned to better respond to future security events and incidents, are extremely helpful and yet often overlooked. As the threat landscape is always evolving, your incident response process will need to be updated as well to reflect new threats, improved technology and lessons learned.
1. Provide Security Awareness Training to your employees to strengthen the weakest link in your cybersecurity chain
2. Perform periodic risk assessments as reducing the identified risks to an acceptable level is essential in reducing the number of incidents
3. Adopt a Zero Trust security model to help prevent unauthorized access to sensitive data
4. Invest in security monitoring and automation tools which may help improve detection and response times
5. Profile networks and systems to understand the normal behaviours of networks, systems, and applications
6. Stress test your incident response plan to increase cyber resilience
7. Use managed security services to help close the security skills gap
Blair Technology Solutions is offering a One-Time Vulnerability Assessment to help you pinpoint your risks of a cyber incident. Contact us to schedule your assessment today.