How would your company respond to a cyberattack at this very moment? Alarmingly, few organizations have a good answer for that question.
Fewer than one-quarter of U.S. businesses have a formal cybersecurity incident response plan (CSIRP) in place, according to a study by the Ponemon Institute and IBM, making it nearly impossible to respond to serious threats in a timely manner. A separate IBM study finds that it takes companies an average of 280 days to identify and contain a data breach, giving malicious actors the better part of a year to compromise systems, steal data and generally create havoc.
Given the increasing scale and sophistication of today’s threats, organizations simply cannot afford to take an impromptu approach to threat response. While preventive measures are obviously a top priority, they are never 100 percent effective. If a breach or attack does occur, organizations must be able to act quickly to limit the damage.
The NIST Framework
The National Institute of Standards and Technology (NIST) defines a CSIRP as a predetermined set of instructions or procedures to detect, respond to and limit the consequences of a malicious cyberattack against an organization’s information systems. While circumstances will sometimes dictate deviations from the plan, having a framework ensures you don’t have to improvise a response.
NIST recommends the following four-phase process for incident response:
- Preparation. Compile a list of all IT assets and rank them by importance based on how much critical data they hold. Set up monitoring to establish a baseline of normal activity. Determine which types of security events should be investigated with detailed response steps for common types of incidents.
- Detection and analysis. Continuously monitor systems to identify signs of an attack such as unusually high numbers of failed login attempts. Correlate that data against your baseline to see how the activity deviates from normal behavior. If an incident is confirmed, collect additional evidence, establish its type and severity, and document everything.
- Containment, eradication and recovery. Take steps such as isolating a server or closing firewall ports to prevent an attack from causing additional damage. Once the attack has been contained, remove malware from all affected systems, remove accounts or backdoors left by attackers, and install security patches on affected systems.
- Post-incident activity. Document the incident from detection through recovery and conduct meetings with team members to discuss specific decisions made during the process and how they might be improved.
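The detection-and-analysis phase above (monitor for failed logins, compare the activity against a baseline of normal behavior, then record the incident's type and severity with supporting evidence) is easy to describe but easy to get wrong in practice. The following is an added example, not code from the original post, from NIST or from Verteks: it builds a per-account baseline of failed logins per day from a quiet period, then checks a new day and flags accounts whose failures exceed that baseline. The log format, the accounts, IP addresses, thresholds and every log line are constructed for this illustration.

```python
"""Baseline-vs-current failed-login detector (added example, constructed data).

Implements the "detection and analysis" step: parse authentication events,
learn what a normal day looks like per account, flag deviations, and emit an
incident record carrying type, severity and evidence for the responder.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log format (assumption, not a real product's format):
#   2024-03-01T08:00:00 auth=fail user=alice src=10.0.0.5
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def make_lines(spec):
    """Expand (day, result, user, src, n) tuples into n constructed log lines."""
    return [f"{day}T08:{i:02d}:00 auth={result} user={user} src={src}"
            for day, result, user, src, n in spec for i in range(n)]


# Five "normal" days: alice fails a login now and then, bob never does.
BASELINE_DAYS = ["2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04", "2024-03-05"]
BASELINE_LOGS = make_lines([
    ("2024-03-01", "fail", "alice", "10.0.0.5", 1), ("2024-03-01", "ok", "alice", "10.0.0.5", 3),
    ("2024-03-02", "fail", "alice", "10.0.0.5", 2),
    ("2024-03-03", "fail", "alice", "10.0.0.5", 1),
    ("2024-03-04", "ok", "alice", "10.0.0.5", 2),
    ("2024-03-05", "fail", "alice", "10.0.0.5", 2),
    ("2024-03-01", "ok", "bob", "10.0.0.9", 2), ("2024-03-03", "ok", "bob", "10.0.0.9", 1),
])

# The day under investigation: alice is normal, bob is hit from two sources,
# and an account with no baseline at all (svc-backup) sees a burst of failures.
CURRENT_LOGS = make_lines([
    ("2024-03-08", "fail", "alice", "10.0.0.5", 3), ("2024-03-08", "ok", "alice", "10.0.0.5", 1),
    ("2024-03-08", "fail", "bob", "198.51.100.7", 9), ("2024-03-08", "fail", "bob", "203.0.113.4", 5),
    ("2024-03-08", "fail", "svc-backup", "10.0.0.20", 12),
    ("2024-03-08", "ok", "svc-backup", "10.0.0.20", 1),
])


def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped, not counted."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def daily_failures(events):
    """Return {user: {day: failed-login count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "fail":
            counts[e["user"]][e["day"]] += 1
    return counts


def build_baseline(events, days):
    """Per-user (mean, population stddev) of failures per day over a fixed set of
    days. Days with no failures count as zero, so a quiet account gets a low
    baseline instead of being ignored."""
    counts = daily_failures(events)
    return {user: (mean(series), pstdev(series))
            for user in {e["user"] for e in events}
            for series in [[counts[user].get(d, 0) for d in days]]}


def detect(current_events, baseline, min_failures=10, sigma=3.0):
    """Flag (user, day) pairs whose failed logins exceed both an absolute floor
    and mean + sigma * stddev of that user's baseline. The floor stops a user
    with a baseline of zero from being flagged on a single typo."""
    counts = daily_failures(current_events)
    incidents = []
    for user, per_day in sorted(counts.items()):
        mu, sd = baseline.get(user, (0.0, 0.0))  # unseen account: floor only
        threshold = max(min_failures, mu + sigma * sd)
        for day, total in sorted(per_day.items()):
            if total <= threshold:
                continue
            sources = sorted({e["src"] for e in current_events
                              if e["user"] == user and e["day"] == day
                              and e["result"] == "fail"})
            # Multiple sources or a very large burst rank higher for triage.
            severity = "high" if len(sources) > 1 or total >= 5 * threshold else "medium"
            incidents.append({
                "type": "suspected credential attack",  # constructed category label
                "user": user, "day": day, "severity": severity,
                "failures": total, "baseline_mean": round(mu, 2),
                "threshold": round(threshold, 2), "sources": sources,
            })
    return incidents


def run():
    """Build the baseline from the quiet period and analyze the current day."""
    baseline = build_baseline(parse(BASELINE_LOGS), BASELINE_DAYS)
    return detect(parse(CURRENT_LOGS), baseline)


if __name__ == "__main__":
    for incident in run():
        print(incident)
```

Each incident record is the "document everything" artifact of the phase: it names the account, the day, the deviation from baseline and the source addresses that a responder would need for the containment step that follows. The absolute floor (`min_failures`) matters more than it looks; without it, an account whose baseline is zero failures would be flagged on its first mistyped password.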
For all its benefits, a CSIRP is no silver bullet. Even organizations with well-documented processes say their incident response capabilities sometimes fall short of expectations. Forty-five percent of IT security and compliance leaders say their detection and response capabilities are inadequate, according to a recent VMware survey.
Most agree that increased automation would dramatically reduce the time it takes to detect and contain threats, but nearly half of the VMware respondents say they are limited by a lack of in-house expertise and supporting technologies. To address those limitations, many are engaging the assistance of third-party partners that offer managed detection and response (MDR) services.
MDR providers typically use automation to analyze attacks based on their unique tactics, techniques and procedures. For example, Verteks services combine advanced analytics with machine learning to provide automated notifications of suspicious events that exhibit threat characteristics. Over time, machine learning algorithms help build the intelligence necessary to actively hunt for threats and disrupt them in advance of an attack.
Time is of the essence during a cyberattack. An incident response plan can help companies respond quickly and limit the damage. Automated threat detection and response capabilities can help even more. Give us a call to learn more about using our services to enhance your security posture.