Just as firefighters and emergency physicians train to save lives, companies should prepare and train to protect themselves and respond to security incidents. This is increasingly important given the rapidly evolving threat landscape, with targeted cyber attacks by motivated, determined threat actors.
Given this environment, organizations are challenged to evaluate the adequacy of their staff, processes, and technologies to protect, detect, respond and contain incidents caused by advanced attackers.
The following are some questions that organizations should consider:
- Do you have an incident response plan and is it tested on a regular basis?
- When was the last time that your organization independently assessed the incident response practice using expert professional services?
- Is your security staff familiar with the tactics, techniques and procedures (TTPs) of advanced attackers, and do you have the intelligence to constantly evolve your prevention, detection and response capabilities in response to the evolving threat landscape?
- Does your organization have enough visibility, and the capability to detect and alert within minutes on the presence of malicious activity?
Core Capabilities of Preparedness
Preparation is key to implementing an effective protection and response capability. Based on Mandiant’s experience responding to hundreds of security incidents, including the most critical headline-making breaches, organizations should focus on 6 essential capabilities: governance, communications, visibility, intelligence, response and metrics.
Figure 1. Fundamentals of Effective Protection and Response Capability
Does your security organization have the right people, and is it properly organized to respond effectively to security incidents? Are roles and responsibilities clearly defined and documented? Does your staff have the necessary skills, experience and training? Having an adequately staffed, well-trained security organization is a key component for developing a mature security posture.
Formal and informal communication mechanisms allow effective knowledge transfer between internal staff, internal areas, relevant service providers and external entities. A good communication plan not only allows rapid escalation and provides accurate and truthful information, but also ensures information flows are only to the appropriate people and organizations. For example, incorrect or incomplete information provided to the public or the press may cause a significant negative impact and could significantly damage brand and customer confidence.
Does your organization have incident response specialists? Do you have communications and legal experts as part of a communications plan? Are roles and responsibilities clearly defined? When was the last time you tested your incident response communications plan?
Good visibility into your network activity is essential to detecting the potential activities of advanced attackers, much of which commonly goes undetected by traditional security tools such as antivirus or a firewall. Monitoring everything is not feasible, nor is it recommended. Therefore, the organization’s ability to identify and monitor critical assets and the components involved in the processing, storage and transmission of sensitive information is essential.
Having the capability to detect the presence of advanced persistent threats (APTs) with a minimum of false positives is critical to effectively analyzing those alerts. Many organizations receive a lot of noise from their SOC or SIEM tools, which negatively impacts visibility, since the security team simply cannot analyze hundreds or thousands of alerts per day.
Most organizations prioritize intelligence to get familiar with the identity, motivations, tactics, techniques and procedures (TTPs) of the attackers. Having good intelligence about attacker identities, motivations and TTPs is key to developing strong capabilities to prevent, detect and respond.
When breaches occur, speed of response is critical to mitigating damage to the organization. Having a response plan developed is not enough; you need to test the plan on a regular basis. In addition, it is also highly recommended that organizations have an incident response retainer in place with a cyber security consulting firm that specializes in responding to advanced attacks. A retainer allows a company to establish the terms and conditions for providing services in the event of a suspected or confirmed breach. This can significantly reduce response time, and reduce the impact of the incident by responding to and containing the incident quickly.
Companies should use effective cost-benefit metrics to monitor the health and effectiveness of incident response processes and how they contribute to the achievement of information security business goals and objectives. Continuing to assess your effectiveness by using metrics is essential to ensuring your IR capabilities are being tested and maintained.
Organizations should look to evolve their approach to security from a compliance-based, reactive program to a proactive, business-risk-focused program with advanced threat protection. This will help to close the gap between the organization’s capabilities and attacker capabilities, reducing the risk of compromise.
Recommendations for evaluating and strengthening your organization’s security posture and becoming breach-ready include:
- Engage an expert in incident response and advanced threat protection capabilities
- Assess the organization’s protection and security incident response capabilities, both tools and personnel
- Create a strategic and tactical roadmap with prioritized recommendations to improve the maturity of the incident response practice
- Implement the roadmap initiatives and ensure you have an incident response company under a retainer as a safety net and to support your actions when it matters most.
To learn more, attend the upcoming webinar on June 7th: Breach Readiness: The next generation of incident preparedness, presented by Russell Teague, Managing Director, Mandiant, a FireEye Company. In this session, Russell will discuss best practices for raising your organization’s security posture and will share insights on how to control costs during post-breach recovery. To register, go to: https://www2.fireeye.com/Next-Generation-Incident-Preparedness-Webinar.html?utm_source=webinar&utm_medium=luis-blog&utm_campaign=IRR