How Incident Response Addresses Evolving Security Threats
Being prepared for a breach is essential as threats become more widespread and fast-acting. Here’s what you need to know about incident response.
IN THIS ARTICLE
Common Incident Response Mistakes
The Four Phases of an Incident Response Effort
Solutions and Services to Support Effective Incident Response
An Evolving Cybersecurity Environment
Cybercrime is a profitable business venture and a weapon of nation-states and their intelligence agencies. Every modern organization has sensitive information and computing assets that are crucial to its operations and are a tempting target for attackers seeking an easy payday.
Recognizing the potential for outsized profits, hackers have become more sophisticated in their attempts to reach inside organizations and gain access to this hidden treasure. While they still rely on social engineering, ransomware and misconfigured systems, they now exploit those vulnerabilities in a much stealthier manner, hoping to avoid detection until they have time to spring their trap.
In the early days of ransomware, attackers realized that it was very unlikely their victims would detect their presence, and they took their time probing networks and planning their attacks. Today, cybercriminals move rapidly from initial infiltration to complete lockdown, followed by a ransom demand. The time between a user’s first misstep and a ransomware demand shrank dramatically in recent years. The cybersecurity website Dark Reading reported that the median dwell time for ransomware was only five days (compared with 24 days for all cyberattacks), meaning that organizations have very little time to detect an attack before facing a ransom demand. This presents an extremely challenging situation for cybersecurity professionals charged with preventing these attacks.
As the threat landscape evolves, organizations are rapidly shifting the way they use computing resources. Cybersecurity professionals race to keep up with the deployment of cloud services, remote work arrangements, mobile applications, virtual reality, blockchain and other emerging technologies. Management is often unwilling to allocate additional personnel and resources to security teams, requiring existing teams to do more with less.
New technologies promise to assist in these efforts. Most organizations have next-generation firewalls (NGFWs), intrusion prevention systems (IPSs) and encryption deployed effectively and are focusing their attention on protecting endpoints from compromise. This work attempts to prevent lateral movement by attackers and stop the spread of successful attacks.
A GROWING CHALLENGE
Today’s global threat landscape and evolving workplace environments present unique challenges for organizations as they build out their incident response programs.
Attacks unfold far more quickly today than in the past. Organizations may have less than seven days from the time of first compromise until a ransom demand.
Cybersecurity professionals must defend an ever-expanding perimeter as the pandemic drives more remote work and employees increasingly access sensitive data from home.
Current security efforts place an emphasis on endpoint protection. Maintaining secure configurations and current patches protects networks from initial compromise and may contain a successful attack.
LACK OF SECURITY STRATEGY
Incident response programs should be built on a solid cybersecurity strategy. Many organizations rush to purchase new technology solutions without first understanding the gaps in their existing efforts. IT leaders should take the time to develop a security strategy that assesses the risks facing their organizations, and then design controls to remediate deficiencies.
INSUFFICIENT TRAINING
Exercises can be effective only if participants already know their assigned roles and the organization’s incident response philosophy. Organizations should have strong role-based training programs that educate responders about the overall process and their specific duties during an incident.
FAILURE TO USE PLAYBOOKS
Most security incidents follow a few common themes, including ransomware compromises, social engineering attacks and denial of service attacks. Working with a partner to build out playbooks can help prepare an organization for these attacks. Playbooks facilitate consistent responses, keeping the organization ahead of a fairly steep security and incident response learning curve.
LOGGING INCONSISTENCIES
Incident response depends on data. Organizations that don’t consistently log events from systems, applications and devices to a centralized repository will find themselves stumbling in the dark when they try to investigate and respond to an evolving cybersecurity incident.
NO TABLETOP EXERCISES
You play like you practice. Organizations that don’t conduct routine tabletop incident response exercises will not get the practice they need to succeed when an actual incident takes place. Everyone who participates in incident response , from the most senior leaders to frontline IT professionals, should practice regularly to keep skills sharp.
Learn how CDW can help your organization avoid common mistakes and build an effective incident response program.
The Need for Incident Response
52%
The percentage of organizations that do not conduct regular security readiness exercises with corporate leadership1
31%
The percentage of organizations that suffered operational disruptions due to cybersecurity incidents2
46%
The percentage of organizations that are unable to contain a threat within one hour of the initial compromise1
87%
The percentage of IT leaders who believe that increasing complexity is the biggest challenge to managing cybersecurity in their organization2
Sources: 1Kroll, Red Canary and VMware, "The State of Incident Response 2021," April 2021; 2Deloitte, "Deloitte 2021 Future of Cyber Survey," October 2021
The Four Phases of an Incident Response Effort
Breaches are inevitable in today’s cybersecurity environment. The sophistication and proliferation of adversaries makes it virtually impossible to build a bulletproof defense. Cybersecurity leaders must plan to respond to these compromises when they occur.
Incident response plans provide the framework that guides an organization’s response efforts. Fortunately, plenty of guidance is available to assist with this work. The National Institute of Standards and Technology (NIST) has published a Computer Security Incident Handling Guide (NIST SP 800-61) that outlines the four key phases of any incident response effort:
- Preparation: Organizations should build out their incident response programs before disaster strikes, putting policies, procedures and technologies in place to facilitate an effective response.
- Detection and Analysis: The faster a cybersecurity team can identify an incident taking place, the faster it can swing into action to reduce the impact of a breach.
- Containment, Eradication and Recovery: The incident response team’s top priority is to contain the damage, limiting the scope of an incident. Once they have done that, they can move on to eradicate the effects of the incident and recover normal operations.
- Post-Incident Activity: After each incident, the team should gather to review lessons learned and improve the organization’s processes before the next incident response plan activation.
Organizations should structure their own incident response plans around this guidance to strengthen the collective experience of the cybersecurity community.
Key Considerations for Effective Incident Response
An effective incident response strategy should include a thoughtful approach to these areas.
GOVERNANCE
Policies and procedures provide an essential roadmap for incident response. They grant responders the authority to carry out their work and provide a flexible framework for adapting to emerging technologies and evolving threats.
PLANNING
Playbooks provide step-by-step procedures to guide an organization’s work at all stages of the response. They allow IT teams to apply procedures developed in a calm environment to the chaos of an unfolding security incident.
DETECTION
Organizations must maintain visibility into all aspects of their computing infrastructure to detect the early signs of an attack. Modern threats unfold quickly, and centralized logging and correlation of security information is crucial.
TESTING
Annual penetration tests and regular tabletop exercises help ensure that incident response plans fit the current environment and that all team members understand their authority and roles in the event of an actual incident.
RESPONSE
Security teams must be poised to swing into action after the detection of a potential security incident. The faster they can contain an attack, the less damage the organization will suffer.
FLEXIBILITY
While many security incidents share common characteristics, each incident is unique. Incident response plans should set forth the guiding principles for a response and provide helpful procedures and advice, but also allow team leaders the flexibility to adapt to changing circumstances.
RECOVERY
Recovering from a security incident is a time-consuming task, requiring the assistance of subject matter experts from around the organization. Cybersecurity insurance policies may reduce the financial impact of a recovery effort and provide access to expertise.
STANDARDS
Organizations should draw on the collective wisdom of the cybersecurity community when building an incident response program. Publications from NIST and other industry thought leaders provide a strong starting point for any organization’s incident response plan.
Learn how CDW’s AmplifiedTM Security services can help you design an effective incident response program.
Incident Response Technology
Incident response is a complex undertaking that requires talented team members with both breadth and depth of experience. That team can only operate effectively if it has a strong foundation of security tools and information at its disposal. As organizations build out their incident response programs, they should ensure that they have this foundation in place.
Security information and event management (SIEM) and security orchestration, automation and response (SOAR) platforms are the nerve center of incident response. They receive and correlate logs and facilitate response efforts.
Endpoint detection and response (EDR) tools detect security issues on endpoint systems deployed throughout the enterprise. Extended detection and response (XDR) solutions incorporate data from networks, applications and the cloud.
Next-generation firewalls deliver perimeter protection and content inspection capabilities, while web and mail gateway solutions offer specialized security features designed for application-layer protocols.
Backup and recovery solutions provide a fallback in the event of a serious incident. Backups should be performed regularly and kept in a location that is physically and logically isolated from production systems.
PREPARE FOR AN INCIDENT
Building out an incident response program can be intimidating. Fortunately, CDW has helped hundreds of clients through this process.
CDW experts routinely conduct security assessments, provide advisory services for security governance programs, perform configuration reviews of security solutions and run tabletop exercises to help teams assess their incident readiness. They can also conduct penetration tests to gauge the effectiveness of an organization’s security controls and identify weaknesses that an attacker might exploit to gain access to systems and information.
You don’t need to handle incident response on your own. Take advantage of the expertise of CDW’s solution architects to help you design, build and evaluate your incident response program.
TURN TO EXPERT PARTNERS
It’s not always practical to build out an internal incident response team. Cybersecurity teams have a lot on their plate and may find it more efficient to outsource the routine work of monitoring and analysis to a trusted technology partner.
CDW can help you deploy managed detection and response services that reduce the burden on your own cybersecurity team. We can help you evaluate MDR vendors and select a solution that provides you with real-time visibility into your computing environment, ensures that you are collecting relevant security information and provides you with access to third-party expertise in the event of a security breach.
GET STARTED WITH AN ASSESSMENT
CDW offers a variety of services that can help organizations overcome incident response challenges.
A readiness assessment can help your organization evaluate the current strengths of its incident response program and develop a roadmap for improvement. CDW’s incident response experts will help your organization align with industry best practices and ensure that it has the right technologies in place to support an effective response.
During an IR planning and tabletop exercise workshop, CDW experts review your organization’s policy, plan and playbooks, as well as its tools, roles and responsibilities. Through this exercise, our experts also conduct refresher training, perform an IR tabletop exercise (with a review afterward), update your playbook and train your staff on best practices.
A security maturity assessment combines a high-level security framework review and a technical security assessment of your environments. The service aims to provide your organization with an integrated review of its security posture, as well as recommendations for remediation.
Penetration testing involves efforts by CDW security experts to validate the results of a vulnerability scan by playing the role of an attacker and attempting to exploit any vulnerabilities detected. This simulated attack provides deep insight into your organization’s security posture and serves as a test of your existing security controls.
Story by:
Nicole Amsler
Bill Jarrett
Mikela Lea, who joined CDW in 2015 as a Field Solution Architect for security assessments and is now covering the South. Mikela works directly with sales and clients as an information security subject matter expert for incident response, application security, penetration testing, and compliance and governance.
Request an Incident Response Assessment from CDW
