3 Steps to Building a Resilient Incident Response Plan

Image

According to the Accenture State of Cybersecurity 2020 report, the average cost of a cyber attack for 'non-leaders' stands at $380,000 per incident. The report classifies organizations into ‘leaders’ and ‘non-leaders.’ The ‘leaders’ are those who set the bar for innovation and achieve high-performing cyber resilience. Given the rate of cyber attacks today, a security breach can easily run a non-resilient business into a major loss. Not to mention that the cost of data breaches goes beyond money by extending to data compromise. These circumstances necessitate that enterprises develop a robust plan to not just prevent attacks but to also mitigate threats as soon as they appear. The best companies assess their cybersecurity by how fast they can detect a breach as well as close the gap to prevent an attacker from wreaking damage.

Assessing Risk Tolerance Level

The inevitable first step to building a resilient incident response plan is to answer the following two questions:

• What threats are your organization likely to encounter?
• What level of impact would a particular attack have on your organization if it occurs?

These questions help to clarify your risk appetite as they enable you to create possible scenarios for different types of attacks. A risk tolerance assessment determines the flow of security investments, tools and resources. A FinTech company, for instance, definitely has a low tolerance for a data breach given how catastrophic it can be. The executive team of the business must be fully involved in risk tolerance decisions since cybersecurity risks can effectively cripple the business.

Threat Awareness and Detection Training

Employees are the first line of attack. It is impossible to build an effective response plan if workers can’t recognize threats. Even if threat mitigation requires the involvement of the IT team, every employee should be able to detect threats and also be knowledgeable enough to not inadvertently expose the company to threats. Millennials make up most of the workforce in the United States. They are digital natives. But with this status comes obliviousness to attacks because of their tendency to place too much trust on devices. Simultaneously, 90% of data breaches that occurred in the United Kingdom in 2019 were due to human error. This reinforces the need for cybersecurity education. Training for threat awareness and detection should not be a one-off. New cyber threats emerge by the day. Therefore, employees must be kept updated regularly so that they can identify threats. Repetitive training is therefore of the utmost importance.

Incident Response Technologies

The Accenture report ranks different technologies according to their effectiveness in incident response. From top-down, they are as follows:

Security, Orchestration, Automation & Response (SOAR)

SOAR is an incident response technology that helps to mitigate threats with minimal human effort, providing adaptive defense. A relatively new technology, it is often confused with System Information and Event Management (SIEM), another threat intelligence and threat detection technology.

But SOAR and SIEM are not the same. The major difference between SOAR and SIEM is that the former monitors threats from a broader perspective. SOAR systems integrate inputs from other security monitoring tools (including SIEM) under one platform.

Using a digital decision-making workflow format that derives from machine learning, organizations can use SOAR to define response procedures, mainly to low-level threats.

There are two main components of SOAR systems.

• • Orchestration: This is the integration aspect of SOAR by which the system coordinates and analyzes alerts from multiple security tools.
  • Automation: The implication of using multiple security tools is that there could be multiple threat instances to detect across different solutions. SOAR provides a framework for executing threat neutralization tasks.

SOAR systems provide a holistic approach to cybersecurity and particularly threat intelligence.

Risk-Based Authentication

It is no longer news that password protection does not provide enough data security. Systems that are password-protected need additional layer(s) of security that:

• • Prevents unidentified access to data.
  • Do not complicate the user login process.

Risk-Based Authentication, also known as adaptive authentication, works by determining the risk of a login attempt by assessing the context using real-time intelligence. Details assessed include device information, network connection, IP address, location info, data sensitivity, etc. Based on this information concerning the risk of a breach, it calculates a risk score by which access is either granted or restricted.

How RBA operates:

• • On a low risk, (if the user details are familiar, such as using the same device as always) access is granted.
  • On a medium risk, (if the user details are not familiar, such as access from a different network) the system requests additional details to ascertain the identity of the person.
  • On a high risk, it blocks access.

Next-Generation Firewall

According to Gartner, “next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”

The most advanced traditional firewalls use a stateful packet filtering model. NGFWs go beyond this by filtering packets based on applications rather than just the traffic context. The application awareness properties allow you to define application-specific rules for security regardless of context. This provides a deeper level and dynamic model of inspection.

NGFWs do all that traditional firewalls can do and more. Major areas in which a next-generation firewall is different from a traditional firewall, apart from application awareness, include:

• • A higher level of stateful inspection,
  • Integrated Intrusion Prevention System (IPS),
  • Deep Packet Inspection (DPI), and
  • Threat Intelligence.

Overall, NGFWs reduce threat detection to a matter of seconds, and they can prevent malware from entering a network. NGFWs can also be integrated with other security systems such as SIEM software, authentication tools, etc. This provides comprehensive network visibility and adaptive management.

Privileged Access Management

Privileged user accounts are high-risk because unauthorized access to them can have far-reaching effects on the organization. These accounts have access to the most confidential information and are prime targets for cyber attackers. According to a survey report published last year, 74% of data breaches involved privileged access credential abuse.

That shows that there is a lot of difference that effective Privileged Access Management (PAM) can bring to the security of an organization, especially when using a Zero Trust approach. PAM includes the secure storage of privileged users’ credentials as well as defines stringent access requirements to privileged accounts. According to Microsoft, the four steps involved in PAM setup are as follows:

• • Prepare. Identify privileged groups.
  • Protect. Set up authentication requirements.
  • Operate. Approved requests get just-in-time access.
  • Monitor. Review auditing, alerts, and reports.

PAM is different from Identity Access Management (IAM), which is concerned with authentication for all users and accounts instead of elevated access. PAM is less of a technology than an approach.

Conclusion

Every organization, big or small, will face cyberattacks at some point in their lifespan. The important question is: how prepared is your organization if one were to happen now? A resilient incident response plan involves the assessment of risks that your organization may be exposed to as well as using the appropriate technologies and systems to mitigate such risks. The speed and efficiency of your organization’s response to cyber threats determine how resilient your cybersecurity is.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.