In order to get back on track from the ongoing pandemic, organizations have to take into account a completely altered reality, which is very different from what we’ve been taught so far. Many companies have restructured their business continuity plans to stay afloat during this unprecedented time. Many of these measures are not only point-in-time responses to the current crisis but are also expected to continue after COVID-19. With accelerated digitization across businesses, cyberattacks are becoming more sophisticated, precise, and targeted than ever before. To this, add the sheer volume of security alerts and false positives; it’s like searching for a needle in a haystack. The IT team is suffering from burnout, leaving organizations with hulking security risks and corresponding financial risks.
By Satya Machiraju, VP, Information Security, Whatfix
The threat of cybercrime is ever increasing and is having a significant impact on enterprises. To protect against cyberattacks, companies need to get back to the basics of security by design and integrating cybersecurity into their entire system life cycle. Almost every organization nowadays is vulnerable to being breached, whether it is due to its own security weaknesses or the weaknesses of its critical suppliers. Because of this, digital platforms need to be treated as critical infrastructure – a centralized mechanism for detecting and responding to security incidents should be put in place. If data or functionality are lost, it can be crippling, regardless of the threats. Having an incident response plan and disaster recovery plan allows you to minimize risks and prepare for a variety of events.
What is an Incident Response Team?
Incident response teams, also called incident response units, plan for and respond to IT incidents, such as cyberattacks, system failures, and data breaches. Additionally, these teams can develop incident response plans, identify and resolve system vulnerabilities, enforce security policies, and evaluate security best practices.
An organization’s incident response teams should be made up of subject matter experts from various domains/departments with reasonable authority and expertise to respond to an incident as soon as it is noticed. Organizations with an incident response team are able to handle incidents in a structured manner. Documenting and testing an incident response plan allows an organization to respond and recover from an incident faster, with minimal impact on its customers and stakeholders.
Incident Response Team: A Blueprint for Success
An average company generates around 30 GB of security log data per day, which is close to 30,000,000 events. Almost all security operations teams find it challenging to separate the wheat from the chaff, so they fail to connect the dots and identify the critical chain of events; as a result, breaches go undetected or are not responded to immediately. This is primarily owing to too many error-prone manual processes, a lack of the highly skilled talent needed to solve all of this, and the inability of a human to crunch or process such large chunks of data.
Automating incident response enables the security operations team to let tools or systems address the known issues with known resolutions. This allows them to focus on more critical issues or enhancements of the business. There are various commercial and open-source SOAR (Security Orchestration, Automation and Response) solutions that help the security teams in their journey towards automation.
SOAR is typically a collection of software solutions or tools that allow security teams to streamline security operations in threat and vulnerability management, incident detection and response, and security operations automation. SOAR allows security teams to collect threat-related data from a range of sources and automate the responses to the threat.
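As an added illustration of the automation described above (example code written for this article, not a tool or process from Whatfix or the author): a small playbook-driven triage routine in Python over constructed alerts. The alert types, hosts, addresses, and playbook texts are assumed for the example; it auto-closes alerts with a known resolution, correlates several failed logins followed by a success from the same source into one escalated chain, and queues anything without a playbook for an analyst.

```python
from collections import defaultdict
# Constructed sample alerts (not real data): what a SIEM might hand a SOC in one hour.
ALERTS = [
    {"id": 1, "type": "failed_login", "host": "vpn-gw", "user": "alice", "src": "203.0.113.7", "ts": 100},
    {"id": 2, "type": "failed_login", "host": "vpn-gw", "user": "alice", "src": "203.0.113.7", "ts": 101},
    {"id": 3, "type": "failed_login", "host": "vpn-gw", "user": "alice", "src": "203.0.113.7", "ts": 102},
    {"id": 4, "type": "successful_login", "host": "vpn-gw", "user": "alice", "src": "203.0.113.7", "ts": 130},
    {"id": 5, "type": "failed_login", "host": "vpn-gw", "user": "carol", "src": "192.0.2.5", "ts": 135},
    {"id": 6, "type": "av_quarantined", "host": "ws-17", "user": "bob", "src": "", "ts": 140},
    {"id": 7, "type": "port_scan", "host": "web-01", "user": "", "src": "198.51.100.9", "ts": 150},
    {"id": 8, "type": "process_injection", "host": "ws-17", "user": "bob", "src": "", "ts": 160},
]
# Playbooks (assumed for the example): a known issue mapped to its known, pre-approved resolution.
PLAYBOOKS = {
    "av_quarantined": "close: endpoint already contained the file; record for metrics",
    "port_scan": "auto: block source at the edge for 24h; close",
    "failed_login": "close: single failed login, below correlation threshold",
    "successful_login": "close: routine login",
}
def correlate_bruteforce(alerts, window=60, threshold=3):
    """Link >= threshold failed logins followed by a success for the same user/source within window seconds."""
    fails, chains = defaultdict(list), []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["user"], a["src"])
        if a["type"] == "failed_login":
            fails[key].append(a)
        elif a["type"] == "successful_login":
            recent = [f for f in fails[key] if a["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                chains.append({"user": a["user"], "src": a["src"],
                               "alert_ids": [f["id"] for f in recent] + [a["id"]]})
    return chains

def triage(alerts):
    """Return (automated, escalated): playbook hits are resolved by the tool, the rest go to an analyst."""
    automated, escalated = [], []
    chains = correlate_bruteforce(alerts)
    chained = {i for c in chains for i in c["alert_ids"]}
    for c in chains:  # a correlated chain outranks the individual low-priority alerts inside it
        escalated.append(("P1", f"possible credential compromise: {c['user']} from {c['src']}", c["alert_ids"]))
    for a in alerts:
        if a["id"] in chained:
            continue
        if a["type"] in PLAYBOOKS:
            automated.append((a["id"], PLAYBOOKS[a["type"]]))
        else:  # no known resolution: this is what the human team should spend its time on
            escalated.append(("P2", f"no playbook for '{a['type']}' on {a['host']}", [a["id"]]))
    return automated, escalated
```

Note that alert 5 (a lone failed login) is closed by playbook while alerts 1 to 4 are raised together as one P1 item, which is the "connect the dots" step that isolated per-alert rules miss.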
Building an Effective Incident Response Plan
In every industry, data breaches have become an inevitable part of doing business. For organizations to minimize damage, while also reducing costs and recovery times, it is important to have incident response plans in place. The use of incident response plans allows organizations to respond quickly and effectively to security incidents. In order to respond quickly to cyber incidents, organizations must develop a proactive and responsive set of capabilities as part of their incident response plans. The basic process could be summarized as follows:
- Establish an Incident Response team
- Identify your assets and crown jewels
- Identify the threat vectors associated with your assets and crown jewels
- Implement monitoring capabilities to identify the threats/attempts
- Document your threat response guidelines
- Document the incident communication processes
- Train employees to be vigilant, to alert stakeholders
- Test the Incident response plan
- Document the learnings
- Incorporate the learnings
An incident could have implications from legal, regulatory, privacy, and contractual perspectives as well. An inadequate or incorrect approach to handling an incident could have serious ramifications in the aforesaid areas. Having a team responsible for incident detection and response lets the organization and its workforce consult the subject matter experts about any specific suspicious activity, thereby ensuring that immediate action is taken. The incident response team can also ensure that the response to suspicious activity or a breach is performed in line with the incident response plan, and it would be able to address any situation that is not captured in the plan.
Securing the Digital Workforce
As a result of a mostly or entirely remote workforce, organizations are more susceptible to security breaches and less able to respond to potential security incidents. A remote workforce incident can be effectively handled by identifying the impacts, updating the incident response plan, and communicating the new plan to the incident response team. In light of increasing cyberattacks that threaten business operations and reputation, developing an effective Cyber Incident Response Plan (CIR) becomes essential for organizations to stay on top of the cybersecurity curve.
About the Author
Satya Machiraju is the VP of Information Security at Whatfix. Satya leads Whatfix’s security team by developing and deploying processes and solutions to minimize and mitigate cybersecurity and regulatory compliance risks. Satya is based in India and is passionate about protecting customers’ information, as well as creating a culture of cybersecurity preparedness across Whatfix by putting “security first.”
Satya brings over two decades of experience in cloud security and architecture, global cyber security and enterprise risk management, regulatory compliance consulting, information security strategy consulting, IT governance and project management, vendor and partner risk management, and privacy and regulatory compliance. Prior to Whatfix, Satya was VP/CISO at Qualfon, Senior Director of Information Security at 7.ai, and Senior Manager of Information Security at Aditya Birla Minacs Worldwide, Ltd.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.