Recently I heard someone say that Incident Response (IR) was a “reactive” service: the cyber security equivalent of chasing after the bolting horse. Now, at a stretch, that would have been true(ish) a few years back, but IR really has evolved for the better. SecureLink have a range of IR services that sit in both the proactive and reactive camps. It’s the proactive consultancy work that tends to generate the most questions from clients. The most frequently asked of all: “What should we be doing to improve our IR?” The list is rather long, but there are some basics that anyone can do:
First up, you need an incident response plan (IRP), and unlike a lot of things, something is not always better than nothing. A bad IRP can confuse people, and prolong an incident as much as, or more than, having no IRP at all. Unlike your CV, just downloading the first template from Google and changing the name won’t help! Yes, there are some key things an IRP needs, but the majority of IRPs written at SecureLink are bespoke. It is only when you really tailor an IRP to your business and its needs that you get the full benefit.
Secondly, you need well-trained staff, both within IT security teams and the wider workforce. With a little training your entire organisation can become a line of defence against the nefarious attackers that lurk in all corners of the web, reporting phishing emails and possible breaches quicker than your SIEM can say “automated alert”. With the right reporting policy in place this can be a lifesaver. Combine that with your IT security staff training, and you are on to a winner. IT staff that can act as first responders can reduce your incident costs, and make learning from and fixing issues easier. We work with some organisations that handled low-impact incidents totally in-house; the only way to do that with confidence is with regular IR training.
Third and finally, you will require a well-implemented IT security framework. I am talking pen tests, network monitoring, build reviews, anti-virus and patched systems. Why do we want this? Us IR folks are fame hungry and want to work on the cool stuff that gets the infosec rock stars on Twitter twitching. We don’t want to have to constantly deal with ransomware outbreaks and script kiddie stuff. Doing the basics well drastically reduces the small annoying incidents, so you can concentrate on the sophisticated smart stuff. Basically, if you are proactive with the easy stuff, we can work with you to help you be reactive to the sexy zero-day stuff. In the long run this will save you lots of money.
Obviously this isn’t a comprehensive list, but it is a great starting point. To any CISO sat reading this thinking “we have none of that”, don’t panic, help is at hand. Crafting an IRP or a training plan for clients is the mainstay of our IR consultancy service. We work with clients over weeks to try and map out the safest and quickest way to remediate an incident, and then learn from it. One of the great things about SecureLink helping out on your IRP is that you can learn from other people’s mistakes too. We can share dos and don’ts that we only know through looking at hundreds of plans. In short, yes, if you are unlucky and get attacked, we can help, but we can also help you plan for the unlucky.
To read more about our incident response services, go to our SecureResponse page.