Years ago cyber security was relatively simple. Back then, monitoring programs were designed for (and perfectly capable of) the detection of threats like worms and viruses. Back then, this type of defense was sufficient, mainly because the attacks themselves were more basic in nature and therefore relatively easy to control. Back then, it was all about protection. Today, it’s more about response. More importantly, it’s about making sure the right cyber security incident response components are in place in order to identify, address and overcome the increasingly complex threats and attacks.
- Observation – This stage takes monitoring well beyond traditional signature-based detection. In order to combat sophisticated attacks and advanced persistent threats (APTs), security professionals must employ the appropriate tools and technologies to engage in real-time threat detection. This includes round-the-clock oversight of all systems and networks. It’s important to remember that security incidents are not uniform. In order to understand and manage incoming threats, in-depth observation across the entire organization is required.
- Orientation – Once an incident has been identified and adequately observed, the IT team must then orient itself to discern the attack’s context. Simply recognizing that an attack is imminent isn’t enough. IT must also gain insight into the meaning behind that attack. This is often closely tied to what’s happening within the organization, such as the rollout of a new software package or the establishment of a new strategic partnership. The more IT can determine about the reasons behind the attack, the better it will be able to not only mitigate the current incident but also develop a more solid cyber security incident response strategy moving forward.
- Decision – With a clear understanding of the incoming threat and the reasons behind it, the IR team must then move on to the next step of deciding what actions to take. This can be particularly challenging, especially in organizations with complex hierarchies, because it often requires quick action based on executive input. Furthermore, all decisions must be documented and defensible. Those who are working on the front line need access to information in a timely and efficient manner if they are to take the appropriate steps to thwart an attack and mitigate damages. This is one area where organizations must take a proactive approach to avoid bottlenecks and costly delays.
- Action – Lastly, the corresponding action must be taken to contain the threat and limit the damage it could potentially cause. Because incidents vary greatly in complexity and context, the cyber security incident response team will require broad access to the entire network. Ongoing training and routine security audits can help prevent the problems this broadened access can itself introduce. The use of best practices based on past documented incidents can also create a more effective response strategy.
Of course, all of these things are important. Unfortunately, few if any organizations are capable of handling this task without the assistance of technology. After all, the criminals behind these attacks are doing the same. Automation can be the glue that holds everything together and facilitates a stronger and more seamless cyber security incident response plan. With automated IR, all incoming threats are instantly detected (observed) and analyzed (oriented). Based on this information, the appropriate steps (decisions) are automatically set into motion (action). Best of all, this can all be done with little to no human input, and it’s available 24/7/365.