Is Your Cyber Security Incident Response Plan Really Up to Par?

Unfortunately, today’s IT professionals know all too well that we live in a “when, not if” world of cyber-security threats. With attacks becoming more and more sophisticated, complex and effective, and the ongoing, relentless persistence of would-be hackers, no organization is safe from becoming a potential target. If you haven’t assessed the status of your cyber security incident response strategy lately, chances are you are more vulnerable than you may think.

Application and Software Security

Like it or not, every single piece of software out there has some type of vulnerability. What’s more, many of these potential risk factors have never even been tested. It’s only a matter of time before these dangers are discovered and exploited by cyber-criminals. So what can you do? Simple. Take a defensive stance and a proactive approach using automation as your foundation for security. That way as soon as an incident occurs, it can be automatically and instantly addressed.

Data Enrichment Capabilities

When a cyber-attack occurs, there’s plenty of information that will inevitably be generated about the incident. To truly protect against these damages, IT personnel need much more than just basic incident data. They must also collect and analyze relevant information about the context of the incident, as well as its legitimacy and severity. By leveraging automation as part of a comprehensive cyber security incident response strategy, valuable data can be correlated from multiple systems and instantly evaluated, categorized and prioritized.

Saving Time and Money

Most experienced IT pros will tell you that they spend the majority of their time not addressing the overall big-picture of cyber-attacks, but rather putting out fires and managing internal issues. Not only is this extremely time consuming, but it’s also a waste of valuable money. Incorporating automation into the cyber security incident response strategy reduces IT department workload by eliminating the need for personnel to respond to weaknesses manually.

Furthermore, response times are dramatically decreased, as are the costs associated with securing systems and networks while simultaneously enabling more scalable, effective incident responses. It also helps to streamline compliance efforts.

Staying a Step Ahead

The best way to thwart would-be cyber-attacks is to prepare for them ahead of time. With the right automation tool, part of an organization’s cyber security incident response plan can include the identification and development of “what if” scenarios and the subsequent cultivation of IT security best practices and pre-defined remediation procedures. By planning ahead, your company will be much better positioned to ward off attacks and minimize any damages suffered as a result of successful infiltrations. Essentially, automation allows you to fight fire with fire, drastically decreasing the potential risks associated with cyber security incidents.

If you haven’t conducted an audit of your cyber security incident response strategy any time recently, chances are you are ripe to become a target in the near future. Protect your business, your sensitive data and your precious reputation by investing in a solid incident response plan that has automation as its foundation.

Don’t wait until it’s too late! Get started today by downloading your free 30 day trial of eyeShare.

eBook: 5 Reasons You Should Automate Cyber Security Incident Response

Cyber Security Incident Response? 4 Steps to Success…

It never hurts to go back to basics. Recently, we were surprised by the confusion of some organizations about the process of cyber security incident response, so we thought: why not put a quick incident management primer down on paper?

For successful incident management, you first need a process: a repeatable sequence of steps and procedures. Such a process may include four broad categories of steps: detection, diagnosis, repair, and recovery.

1 – Detection

Identification

Problem identification can be handled using different tools. For instance, infrastructure monitoring tools help identify specific resource utilization issues, such as disk space, memory, CPU, etc. End user experience tools can mimic user behavior and identify problems from the user’s point of view, such as response time and service availability. Last but not least, domain-specific tools enable detecting problems within specific environments or applications, such as a database or an ERP system.

On the other hand, users can help you detect unknown problems that are not reported by infrastructure or user behavior monitoring tools. The drawback of problem detection by users is that it usually happens late (the problem is already there); moreover, the symptoms reported may point you in the wrong direction.

So which method should you use? Depending on your environment, a combination of multiple methods and tools is usually the best solution, since no single tool can detect every problem.

Logging events will allow you to trace them at any point to improve your process. Properly logged incidents will help you investigate past trends and identify problems (repeating incidents of the same kind), as well as establish who took ownership and responsibility.

Classification of events lets you categorize data for reporting and analysis purposes, so you know whether an event relates to hardware, software, service, etc. It is recommended to have no more than 5 levels of classification; otherwise it can get very confusing. You can start the top level with something like Hardware / Software / Service, or Problem / Service request.

Prioritization lets you determine the order in which the events should be handled and how to assign your resources. Prioritization of events requires a longer discussion, but be aware that you need to consider impact, urgency, and risk. Consider the impact as critical when a large group of users are unable to use a specific service. Consider the urgency as high when the impacted service is of critical nature and any downtime is affecting the business itself.

The third factor, the risk, should be considered when the incident has not yet occurred, but has a high potential to happen, for example, a scenario in which the data center’s temperature is quickly rising due to an air conditioning malfunction. The result of a crashing data center is countless services going down, so in this case the risk is enormous, and the cyber security incident response should be handled at the highest priority.
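The classification and prioritization rules above, written out as a small triage model. This is an added illustration, not code from the original post or from eyeShare; the numeric thresholds (what counts as a “large group” of users, the P1 to P4 scale) and the sample events are assumptions.

```python
"""Classify and prioritize incident events by impact, urgency and risk."""
from dataclasses import dataclass

MAX_CLASSIFICATION_DEPTH = 5   # primer: no more than 5 levels of classification
LARGE_USER_GROUP = 100         # assumed threshold for "a large group of users"


@dataclass
class Event:
    summary: str
    classification: tuple            # top level e.g. Hardware / Software / Service
    affected_users: int = 0
    service_critical: bool = False   # any downtime affects the business itself
    occurred: bool = True            # False for a risk that has not yet materialized
    potential: str = "low"           # likelihood if not yet occurred: low/medium/high


def validate_classification(path):
    """Reject empty or over-deep classification paths (confusing past 5 levels)."""
    if not 1 <= len(path) <= MAX_CLASSIFICATION_DEPTH:
        raise ValueError(f"classification depth must be 1..{MAX_CLASSIFICATION_DEPTH}: {path}")
    return "/".join(path)


def impact(event):
    """Critical when a large group of users cannot use a service."""
    if event.affected_users >= LARGE_USER_GROUP:
        return "critical"
    return "moderate" if event.affected_users > 0 else "low"


def urgency(event):
    """High when the impacted service is critical to the business."""
    return "high" if event.service_critical else "normal"


def risk(event):
    """Only meaningful for incidents that have not happened yet."""
    return "n/a" if event.occurred else event.potential


def priority(event):
    """Return P1 (highest) .. P4 (lowest) from the three factors."""
    validate_classification(event.classification)
    if risk(event) == "high":        # e.g. data center overheating before any outage
        return 1
    imp, urg = impact(event), urgency(event)
    if imp == "critical" and urg == "high":
        return 1
    if imp == "critical" or urg == "high":
        return 2
    return 3 if imp == "moderate" else 4


def triage(events):
    """Order events for handling; ties keep submission order."""
    return [(priority(e), e.summary) for e in sorted(events, key=priority)]


# Constructed sample events, not real incident data.
SAMPLE_EVENTS = [
    Event("Single user reports slow login", ("Service", "Portal", "Response time"), affected_users=1),
    Event("ERP unavailable for all 500 users", ("Software", "ERP"), affected_users=500, service_critical=True),
    Event("Dev file server at 95% disk", ("Hardware", "Storage", "Disk space")),
    Event("Data center temperature rising, AC fault", ("Hardware", "Facility", "Cooling"),
          occurred=False, potential="high"),
]

if __name__ == "__main__":
    for p, summary in triage(SAMPLE_EVENTS):
        print(f"P{p}: {summary}")
```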

2 – Diagnosis

Diagnosis is where you figure out the source of the problem and how it can be fixed. This stage includes investigation and escalation.

Investigation is probably one of the most difficult parts of the process. In fact, some argue that when resolving IT problems, 80% of the time is spent on root cause analysis and only 20% on actually fixing the problem. With more straightforward problems, runbook procedures may be very helpful to accelerate an investigation, as they outline troubleshooting steps in a methodical way.

Runbook tip: The most crucial part of the runbook is the troubleshooting steps. They should be written by an expert, and be detailed enough so every team member can follow them quickly. Write all your runbooks using the same format, and insist on using the same terms in all of them. New team members who are not familiar yet with every system will be able to navigate through the troubleshooting steps much more easily.

Following the runbook can be very time consuming and lengthen the recovery time immensely. Instead, consider automating the diagnostic steps by using run book automation software. If you build the flow cleverly and weigh in all the steps that lead to a conclusion, automating the diagnostics process will give you quick answers, and help you decide what your next step is.

Escalation procedures are needed in cases when the incident needs to be resolved by a higher support level.

3 – Repair

The repair step, well… it fixes the problem. This may sometimes involve a gradual process, where a temporary fix or workaround is implemented primarily to bring back a service quickly. Cyber security incident response may involve anything from a service restart or a hardware replacement to a complex software code change. Note that successful cyber security incident response does not mean that the issue won’t recur, but more on that in the next step.

Here too, straightforward repairs such as a service restart, a disk cleanup and others can be automated.

4 – Recovery

The recovery phase involves two parts: closure and prevention.

Closure means following up on any notifications previously sent to users about the problem, and on any escalation alerts, by notifying the recipients that the problem has been resolved. Closure also entails formally closing the problem in your logging system.

Prevention relates to the activities you take, if possible, to prevent a single incident from occurring again in the future and therefore becoming a problem. Implement two important tools to help you in this task:

RCA process (Root Cause Analysis)

The purpose of the RCA process is to investigate the root cause that led to the service downtime. It is important to mention that the RCA process should be performed by the service owners, who are not necessarily the ones who solved the specific incident. This is an additional reason why incident logging is so important: the information in the ticket is crucial for this investigation process.

Incident reports

While an incident report will not prevent the problem from occurring again, it will allow you to continually learn and improve your cyber security incident response process.


Cyber Security Incident Response – Zero-Day Linux Flaw Demonstrates Need Now More than Ever

The recent discovery of a long-standing critical flaw in the Linux kernel has potentially left millions of end-users vulnerable to a cyber-attack. While the discovery of the flaw was recent, it turns out the vulnerability has actually been present in the code since as early as 2012. This means that for approximately 4 years, attackers have had the ability to gain privileges on affected devices. This serves as another stark reminder of the critical importance of a quality cyber security incident response strategy.

The number of devices that could potentially be impacted by this recent flaw could stretch into the tens of millions, since it affects any operating system that has Linux kernel 3.8 or higher, both 32-bit and 64-bit. Of even greater concern, however, is that it also affects Android versions KitKat and above, which indicates that nearly 66% of all Android devices are currently exposed to the critical flaw.

So what, exactly, is the impact of the newly discovered zero-day Linux flaw? Well, for starters, local access on any Linux server is all that a would-be attacker would need in order to exploit the problem. If successful, the attacker would be able to gain root access to the end-user’s operating system, enabling them to view private information, delete files and install additional malicious applications.

One of the reasons this flaw is so newsworthy is that flaws in the Linux kernel are typically patched immediately upon detection. For this reason, Linux-based operating systems have long been considered to be among the most secure. This zero-day vulnerability has been present for almost 4 years, leaving any individual or business that uses a Linux server exposed to potential cyber-attacks.

The good news is, the Linux team is now aware of the issue and has made assurances that a patch is in the works. It also doesn’t appear that any would-be hackers have yet attempted to take advantage of the flaw. What this does point out, however, with glaring obviousness, is yet again how incredibly critical it is to have an adequate cyber security incident response plan in place.

Too often, businesses in particular account for only one piece of the security puzzle. They invest tens to hundreds of thousands of dollars into monitoring systems, assuming that this alone will be enough to keep them ahead of potential attacks. Unfortunately, given that these monitoring systems must be staffed by humans, coupled with the volume and complexity of incoming threats, the chance of a serious attack being missed is alarmingly high. This is precisely what occurred in the Target breach of a few years ago.

The solution to this dilemma is fortifying the cyber-security incident response strategy with an automation tool. This removes the human element from the process. Technology can then handle the daunting task of assessing, verifying and prioritizing every legitimate threat that comes in. The automated tool will then execute the appropriate next steps, right through the final resolution, completing the process and closing the loop.

Thankfully this particular flaw was identified and addressed by one of the “good guys,” but make no mistake – had it been discovered by an attacker first, the outcome would have been potentially devastating. Like it or not, we are all at risk of a potential cyber-attack, especially businesses. Taking a proactive approach by developing, implementing and solidifying a strong cyber security incident response plan is absolutely critical in order to keep systems – and all the important sensitive data contained within – safe from a potential breach.

Is your cyber security strategy as strong as it should be? If you’re not absolutely confident that it is, the time to act is now, before you fall victim to an online attack. To start your free 30 day trial, click here.


How the Right Cyber Security Incident Response Strategy Can Help Mitigate Damages

2016 is barely off to its start and cyber-attackers are already proving it to be what many believe will be the most dangerous year yet. Just a few days into the New Year, the signature Web Attack: Mass Injection Website 19 began registering significant spikes. This particular signature is used to detect incidents in which a hidden script is present within a compromised website. When a user browses that website, the script is triggered and redirects the user to a website that hosts malicious code. An automated cyber security incident response strategy could mean the difference between a mere blip and a potentially huge impact.

Nobody is Immune

One of the most disturbing revelations from this latest cyber security event is the fact that not only did it impact thousands of websites in multiple geographic locations, but that many of those sites were among those people believe to be the most secure. For instance, of the websites found to have been injected with the malicious script, many were government sites as well as sites ending in .edu. Prominent business sites were also among the targets of the attack.

What this demonstrates is that nobody is 100% safe from a security threat. The key is having the right cyber security incident response plan in place to help identify incidents as soon as they occur, before they have time to wreak havoc.

The Potential for Damages

While in this specific case there do not appear to have been any malicious downloads associated with this particular injection attack, that’s not to say that it’s not of significant concern. That’s because the attack is believed to be a possible act of reconnaissance in an attempt to learn more about users. The information gathered could very well be used in a future attack, which could include anything from SEO poisoning to the delivery of malware to compromised and unprotected users.

Automation = Mitigation

It’s important to point out that there is no way to truly prevent or avoid every potential attack that could occur. As criminals are becoming savvier, their attempts are becoming equally sophisticated. The best course of action is to develop and implement a cyber security incident response strategy that is comprehensive enough to help identify potential attacks immediately. Automation is critical to this process, as it allows round-the-clock surveillance and instant, automatic remediation.

By incorporating tools like IT process automation into your cyber security incident response plan, every single incident that could potentially be a threat is immediately identified and assessed behind the scenes to determine its validity and severity. The information gleaned from this evaluation is then used to determine the next steps in the process, whether it’s to execute a particular response automatically or to escalate the issue to be handled by the appropriate party. Notification can be set up to go out via email or SMS.

Even though cyber-attacks cannot always be completely prevented, having such a robust strategy in place allows for a more swift and effective response. This reduces the impact of an attack and subsequently allows for the mitigation of damages. For instance, instead of having to track back and identify the cause of a system outage, a process that could take hours or even days, the right cyber security incident response strategy will pinpoint the problem and help you reduce downtime significantly.

Does your security plan have what it takes to address the changing complexities of cyber-attacks? Don’t become the next victim.

Protect your business and your sensitive data by investing in automation. Download your free 30 day trial to get started right away.


Webinar: How to Turbo Charge Your Cyber Security Incident Response Strategy

Is your cyber security incident response plan truly strong enough to keep your organization’s sensitive data safe from falling into the wrong hands? With cyber-criminals becoming more sophisticated by the day and their efforts multiplying at an alarming rate, no business is safe. More importantly, without the right technological tools, your IT department cannot adequately safeguard information, which means increased vulnerability and immeasurable potential loss.

What if there was a way that you could fortify your security strategy to make catching potential threats easier, more affordable and more efficient? Great news – there is! Automation can be leveraged as a force multiplier for your CSIRT (Computer Security Incident Response Team), making your data, and your organization, much safer from would-be criminals. And while no plan can ever fully eliminate risk, the more you proactively strengthen your approach, the more you can mitigate any potential damages.

Want to learn more? Join us Wednesday, February 24th, 2016 at 12pm EST / 9am PST for a free webinar entitled “How to Turbo Charge Your Cyber Security Incident Response Strategy with Automation”. This informative presentation will delve in-depth into a number of helpful topics, including several compelling reasons why you should automate cyber security incident response as well as how to deal with several concerns associated with automated incident response.

We will also demonstrate a real-life scenario of this type of automation so you can witness it firsthand.

If you’d like to prevent your organization from becoming the next victim of a cyber-attack, this webinar is an absolute must attend.

Space is limited, so be sure to reserve your spot right away. Click here to sign up now!


Automation of Cyber Security Incident Response: What You Need to Know

These days, it seems there’s a high profile security breach in the news almost daily. The truth is, cyber-attacks happen to businesses of every size, shape and industry, and just because the story may not make the news, the ramifications can be nothing short of devastating. Organizations are under increasing pressure to ensure that when (not if) an attack occurs, they are fully prepared to respond swiftly and effectively to mitigate any potential damages. Let’s take a look at the role automation can and should play in your cyber security incident response strategy.

Without automation, monitoring and managing incidents is up to IT personnel, a team that is most likely already overworked and completely overwhelmed. Given the enhanced sophistication and ever-increasing number of today’s attacks, and the budgetary constraints most organizations are under, which limit their staffing potential, the results of a breach could be catastrophic. Here are just a few of the problems that can arise when cyber security incident response is handled manually:

  • Difficulty keeping up with volume of incoming threats
  • Errors due to miscommunication and confusion
  • Lack of adequate, real-time visibility
  • Inexperience with significant and/or high-pressure events
  • Missed or delayed response
  • Increased expenses

The larger the organization, the greater the risk, as the number and complexity of incoming incidents are naturally higher. Still, even small to mid-sized companies must be vigilant about protecting their assets from a potential virtual attack. Hiring additional staff is typically not an option, and as seen in the list above, even when staffing levels are adequate, human error can be a real issue. That’s why automation is so effective.

The fact is, cyber criminals do not discriminate. Your staffing woes or lack of adequate protection could make you a prime target for an attack. Do you have a plan in place? By incorporating automation into your cyber security incident response strategy, you remove the human element from the equation. Not only does this dramatically speed up the process, but it also eliminates the risk of costly human error.

From a reactive standpoint, the moment a potential incident is detected, your automated system will immediately identify and evaluate it for legitimacy and severity. This process will occur each and every time a threat comes in, even if there are thousands a day – something human personnel simply cannot handle. Depending on the outcome of each threat’s analysis, the system will then automatically trigger the appropriate response.

To address the limitations of traditional, manual cyber security incident response, automation presents the following quantifiable benefits:

  • Ability to integrate seamlessly with existing systems (SIEM, monitoring programs, malware analysis, etc.)
  • Reduces risk of any threats slipping through the cracks
  • Provides real-time visibility and control
  • Ability to automate everything from simple tasks to complex workflows
  • Saves time, money and resources

Furthermore, with the right automation tool, previous incidents can be analyzed by IT leaders to help identify and define best practices going forward. This provides the ability to take a proactive approach to cyber security incident response, which can help prevent certain attacks from occurring in the first place.

Is your business truly prepared for potential cyber incidents?

If you’re not yet leveraging the power of automation in this area, you are most definitely at a greater risk.

Don’t take chances. Download your free trial of eyeShare today.
