Planning is Vital to a Successful Cyber Incident Response Program

Before embarking on anything new – buying a new house, taking a vacation, getting a new job – you usually start with a plan. You identify the neighborhood you want to live in, decide whether to hit the beach or go skiing, and have an idea of the amount of money you want to make so your efforts have direction. In short you plan your work and then work your plan.

So why isn’t this approach always taken when it comes to cyber incident response? In this post, we will explore why planning matters and the elements that make up the foundation of any solid incident response program.

Cyber Incident Response Plan

Why Do You Need Cyber Incident Response?

Warren Buffett, the Oracle of Omaha, said cyber attacks are a bigger threat to humanity than nuclear weapons. While we aren’t quite to doomsday levels yet, the number of attacks is doubling year over year, which means you’re likely to be in the position of needing to respond to a cyber incident sooner rather than later, if you haven’t had to do so already.

Cyber Incident Response is a Matter of Time

Time is of the essence in responding to a cyber attack, as the threat actor has likely been poking around your network for several weeks or months before your team discovers something is amiss. The longer a threat actor can go undetected in your environment – also referred to as dwell time – the more damage that can be done to your organization. And while dwell times have been going down steadily each year, threat actors still have the advantage. Average dwell times are 49 days or more, whereas a mid-level threat actor can infiltrate a network and exfiltrate data in about a week.

Cyber Incident Response is a Matter of Reputation

Breaches can have a significant impact on the overall perception of a business and its brand. Sixty-five percent of customers affected by a breach lose trust in the organization, with 25% taking their business elsewhere. Your company’s marketing department likely has this at the top of their list of worries, and so should you. Why? Reputation damage almost always has financial implications.

Cyber Incident Response is a Matter of Money

It’s no secret that breaches are expensive. The total cost of a successful cyber attack is typically in excess of $5 million, though this cost can be much higher. Shipping company Maersk reported losses of about $300 million stemming from the NotPetya attack in 2017.

In some cases, costs associated with breach recovery have more of an impact than the actual attack itself. The City of Atlanta spent more than $2 million to recover from a ransomware attack that was demanding $52,000.

Initial costs aside, the largest potential financial impact to a business is in lost revenue over time. The majority of consumers say they would stop doing business with an organization if it experienced a data breach, and 93% say they would take, or consider taking, legal action against an enterprise that has been breached.

A good cyber incident response plan can mean the difference between a quick recovery for your organization and long-term damage to your company’s reputation and bottom line.

A Good Cyber Incident Response Strategy Delivers ROI

In order to justify your company’s investment in a comprehensive next-generation cyber incident response strategy, you must be able to prove that keeping up with the latest industry trends and tools is not only a responsible security posture, but also provides a justifiable ROI.

Consider this: the industry has been providing clients with defense-oriented solutions for the greater part of a decade now, and yet breaches still occur. Many solutions are on their way out or have already become obsolete, and it is becoming standard to use a multi-faceted, orchestrated approach to cybersecurity strategy. In other words, building a plan predicated on prevention, detection and response (our main emphasis) is already the new trend. With so many cyber attacks hitting major companies and entities over the past year, solidifying an incident response strategy is more important than ever. With that in mind, and accepting the current trends in attacks, let’s discuss the three bulkheads of a cyber incident response strategy.

1.) Prevention

Prevent infiltrations from happening in the first place. It is easier said than done, but it is still nice to imagine. Even so, you can imagine the multitude of organizations that regret not taking extra precautions vis-à-vis preventative measures. As an initial step, simple education for your employees goes a long way. Many of these attacks on employees begin with phishing emails: an employee clicks a malicious link in a message with little understanding of the potential risks. As a matter of fact, your employees can oftentimes be the proverbial front line against potential threats. This falls under the category of a holistic approach to cyber security strategy, and securing these weak links can become a defensible mandate for your overall security culture.

Effectively determining where your points of weakness are, and acting on them, will help you identify your dependencies, hotspots and the tools you need to understand your cyber threat landscape. Constantly reinforcing and fortifying an existing system is not a long-term plan or strategy. Honestly assess what you have now and where your known weak spots are, and from that come up with better preventative measures. And look at past incidents addressed by your cyber incident response program and feed the lessons from those back into your security operations to prevent similar future attacks.

2.) Detection

Risk detection serves as a major facet of any legitimate cyber security strategy. In this step, you are building the theoretical wall that will minimize penetration. Much like tearing down the system from the inside, assessing your points of susceptibility will give you an honest, unbiased idea of where you need more work and where your infrastructure is lacking. Some of the best practices to help detect risks include: identifying and documenting asset vulnerabilities and internal and external threats, acquiring threat and vulnerability information from external sources, identifying potential business impacts and their likelihoods, determining enterprise risk by reviewing threats, and identifying and prioritizing risk responses. Only when you have a realistic view of where your vulnerabilities reside will you be able to rebuild your detection strategy.

3.) Response

Incident response is key. After you have set up the wall of defense and it is penetrated, you have to be the one armed to the teeth with tools for response, reporting and remediation. That is why we consider security orchestration and cyber incident response processes the most essential tool in your cybersecurity strategy and security operations. After 10 years of honed focus on prevention, with day-to-day analysts inundated with alerts, the industry is finally beginning to rely on next-generation response platforms capable of building actionable threat storylines, true alert prioritization and powerful case management. Developing a consistent strategy among your staff, and being able to report on the actions taken to remediate the most important alerts, is essential.

With so many new methods and angles of attack out in the internet ether, it is difficult to know when your company’s information is fully protected. But with a coherent, sound cybersecurity strategy, you can decrease the odds of being vulnerable. By finding your current system’s vulnerabilities, assessing other potential risks, and orchestrating your existing security tools to maximize visibility, you are strategizing for success and guaranteeing a profitable ROI. Keeping costs to a minimum is key in any industry, and certainly in security operations centers across the globe, but by investing in a fully realized, three-pronged approach to prevention, detection and response, you can increase your odds of success. In the event your security is breached in spite of the first two steps, an adequate and consistent response strategy and platform are essential. All of these combined can justify your company’s organized and prioritized investment in a cybersecurity strategy.