A successful response to a cybersecurity crisis requires a central integration hub where security operations teams manage incidents. This integrated crisis management capability is a must-have for when an alert needs to be escalated into a cross-organizational response.
Sure, you can train for these situations with tabletop exercises or well-rehearsed, proactive incident response plans, but as with any crisis, nothing matches the real thing. Each situation varies with technical factors such as:
1) Threat type (e.g. a response to ransomware vs. an insider threat)
2) Attack stage (e.g. this just surfaced from an EDR alert vs. this is a persistent threat that has long since passed the data exfiltration stage)
3) Impact assessment (e.g. theft of our most critical intellectual property has likely occurred vs. this is an isolated endpoint that has no critical IP on it, but malware spread is possible)
While these factors will change the technical tactics you turn to, a successful crisis response strategy includes the following general measures of success for anyone serious about taking command during a crisis.
How quickly does your team transition from a normal alert to a declared crisis? How quickly is a threat assessment completed? How long does it take to loop in the internal, and potentially external, response team?
How does the team know what to do and who does what? Is everyone logging their activities, flagging forensic discoveries, and sharing related events? Is the sequence of activities clearly laid out to avoid overlapping effort?
Is the assembled team on the same page and collaborating? Is everyone aware of the existing indicators of compromise, endpoint and user telemetry, and research already done, and in sync on a response strategy? Where does everyone chat and share data?
How does the case officially close? Was each requirement met, and do any decisions remain to be made? Has each business unit or stakeholder (e.g. legal, public relations, senior executives) been given the actionable information they need from a response standpoint?
The Siemplify Command Center as a Crisis Management Hub
The Siemplify Command Center was purpose-built for integrated crisis management. It allows enterprise and MSSP security teams to escalate an alert to a “crisis” and rally a cross-functional response team in minutes. For MSSP users, this means inviting your customers into a case to keep their security team, and their collaborators, on the same page. For enterprise users, this means direct collaboration across your organization, whether with the legal department, a PR agency, or senior executives.
Once all collaborators are on an incident, the Command Center comes equipped with a range of capabilities to foster speed, action, collaboration and resolution. This includes a workstation for incident analysis, data consolidation, task management, and file sharing. Reports can be generated in a few clicks to prepare for briefings, while secure chat sessions are available to discuss incident actions and ultimate resolution.
Living up to being “powerfully simple,” the Siemplify Command Center is yet another feature that makes security operations teams more efficient and effective. See it in action by watching the video below. Or you can connect with our experts by clicking here.
Dane Disimino is director of product marketing at Siemplify.