SecurityWeek

Strengthen Cybersecurity With These 3 Steps to Rapid Response

Planning for Rapid Response Will Help Ensure You Have a Foundation in Place During Times of Crisis

Crises and outbreaks change us and society, with the war against COVID-19 having the most dramatic impact in recent memory. Every aspect of our existence is different, including new ways of working, communicating, conducting business, and taking care of ourselves and our families. The key is learning from these experiences so we can be better prepared for future events.

These extreme changes have escalated another war, a war against cyber threats, with exposure to new cybersecurity risks that threat actors choose to exploit. The line between work and personal devices has blurred with users and usage moving fluidly between them. Personal and business data flows freely across home Wi-Fi networks. When the workday ends, we transition seamlessly to virtual happy hours and binge-watching videos using a growing number of services – further expanding the attack surface. Threat actors are also using novel lures that pull on our fears and inquisitive nature to entice us to click on malicious links or attachments or unwittingly share data that we shouldn’t. It’s a situation that is quickly becoming untenable for many cybersecurity professionals and causing organizations to question their capacity to respond rapidly. 

While serving as a Supreme Allied Commander during WWII, Dwight D. Eisenhower said, “In preparing for battle I have always found that plans are useless, but planning is indispensable.” Planning for rapid response will help ensure you have a foundation in place during times of crisis to work more effectively with your peers to mitigate risk and to answer questions from management about the organization’s resilience to the latest threats. 

I’ve outlined three steps to help you lay the groundwork for rapid response. It’s important to note that these recommendations aren’t specific to COVID-19. Going through this planning process will also improve your ability to respond rapidly to future events – from a new, high-profile ransomware campaign with global impact to opportunistic cyberattacks triggered by a natural or manmade disaster.

1. Consume. As we’ve seen before with global threats like WannaCry and are seeing now with COVID-19, crises and outbreaks generate a strong uptick in new, disparate sources of threat information. Many commercial threat intelligence providers, governments, open source feeds and frameworks like MITRE ATT&CK provide valuable threat and outbreak-specific data. Becoming aware of these new sources is one thing, but being able to consume all that data is another, especially since they arrive in different formats and may be different types of data than you currently utilize. To make this situation manageable you need a central repository that is prepared to accept these feeds or, if they are in non-standard formats, can be mapped to them quickly – in minutes or hours. The agility to accept new threat information sources quickly for consumption is at the heart of rapid response. With high quality data aggregated and normalized, you can assess how it may pertain to you and utilize it.

2. Understand. Understanding the data individually provides value, but the real value comes from understanding it in aggregate, including with respect to events and associated indicators from your own internal systems – for example, from your SIEM, log management repository, case management system and security infrastructure. By relating the data to what’s actually happening in your environment, you gain context that makes it tangible. For example, an indicator that is active, high-scoring or cited within the last 24 hours will initiate further investigation, while others may warrant ongoing monitoring and those that are benign can be set aside. A big picture view also allows you to quickly see who else within the organization needs to consume and understand this data – your SOC team, network security team, threat intelligence analysts, threat hunters, forensics and investigations, management, etc. – and share it. 

3. Action. The final step is to enable the data as part of your infrastructure and operations. Quickly sending the appropriate pieces of data to the appropriate tools, systems and controls within your environment will accelerate detection, response and prevention. For example, exporting the data to your existing infrastructure allows those technologies to perform more efficiently and effectively – delivering fewer false positives. You can also use your curated threat intelligence to be anticipatory and prevent attacks in the future – like automatically sending intelligence to your sensor grid (firewalls, IPS/IDS, routers, web and email security, endpoint detection and response (EDR), etc.) to generate and apply updated policies and rules to mitigate risk. 
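The three steps above form one pipeline, shown here as an added illustration that is not code from the original column or from ThreatQuotient. It assumes two constructed feeds in different formats, a handful of constructed SIEM events, a fixed clock, and example triage thresholds (80 for "high-scoring", 30 for "worth monitoring"); all indicator values are documentation-range placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feeds in two different formats (placeholder values, not real indicators).
FEED_CSV = """ioc,kind,score,last_seen
198.51.100.23,ip,85,2020-04-20T09:00:00Z
lure-site.example,domain,40,2020-03-01T00:00:00Z"""
FEED_JSON = json.dumps([
    {"value": "203.0.113.7", "type": "ipv4", "confidence": 90, "seen": "2020-04-20T12:30:00Z"},
    {"value": "old-news.example", "type": "domain", "confidence": 10, "seen": "2020-01-15T00:00:00Z"},
])
SIEM_EVENTS = [  # constructed internal events, shaped like a SIEM export
    {"ts": "2020-04-20T13:05:00Z", "src": "10.0.0.5", "dst": "203.0.113.7"},
    {"ts": "2020-04-20T13:07:00Z", "src": "10.0.0.9", "dst": "192.0.2.50"},
]
NOW = datetime(2020, 4, 20, 14, 0, tzinfo=timezone.utc)  # fixed clock so the example is reproducible

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Step 1 - Consume: map each feed's own field names and type vocabulary onto one common schema.
def consume(csv_text, json_text):
    out = []
    rows = csv_text.strip().splitlines()
    header = rows[0].split(",")
    for row in rows[1:]:
        r = dict(zip(header, row.split(",")))
        out.append({"value": r["ioc"], "type": r["kind"], "score": int(r["score"]), "last_seen": parse_ts(r["last_seen"])})
    type_map = {"ipv4": "ip"}  # the JSON feed names the same type differently
    for r in json.loads(json_text):
        out.append({"value": r["value"], "type": type_map.get(r["type"], r["type"]),
                    "score": int(r["confidence"]), "last_seen": parse_ts(r["seen"])})
    return out

# Step 2 - Understand: relate indicators to what is actually happening in the environment.
# Active in our events, high-scoring, or seen within 24h -> investigate; middling score -> monitor; rest -> set aside.
def understand(indicators, events, now, high=80, low=30):  # thresholds are assumptions for this example
    seen_in_env = {e["src"] for e in events} | {e["dst"] for e in events}
    triaged = []
    for ind in indicators:
        active = ind["value"] in seen_in_env
        recent = now - ind["last_seen"] <= timedelta(hours=24)
        verdict = ("investigate" if active or ind["score"] >= high or recent
                   else "monitor" if ind["score"] >= low else "set_aside")
        triaged.append({**ind, "active": active, "verdict": verdict})
    return triaged

# Step 3 - Action: export only the investigate set as rules a firewall or IDS could load.
def action(triaged):
    return [f"block {i['type']} {i['value']}" for i in triaged if i["verdict"] == "investigate"]
```

Running `action(understand(consume(FEED_CSV, FEED_JSON), SIEM_EVENTS, NOW))` yields two block rules; the stale, low-score domain is set aside rather than pushed to controls, which is where the "fewer false positives" benefit comes from.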


With capabilities to quickly curate and integrate new threat data sources across your operations, you’re prepared for whatever the future brings. You can be confident that your security teams have laid the groundwork for rapid response. You also have a construct for effective communication with management, with the capability to provide details about a specific threat and how you are mitigating risk in ways that resonate with business leaders. Planning now for how you will deal with new threats triggered by the next big crisis or outbreak is time well spent, and an activity that Dwight D. Eisenhower would applaud.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
