Issue link: https://insights.oneneck.com/i/1517358
Enhancing Your Response Capabilities Fortra.com 7 Key Pillars for Effective Response 1. Detection Strength: The underpinning of an effective response strategy is broad detection. This requires a broad log ingestion ecosystem, allowing for the appropriate depth of data and breadth of sources to detect across the entire kill chain. Outcomes then can scale through analytics while implementing advanced technologies (e.g., machine learning and building extensions) through API-based connections. Visibility into pre- and post-breach environments, analyzing data, and producing insights across the IT estate are critical to enable response actions spanning network, endpoint, and cloud environments. Various data sources also are necessary during forensics to complete the picture of an attack. 2. Broad Response Coverage: Discover ingress and egress points. An organization's IT estate is dynamic, but the constants always will include endpoints (client and server), network (firewall, WAF), cloud (AWS, Azure, GCP), and identity (Active Directory, SSO). These are a sampling of sources for telemetry data which are key to detecting incidents. However, they also represent the targets where the response action will occur to minimize the damage of a detected breach. An effective response strategy should include a policy update applied at the endpoints, network edge, and cloud service provider. 3. Risk Profile: Consider the value of an asset and type of attack. A revenue-generating asset, such as an e-commerce server, will have a different response than a non-critical asset, like a print server. To understand the type of attack against an asset, ensure you have access to the security content detail provided in an actionable way, including analytics content and configuration requirements. As your IT estate grows in size and complexity, the ability to classify assets with similar criteria to apply the response actions is imperative. Failure to do so will result in significant management challenges. 4. User Experience: Your solution should allow for configurable response workflows. This solution should invoke the optimal balance of process automation and human interaction to address your evolving security requirements. Resource-gapped organizations may not be able to respond to every incident nor want everything automated as this can have adverse effects. The ideal scenario is to automate actions based on circumstances such as an organization's risk tolerance, skillset, and headcount. Some prefer a simplified experience with a sage to guide them in the playbook creation process. Consequently, more sophisticated users may prefer fully customized playbooks. 5. Actions Taken: Recognize that effective response is often a blend of multiple actions. Prioritization changes based on variables such as incident type, asset criticality, and desired outcomes. The blend should consist of: • Notification — Inform appropriate responders of the security incident with sufficient detail to allow for decision-making. • Containment — Limit access of the compromised entity, which may include limiting system services, restricting network access and egress, or reducing user roles and privileges. • Elimination — Disrupt the attack and block access to the vulnerable service. In most cases, there will be a notification prompting security teams to further investigate and execute the recommended remediation steps. Steps may include revising a policy or change control, updating a misconfigured service, or applying patches to affected systems. " Responding effectively to security events means that responses are tailored to each threat, system, and execution environment, as well as to compliance and regulatory requirements, customer obligations, and the organization's overall risk appetite. " Practical Requirements for Responding to Cyberthreats with MDR, 451 Research, S&P Global Market Intelligence, Pathfinder Report, 2021 Page 2