At the beginning of this year, we predicted optimization would be a top priority for IT and security teams around the globe. Not just from a cost perspective (although with fears of a recession, cost optimization was certainly top of mind), but from an overall resources perspective. Were IT and security leaders using their teams wisely, and were their teams getting the full value out of the security tools they had purchased?
This sentiment was felt even more acutely in the realm of incident response – and for good reason. No cybersecurity team wants to deal with a catastrophic incident. These stats from IBM highlight the impact:
- The average time to identify and contain a breach is 277 days.
- 52% of breaches involve personally identifiable information.
- The average data breach costs $4.9M to recover.
Fortunately, IR teams that are proactive and have incident response plans in place for when their systems are attacked fare far better than teams that do not. And incorporating a cybersecurity asset management solution within that plan makes it much simpler to follow the digital breadcrumbs cyber incidents create. By adopting the right incident response solution and preparing your teams before an incident occurs, you can help keep your organization safe. Let’s explore the tools, processes, and people resources you need to stay protected.
Optimizing your security tools and solutions
You likely already have a variety of incident response tools in your environment that help you prevent incidents, from endpoint management to endpoint protection and vulnerability assessment (VA) tools. But what happens after an incident occurs? These tools still help, but each one sees only the assets it manages or scans, so none of them gives you comprehensive visibility into all of your assets.
That’s why teams invest in cyber asset attack surface management (CAASM) solutions. By gaining comprehensive, real-time visibility into assets, IR teams can look across their digital infrastructure, learn the relationships between assets, and quickly remediate security issues. And when combined with Endpoint Detection and Response (EDR), Endpoint Protection (EPP), and vulnerability scanning solutions, IR teams get a holistic view of each unique asset, allowing them to manage and prioritize vulnerabilities more efficiently.
Getting the most out of your tools and shortening incident response investigations requires rich, correlated data to understand incidents related to devices, users, software, SaaS applications, and cloud services. Then, you can conduct asset investigations that quickly show you the changes in an asset over time, reducing the need for tedious data analysis.
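The two steps described above, correlating records from several tools into one view per asset and then diffing that view over time, are shown in the added example below. This is illustrative code written for this post, not Axonius product code: the source names (edr, va, mgmt), the field names, and every sample record are constructed, and the correlation rule (two records describe the same asset if they share a MAC, hostname, or serial) is an assumption.

```python
"""Added example, not code from the original post or from Axonius.

Correlate asset records from several hypothetical tools into one record
per asset, then diff two correlated snapshots to get a change timeline
an investigator can read. All names, fields and sample data are constructed.
"""

# Assumed identity fields: records sharing any one of these are merged.
IDENTITY_FIELDS = ("mac", "hostname", "serial")


def correlate(sources):
    """Merge per-tool records into one dict per asset, keyed by MAC/serial/hostname.

    Scalar fields keep the first value seen (source order matters);
    list fields (open_ports, software) are unioned so no tool's view is lost.
    Each asset also records which sources reported it ("seen_in"), so a host
    that silently drops out of one tool shows up as a change later.
    """
    assets = []
    for source, records in sources.items():
        for rec in records:
            match = next(
                (a for a in assets
                 if any(rec.get(f) and rec.get(f) == a.get(f) for f in IDENTITY_FIELDS)),
                None,
            )
            if match is None:
                match = {"seen_in": []}
                assets.append(match)
            for field, value in rec.items():
                if isinstance(value, list):
                    match[field] = sorted(set(match.get(field, [])) | set(value))
                else:
                    match.setdefault(field, value)
            match["seen_in"].append(source)
    return {a.get("mac") or a.get("serial") or a["hostname"]: a for a in assets}


def diff_snapshots(before, after):
    """Return change events (asset_key, field, old, new) between two snapshots.

    For list fields old/new are (removed, added); a whole asset appearing or
    disappearing is reported as a single 'asset' event.
    """
    events = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old is None:
            events.append((key, "asset", None, "appeared"))
            continue
        if new is None:
            events.append((key, "asset", "present", "disappeared"))
            continue
        for field in sorted(set(old) | set(new)):
            o, n = old.get(field), new.get(field)
            if isinstance(o, list) or isinstance(n, list):
                o, n = set(o or []), set(n or [])
                if o != n:
                    events.append((key, field, sorted(o - n), sorted(n - o)))
            elif o != n:
                events.append((key, field, o, n))
    return events


# Constructed sample inventories. Each tool knows different identifiers:
# EDR has hostname+MAC, the scanner has MAC+IP, endpoint management has
# hostname+serial. The EDR record is what ties the other two together.
SNAPSHOT_T0 = {
    "edr": [
        {"hostname": "web-01", "mac": "aa:bb:cc:00:00:01", "agent_status": "healthy"},
        {"hostname": "db-01", "mac": "aa:bb:cc:00:00:02", "agent_status": "healthy"},
    ],
    "va": [
        {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.5", "open_ports": [22, 443]},
        {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.6", "open_ports": [5432]},
    ],
    "mgmt": [
        {"hostname": "web-01", "serial": "SN-0001", "software": ["nginx 1.24"]},
        {"hostname": "db-01", "serial": "SN-0002", "software": ["postgresql 15"]},
    ],
}

# Later snapshot: web-01's agent stopped reporting, a new listening port and an
# unexpected package appeared on it, and an unknown device showed up in the scan.
SNAPSHOT_T1 = {
    "edr": [
        {"hostname": "web-01", "mac": "aa:bb:cc:00:00:01", "agent_status": "not_reporting"},
        {"hostname": "db-01", "mac": "aa:bb:cc:00:00:02", "agent_status": "healthy"},
    ],
    "va": [
        {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.5", "open_ports": [22, 443, 4444]},
        {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.6", "open_ports": [5432]},
        {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.0.7", "open_ports": [3389]},
    ],
    "mgmt": [
        {"hostname": "web-01", "serial": "SN-0001", "software": ["nginx 1.24", "unknown-tool 0.1"]},
        {"hostname": "db-01", "serial": "SN-0002", "software": ["postgresql 15"]},
    ],
}


def investigation_timeline():
    """Correlate both snapshots and return the change events between them."""
    return diff_snapshots(correlate(SNAPSHOT_T0), correlate(SNAPSHOT_T1))


if __name__ == "__main__":
    for key, field, old, new in investigation_timeline():
        print(f"{key}: {field} {old!r} -> {new!r}")
```

Running it yields four events: web-01's agent status changed, port 4444 and an unknown package were added to it, and an uncorrelated device appeared. Two caveats worth knowing before relying on this pattern: the merge is order-dependent (the first scalar value wins), and it does not retroactively join two assets that were created separately before a later record bridged them, which is exactly the case a real CAASM product has to handle.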
Optimizing your processes
After making sure your tools can give you the info you need to mitigate an incident, it’s time to create clear processes around how your teams will respond. According to IBM, organizations with dedicated IR teams, plans and testing processes identified breaches 54 days faster than those with neither.
Checklists, templates, and documented plans give leaders a detailed guide for responding efficiently, so nobody has to improvise a plan while an attack is under way. They matter most to the Incident Response Coordinator, who is in charge of how the organization handles a cybersecurity incident; an incident response template ensures the coordinator knows which questions to ask the teammates carrying out response tasks.
High-level questions include:
- What happened and when?
- What was the root cause?
- What remains to be done?
- What lessons can be learned?
- What are the remaining action items?
Here is an example of a report template for cybersecurity and privacy incident response developed by Axonius CISO Lenny Zeltser and his internal team that will help you empower the response team as they respond to the incident.
Optimizing your people
Finally, your tools and processes are nothing without the experts who know how to optimize them. It’s imperative that you have people on your team who have the right incident response skills and expertise.
IR staff need a deep understanding of business needs and must keep their remediation actions in line with those goals. The role carries a high risk of burnout, especially for incident responders who do not yet have the right business and technical skills. These include:
- Essential business skills like communication and collaboration. IR staff must be able to work with other team members to share workloads and information. Incident responders should also be able to solve problems creatively and persistently.
- Essential technical skills like investigation and analysis. Incident responders must be highly skilled at investigating and analyzing incidents and treat the process as a fact-finding mission. They also benefit greatly from forensics skills: the ability to find artifacts, identify intruder techniques, and determine the root cause of an incident.
Building these skills takes time and effort, so ensuring your employees have the bandwidth and space to take on these challenges is crucial. Automation helps eliminate manual and tedious processes, allowing responders to prioritize what matters and be proactive in their incident response actions. When every second matters, it’s important to give your teams the skills to not just speed up incident response, but focus on strategic initiatives and deliver ROI.
Hear from Axonius CISO Lenny Zeltser on why centralized data, assigned responsibilities, checklists, and thorough communication are such essential pieces to the incident response puzzle.
Gain a better understanding of the threats IT and security leaders are facing and how they're optimizing their resources in response by downloading our ebook, “Navigating the IT and Security Resource Paradox: How Organizations Are Addressing Real and Perceived Challenges.”