Second in a three-part series based on the CyberRisk Alliance/Exterro eBook Incident Response for a Remote World.
In the previous post, we explained why organizations need to adapt their traditional incident response (IR) methods to fit a hybrid and remote work environment. Now it’s time to explore how they can achieve this task.
Perhaps the most important thing to do initially when adapting IR strategies to the new hybrid environment is to thoroughly understand this environment. To maintain comprehensive visibility into an increasingly complex and distributed infrastructure, security and IT teams need to know what it is they are trying to defend.
That means working closely with colleagues in infrastructure and operations leadership to better understand:
- Where critical data is stored,
- What protections are currently in place to protect the data, and
- Who has access to networks, systems, and data.
By understanding how the attack surface has changed and expanded, security leaders and teams can adjust their approach as needed to address new or growing areas of risk.
Another good practice is to have playbooks available for the most common breach scenarios, and to test those scenarios often via technical and executive tabletop exercises. Given how the threats are constantly evolving, it’s important for teams to be prepared for whatever might come in terms of attacks.
As for technology solutions, companies can deploy tools and services that are designed to provide effective IR in remote environments. Tools that are available in the market today allow security teams to respond to incidents without the need for direct network connectivity. This is accomplished by placing agents on client devices, for example, so that when an incident occurs the security team can connect with an affected device over the Internet to remediate the incident remotely.
If a device is connected to the Internet, the security team can perform IR on the device using IR tools, which is important because oftentimes employees might not have their VPNs operational while they are working from home or from another remote site.
These tools can also collect data from off-network remote devices, eliminating the need to send the devices to the security team for in-person analysis and fixes. The data that’s collected is securely transmitted to validated servers, and security analysts can investigate incidents by scanning for indicators of compromise (IOCs).
Modern security tools should also deliver automation, which is becoming a critical component of many aspects of cyber security. Automation can certainly be applied to IR. The growing threat landscape means there are higher volumes of incidents occurring. And because IR teams are not growing as fast as the volumes of incidents, teams must automate responses or risk falling behind.
Organizations need to invest in security orchestration and automated response technologies and deploy these to automate incident detection, response, and mitigation. Many of them lack this capability today and given the ongoing cyber security skills shortage and the rising sophistication of threats, the need for automating security processes is greater than ever.
Security teams should make sure devices are managed before granting access to data. And the security operations center (SOC) should be capable of ingesting and correlating data to alert the security team quickly of any potentially malicious activity.
These are just a few of the steps organizations and their security teams can take to adapt IR for the new realities of work and business.
There is no turning back at this point; the pandemic has forever changed workforce models at many organizations worldwide. Today, hybrid and remote work arrangements are the norm.