
Anyone who has ever observed or participated in a dance rehearsal is familiar with the count-off cadence, 5, 6, 7, 8.  The same is true of musicians who count at the beginning of a piece, or an athlete awaiting the starting signal. These indicators alert us to the same thing: Be ready NOW.

Cybersecurity has a set of starting signals as well, but they differ in one aspect. When a cybersecurity event occurs, the team responsible for incident response is not the initial actor. Incident response demands the same readiness as a world-class performer; however, incident responders only start (metaphorically) after the rest of the horses have left the gate. Absent the catalyst, an active responder would be entirely out of place. This makes the cybersecurity professional the second player in a nail-biting competition.

Cybersecurity as a first responder

One could posit that a cybersecurity incident responder is no different from any other first responder, such as a law-enforcement officer or a firefighter. This is true, but only in a limited sense. As with all things in the virtual realm, the unseen can be much harder to respond to than a physical event. For example, a firefighter has a much easier time locating a fire than a security analyst has locating the source of a breach. Indicators of compromise can sometimes be quite ephemeral.

Similar to other first responders, a cybersecurity incident responder must be ready at all times to jump into action at the earliest sign of a problem. The key to a successful, rather than a failed, incident response is timeliness.

Timely incident response as a business enabler

Cisco’s Security Outcomes Study addresses the topic of timely incident response. In interviews with 4,800 security professionals, timely incident response emerged as a clear gauge not only of security success, but also of business enablement. In fact, timely incident response ranked higher than vulnerability remediation deadlines.

Figure: Average increase in probability of success - Timely Incident Response

The report emphasizes this finding by stating succinctly:

It may seem odd at first to see incident response (IR) listed as a top business enabler. But IR isn’t just about putting out fires and cleaning up the mess. It’s ultimately about handling unexpected events with minimal impact to the business.

If you work in an environment where everything comes to a halt at the announcement of a vulnerability and the subsequent deployment of the corrective patch, this finding is transformative. It contemplates the idea that disrupting business operations to apply patches should perhaps take a secondary role to the ability to respond to an active exploit. This is important, as security is often seen as something that hinders the flow of business rather than an enabling force. However, incident response, and specifically timely incident response, is not just a new title that can be slapped onto the front door of the Security Operations Center. Incident response is a discipline, with specific phases and approaches.

The six stages of incident response

In incident response parlance, there are six classic stages: prepare, identify, contain, eradicate, recover, and lessons learned. (It is fair to note that there are variations on this, but the general rules are all aligned along the same track.)

Which phase would you consider the most important? Narrowing the question down to a single most important phase is probably not the point, as that logic creates a whirlpool of conflicting interests that distracts from the full goal. For instance, while preparation is a primary concern, one can never prepare for everything. The identification phase includes scoping, which is often not performed to the fullest extent that it should be; that introduces quite a number of problems, and the intentions of the phase are never realized. Ranking the phases becomes an exercise in circular logic, which is merely a time waster.

When you consider why a musical or athletic performance is so transfixing, or why we all stop to watch first responders in action, it may be because we are mesmerized by the effortlessness with which these people carry out their tasks. That is the result of constant training. The most important part of incident response is reducing the dwell time of attackers through early detection, and that, like all other aspects of the kill chain, comes through practice.
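The two ideas above, the six classic phases and dwell time as the metric that matters most, can be made concrete by actually measuring them. The following is an added example, not code from the original post or from Cisco: it models each incident as a set of phase start times, defines dwell time as the interval from the first reconstructed attacker activity to identification, and time-to-contain as identification to containment, then reports which incidents breached a dwell-time target and which were never closed out with a lessons-learned phase. The incident records and the 24-hour target are constructed for illustration; phase names follow the post, and the decision to treat "prepare" as ongoing program work rather than a per-incident phase is my assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The six classic phases named in the post. "prepare" is continuous program
# work, so per-incident timing starts at "identify" (assumption made here).
PHASES = ["prepare", "identify", "contain", "eradicate", "recover", "lessons_learned"]
PER_INCIDENT_PHASES = PHASES[1:]


@dataclass
class Incident:
    ident: str
    # When attacker activity actually began, as reconstructed during scoping.
    first_attacker_activity: datetime
    # Timestamp at which each phase began, keyed by phase name.
    phase_started: Dict[str, datetime] = field(default_factory=dict)

    def _interval(self, start_phase: Optional[str], end_phase: str) -> Optional[timedelta]:
        end = self.phase_started.get(end_phase)
        if end is None:
            return None
        if start_phase is None:
            start = self.first_attacker_activity
        else:
            start = self.phase_started.get(start_phase)
        if start is None:
            return None
        return end - start

    def dwell_time(self) -> Optional[timedelta]:
        """Attacker dwell time: first activity until the team identified the incident."""
        return self._interval(None, "identify")

    def time_to_contain(self) -> Optional[timedelta]:
        """Identification until containment began; None while still uncontained."""
        return self._interval("identify", "contain")

    def missing_phases(self) -> List[str]:
        """Per-incident phases with no recorded start, in phase order."""
        return [p for p in PER_INCIDENT_PHASES if p not in self.phase_started]


def summarize(incidents: List[Incident], dwell_sla: timedelta) -> dict:
    """Roll up the timeliness metrics the post argues matter most."""
    dwell = [(i.ident, i.dwell_time()) for i in incidents if i.dwell_time() is not None]
    mean_dwell = sum((d for _, d in dwell), timedelta()) / len(dwell) if dwell else None
    return {
        "mean_dwell": mean_dwell,
        "dwell_sla_breaches": [ident for ident, d in dwell if d > dwell_sla],
        "uncontained": [i.ident for i in incidents if i.time_to_contain() is None],
        "not_closed_out": [i.ident for i in incidents if "lessons_learned" in i.missing_phases()],
    }


def _t(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


# Constructed sample data: three incidents at different stages of the cycle.
SAMPLE_INCIDENTS = [
    Incident("INC-001", _t("2024-01-01 00:00"), {
        "identify": _t("2024-01-01 06:00"), "contain": _t("2024-01-01 08:00"),
        "eradicate": _t("2024-01-02 09:00"), "recover": _t("2024-01-03 09:00"),
        "lessons_learned": _t("2024-01-10 14:00"),
    }),
    # Long-dwell intrusion found sixteen days in; never formally closed out.
    Incident("INC-002", _t("2023-12-20 00:00"), {
        "identify": _t("2024-01-05 00:00"), "contain": _t("2024-01-05 12:00"),
        "eradicate": _t("2024-01-06 09:00"), "recover": _t("2024-01-07 09:00"),
    }),
    # Caught within half an hour, containment still in progress.
    Incident("INC-003", _t("2024-01-08 10:00"), {
        "identify": _t("2024-01-08 10:30"),
    }),
]


def main() -> None:
    summary = summarize(SAMPLE_INCIDENTS, dwell_sla=timedelta(hours=24))
    for key, value in summary.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Feeding real ticket data into this shape makes the "practice" argument measurable: mean dwell time trending down over successive incidents is the evidence that early detection is improving, and the not-closed-out list shows where the lessons-learned phase is being skipped.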

Incident response is part of a complete security strategy

That timely incident response is a business enabler is surprising, and even more telling is that, among the respondents of the Security Outcomes Study, incident response also ranked highly on the list of components that contribute to a host of other progressive security initiatives, including:

  • Overall security program success
  • Creating a strong security culture
  • Managing top risks
  • Regulatory compliance
  • Security cost-effectiveness

Security, and all of IT, is often considered a cost center, meaning that it does not generate revenue. However, if we look at cybersecurity as a cost-avoidance strategy, timely incident response takes on an entirely new level of importance. One of the best ways to demonstrate that money is well spent in an organization is through the reduction of wasted effort. The Security Outcomes Study indicates a high correlation between timely incident response and a successful security program that minimizes wasted effort.

Figure: Average increase in probability of success - Timely Incident Response

Security readiness is achieved through planning, practice, and continuous improvement. One of the newest components of a solid security program is incident response. It is important to note that disaster recovery is part of a response effort. However, as threats advance, incident response is rising as a leading element of a more complete security strategy.

Sadly, not all organizations are fully invested in the value of incident response. Nearly 40% of our interviewees indicated that their organization did not embrace the importance of timely incident response. Given the other indicators in the report, we can only hope that this trend diminishes over time.

Figure: Percent of respondents who strongly agree their firm follows each security practice

Incident response is not an easy task to accomplish. Imagine if you were able to reduce incident response time by up to 85% with a coordinated defense to fully expose, contain, and resolve threats and vulnerabilities. Cisco Secure Endpoint simplifies investigation, allowing you to get to the root cause of the incident fast and accelerating remediation.

And what’s more, the threat response feature of Cisco SecureX leverages an integrated security architecture that automates integrations across Cisco Security products to simplify threat investigations and responses, saving you time and effort by speeding up investigations significantly and allowing you to take corrective action immediately.

In the event you need assistance with any of the incident response stages outlined above, Cisco’s Talos Incident Response Services can help you to achieve the readiness that you need to move your business towards greater security performance.

Authors

Eric Hulse

Sr Reverse Engineer

Advanced Threat Solutions – AMP Threat Grid