In our highly connected business environments, the need to respond to the inevitable security breach is on the mind of every CISO. An increasing number of organizations rely on the services of a Managed Detection and Response (MDR) provider. According to the Cisco 2016 Annual Security Report, 42 percent of surveyed companies outsourced incident response, compared with 35 percent the prior year.

Contracting with an MDR service is far different than contracting logistics or facility services. Responders will gain intimate knowledge of your business operations, and their recommendations will have far-reaching impacts on your information services.

As a senior incident response analyst on the Cisco Incident Response Service team, I work with customers every day to ensure they have solid incident response readiness and response strategies. A customer-focused approach to incident response means that when we assist a customer in responding to a potential breach, we go in with an open mind, listening to the needs of the customer. We create response plans with the customer’s business obligations as the highest priority.

Responders are comrades in the battle against the cybersecurity adversary, walking alongside their client through the valley of uncertainty. Incident responders need to be more than a technical asset: they need to be a trusted partner as well. The responder needs to appreciate the client’s business objectives, and recommendations must balance the client’s risk tolerance against those objectives.

The trust relationship between the incident responder and the client is a two-way street. Responders’ recommendations will be incomplete at best if the client is not forthcoming with relevant information about, for example, business objectives and the technical environment. As part of building a new business relationship with a client, the responder will require information about business operations: it is helpful to know the client’s business objectives, the hierarchy of their security organization, their logging capabilities, and their high-priority information systems. The client’s responses to these questions will affect the success of the incident response plan.

Imagine a situation where an incident response service is brought in to perform root cause analysis and provide recommendations for containment, eradication, and recovery from the incident. The customer requesting the response services is not comfortable providing a list of high-priority assets because they do not yet trust the responders. During analysis, the incident responders identify a number of assets that may have been impacted by the incident. Since the high-priority assets were never communicated, the responders cannot prioritize their workflow. As a result, they may inadvertently focus on low-priority assets or give inappropriate recommendations, such as taking down a service the business needs in order to function.
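The scenario above can be made concrete with a small triage routine. This is an added example, not Cisco’s code or any tool described in the post: it ranks assets flagged during analysis by the responders’ evidence severity multiplied by the business criticality the client supplied, and when no criticality register has been shared it falls back to evidence alone and holds every service-disrupting recommendation for client confirmation. The asset names, the 1 to 5 scales, and the sample findings are constructed for illustration.

```python
"""Triage ordering for assets flagged during incident analysis.

Added example (not Cisco's code). Shows how the same findings produce a
different work order depending on whether the client shared a criticality
register, and why disruptive actions are held back when that data is missing.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    asset: str            # hostname flagged during analysis (constructed sample names)
    severity: int         # responders' assessment of the evidence, assumed scale 1 (low) to 5 (high)
    proposed_action: str  # "isolate_host", "disable_service" or "monitor"


@dataclass
class TriageItem:
    asset: str
    score: int
    criticality: Optional[int]      # None when the client supplied no value
    action: str
    needs_client_confirmation: bool


# Actions that would interrupt a business service if carried out.
DISRUPTIVE_ACTIONS = {"disable_service", "isolate_host"}


def triage(findings: List[Finding], criticality_register: Dict[str, int]) -> List[TriageItem]:
    """Return findings ordered highest priority first.

    criticality_register maps asset name -> business criticality on an assumed
    1 (low) to 5 (high) scale, as provided by the client. An empty dict models
    the situation where the client withheld the list of high-priority assets.
    """
    items = []
    for f in findings:
        crit = criticality_register.get(f.asset)
        if crit is None:
            # No business context: rank on evidence only, and never recommend
            # a disruptive action without the client confirming the impact.
            score = f.severity
            needs_confirm = f.proposed_action in DISRUPTIVE_ACTIONS
        else:
            score = f.severity * crit
            # With context, only disruptive actions on high-criticality
            # assets still require explicit sign-off from the business.
            needs_confirm = f.proposed_action in DISRUPTIVE_ACTIONS and crit >= 4
        items.append(TriageItem(f.asset, score, crit, f.proposed_action, needs_confirm))
    # Highest score first; asset name breaks ties so the order is deterministic.
    return sorted(items, key=lambda i: (-i.score, i.asset))


# Constructed sample findings: an order database with moderate evidence, a
# lobby kiosk with strong evidence, and an HR workstation that only needs watching.
SAMPLE_FINDINGS = [
    Finding("db-orders-01", severity=3, proposed_action="disable_service"),
    Finding("kiosk-lobby-07", severity=5, proposed_action="isolate_host"),
    Finding("ws-hr-112", severity=4, proposed_action="monitor"),
]

# Constructed criticality register as the client would supply it.
SAMPLE_REGISTER = {"db-orders-01": 5, "kiosk-lobby-07": 1, "ws-hr-112": 3}


if __name__ == "__main__":
    for label, register in (("with client register", SAMPLE_REGISTER), ("register withheld", {})):
        print(f"--- {label} ---")
        for item in triage(SAMPLE_FINDINGS, register):
            hold = " (hold for client confirmation)" if item.needs_client_confirmation else ""
            print(f"{item.asset:16} score={item.score:2} action={item.action}{hold}")
```

With the register, the order database ranks first and its shutdown is flagged for sign-off; without it, the lobby kiosk jumps to the top of the queue and the recommendation to disable the order service is held, which is exactly the misprioritization the paragraph describes.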

Risk mitigation and successful recovery from a cybersecurity incident are mutually beneficial. The impacted organization wants to find the source of the incident, determine the extent of the impact, and implement controls to prevent it from recurring. The responders’ reputation relies heavily on their ability to deliver on those objectives. Responders also have a genuine personal sense of responsibility to resolve the incident. Most of us entered this field because we enjoy helping others solve problems, and we become emotionally invested in finding the solution.

Cultivating a relationship of trust is absolutely necessary for a successful response engagement. It is through this relationship that we can provide a customer-focused service. If you are interested in learning more about Cisco’s approach to helping our customers with incident response support, read “Combatting Cybercrime with an Incident Response Plan”.

Matt Aubert

Senior Incident Response Analyst