Detection and response
Suzanne Strobel

Practical recommendations and actionable steps to improve your organization’s security today

This three-part blog series is dedicated to highlighting research uncovered in the 2021 State of Incident Response. In Part 1 we revealed security leaders’ top concerns over the last year, while Part 2 explored the real-world obstacles that are hindering progress.

Now, we turn to cybersecurity experts from Red Canary, Kroll, and VMware for insights on the research and practical recommendations to help organizations turn the tide.

Grant Oviatt, Director of Incident Response Engagements, Red Canary

“It’s jarring to hear that 93% of organizations suffered a data compromise over the past 12 months. On one hand, I think it’s an accomplishment in the security product space that organizations are instrumented in a way that they can identify data compromise in their environments, but it also speaks to the continued need for third-party vendors to augment internal security teams to increase effectiveness during response.”

Keith McCammon, Chief Security Officer & Co-founder, Red Canary

“The fact that such a large portion of the respondent base sees identity compromise through password-based/single-factor user credentials as a growing area of concern shows that this pain point has not been adequately addressed yet. Strong identity protection, including multi-factor authentication, remains a vital tool in slowing adversaries. It doesn’t prevent all attacks, but it would prevent an overwhelming majority.”

Stacy Scott, Managing Director, Cyber Risk, Kroll

“Many organizations prepare by conducting a tabletop exercise with a handful of stakeholders, but when faced with a real incident their front-line teams lack clarity to properly classify and declare an incident response. Organizations need to develop and enforce clear-cut escalation frameworks to avoid costly delays.”

Keith McCammon, Chief Security Officer & Co-founder, Red Canary

“Incident response is a multi-layered process, and the most important aspect of the process is a well-defined plan that includes whom to involve, when to involve them, and how.”

Grant Oviatt, Director of Incident Response Engagements, Red Canary

“If the three rules of real estate are ‘Location, Location, Location,’ the three rules of incident response are ‘Prepare, Prepare, Prepare.’ Minutes matter with incident response, so building an incident response plan and regularly practicing it at the highest levels of your organization will lead to better outcomes in the event of an actual breach.”

Eric Groce, Incident Response Manager, Red Canary

“Gone are the days of automation benefits only being realized by technical staff. Automation can drive significant efficiencies and cost savings that will benefit the entire organization.”

Justin Scarpaci, Partner Solutions Architect, VMware

“It’s imperative to quickly identify threats during an incident and triage what’s critical and what’s not. This is where endpoint protection capabilities like Enterprise EDR and audit & remediation can go a long way, especially when data is correlated with the rest of your security stack.”

Jason Smolanoff, Global Cyber Risk Practice Leader, Kroll

“Security and risk leaders need to understand the specific risks that they are looking to transfer through cyber insurance and focus on a policy that will provide that level of coverage. That might include provisions for digital forensics, data recovery, business restoration, and replacement hardware if [the] original is encrypted and there are no decryption keys available.”

Grant Oviatt, Director of Incident Response Engagements, Red Canary

“Don’t let ‘best’ get in the way of better. If you’re having a hard time convincing your organization to ban the use of macro-enabled documents, it’s probably a core business function for your finance and accounting departments. Instead of trying to eliminate business functionality that creates cyber risk, help stakeholders mitigate their risk as a measure of improvement. Focus on using clear measures of risk to prioritize internal projects and get buy-in. Use third party providers to assess your risk and security posture, and use their findings to reinforce your position for internal change. Focus on improvement rather than eradication.”

Andrew Beckett, Cyber Risk Practice Leader, EMEA, Kroll

“Ahead of an incident, it’s important to develop an information security program that helps build a defensible narrative. Include statements like: ‘We’ve taken reasonable measures to protect our data from the threats that are most prevalent to our type of business’ and ‘If an attacker does get into our network, they would have to take extraordinary measures to bypass our security.’”

Based on the findings of this research, here are 5 actionable steps organizations can take today:

1: Build a secure foundation

No organization is immune to cyber attack. Ensure the foundational security controls are in place so you can catch threat activity before it becomes a significant problem for your organization. Strong identity protection, including multi-factor authentication on every externally reachable login, remains vital in slowing adversaries: it hardens the weakest link in any organization’s security posture, the people whose credentials attackers phish, guess, or buy.

2: Test the process, close the gaps

An incident response process that has never been tested is only a guess about how the organization will behave under pressure, so testing it should be a top priority, especially when so many respondents report lacking adequate tools, having insufficient expertise on staff, and spending too much time investigating low-level alerts. Security leaders are turning to a variety of assessment methods, but many overlook the basics. Run incident response exercises on a regular basis, update your process against an established framework such as NIST SP 800-61 (the Computer Security Incident Handling Guide), and measure whether the changes actually improve performance by tracking metrics such as time to detection and time to containment on real incidents.

3: Adopt security best practices

Organizations that do not follow established best practices in their security operations are leaving their success to chance. Introducing best practices and formal strategies will not automatically make an organization more secure, but it provides a clear structure and makes it far easier to measure whether security processes are actually effective.

4: Build a bridge to legal counsel

The legal implications of a breach remain unclear to many organizations, with almost half of survey respondents reporting they do not know when to engage counsel about a potential breach. By fostering collaboration between infosec and legal before an incident occurs, organizations can remove this uncertainty and give staff a simple, pre-agreed path to quick answers when an attack is underway and time is of the essence.

5: Partner with third-party providers

Security leaders are increasingly recognizing the benefits of third-party partners that provide managed detection and response. With security teams inundated with alerts, adding headcount is not always the most efficient, or even a practical, option. Bringing on a third-party provider as a partner can affect the entire incident response process, particularly in the areas security leaders care about most: reducing time to containment and response, augmenting in-house security expertise, and increasing automation.

***

Security teams around the globe have responded brilliantly to the unprecedented challenges they’ve faced over the past year. Unfortunately, the immense pressure that teams are under shows no sign of letting up anytime soon. With one dangerous attack following another, the time to implement improvements is now.

As we head into the second half of 2021, it’s a prime time for security teams to reevaluate their detection and response capabilities, adopt new best practices, and shore up incident response plans. In the face of budgetary and staffing constraints, this can often mean bringing in trusted partners to help fill in any gaps in resources or expertise. Third-party providers like Red Canary can help speed up containment and response to threats, augment in-house expertise, and increase automation of processes. Contact us to learn how we can help turn last year’s incident response challenges into newfound confidence for 2022.
