Channel: Symantec Connect - Blog Entries

When Defenses Fail: The Case for Incident Response

Most prevention and detection technologies and processes fail.  This may sound like heresy coming from an employee of one of the largest security companies in the world, but it’s true.  You just have to scan the headlines or comb through one of many industry breach reports to learn about the latest retailer whose customers’ payment cards have been stolen or a corporation whose confidential information has been dumped on PasteBin or the organization whose network had been infiltrated by a hacker for close to a year without detection.

As many before me have said, it’s not a question of “if”, but “when” your organization will be breached.  Don’t get me wrong, it’s important to make sure your technical ecosystem is healthy.  You need to do things like maximize your current security investments, establish baselines and monitor for anomalies, integrate intelligence, monitor holistically, and leverage automation.  But just throwing technology at the problem is one sure way we can guarantee failure and continue the endless cycle of massive breaches.

Why? Because even if you do everything “right”, your organization is still run by people.  And not all people have the security mindset you’d like them to have. 

So what’s left?  Incident Response.  Rapid, accurate response is the key to minimizing the damage and cost of a breach. IR is an organized approach to addressing and managing the aftermath of a security breach or attack, often called an “incident”.  Incident Response may sound like a reaction to a problem.  And all too often it is.  But our thinking about Incident Response must shift from a high-cost reactive approach – operating in “crisis mode” – to a more proactive, programmatic approach to Incident Response.  When implemented properly, IR is a continuous improvement process applying lessons learned from past incidents to improve overall cyber security effectiveness.

But companies often find themselves in an incident where they don’t have the right skills at all, or don’t have enough people with the right skills, to address it properly.  That’s where bringing in an IR partner can make all the difference.

While there are lots of measures you can apply to what makes a strong IR partner, there are two key factors to consider:

  • Expertise and Experience:  It’s not quantity, but quality here.  Your organization should look for a partner whose IR team has expertise and experience in working in some of the world’s largest, most complex companies and government agencies.  
  • Ecosystem of Integrated Security Intelligence:   Your IR partner should have access to a wide variety of intelligence – on malware, attack actors, campaigns, global trends, etc. – that helps them provide a clear understanding of the depth and breadth of the particular incident they are addressing.  The expertise coupled with intelligence allows them to identify the root cause and nature of the incident more efficiently in order to eradicate the threat and return to normal operations as quickly as possible.

Regardless of your industry or geography, developing an incident response program is key to protecting vital data now and as the cyber world continues to evolve into the future.

