Given the rising frequency of increasingly malicious and innovative cyber-attacks, one can safely conclude that cyber risk is here to stay. It is no longer a question of ‘if’ but ‘when’ your organization will have to deal with a cyber-attack. The cost of a cyber security breach is significant—in terms of money, business disruption and reputation. Depending on the magnitude of the attack, a cyber incident can potentially put you out of business.
The best course of action for a business that is attacked is a swift and effective response. A cyber security strategy with efficient incident response (IR) capabilities coupled with customer engagement initiatives helps limit the damage and ensures that the business is up and running as soon as possible. Reaching out and engaging with customers reassures them, and helps a business that’s dealing with a cyber-attack to regain customer confidence, and prevent defection.
An effective IR strategy navigates the following phases:
Identify
Information on events is collected from various sources such as intrusion detection systems and firewalls, and evaluated to identify deviations from the normal. Such deviations are then analyzed to check if they are sufficiently significant to be termed an event. The use of automation tools ensures swift detection and eliminates delays in moving to the containment phase. Once a deviation is identified as a security incident, the IR team is immediately notified to allow them to determine its scope, gather and document evidence, and estimate impact on operations. Businesses can bolster this process by incorporating an effective security information and event management (SIEM) system into their cyber security strategy.
Contain
Once a security event is detected and confirmed, it is essential to restrict damage by preventing its spread to other computer systems. Containment involves isolating the affected systems and rerouting their traffic to alternative servers, so that the malware cannot propagate to other systems across the organization.
Eliminate
This step focuses on the removal of the malware from the affected systems. IR teams then conduct an analysis to find out the cause of the attack, perform a detailed vulnerability assessment, and initiate action to address the vulnerabilities discovered to avert a repeat attack. A thorough scan of affected systems to eradicate latent malware is key to preventing a recurrence.
Restore
In the restoration stage, affected systems are brought back into action. While returning the affected systems to the production environment, adequate care should be taken to ensure that another incident does not occur. Once these systems are up and running, they are monitored to identify any deviations. The main objective is to ensure that the deficiency or vulnerability behind the incident just resolved does not cause a repeat incident.
Investigate
This is the last step and entails a thorough investigation of the attack to learn from the incident, and initiate remedial measures to prevent the recurrence of a similar attack. IR teams also undertake an analysis of the response to identify areas for improvement.
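The Identify and Contain phases above, as an added example (not from the original post): events from two sources (firewall and IDS) are compared against a learned per-host baseline, only a deviation corroborated by a second source is escalated to an incident, and the incident record carries scope, evidence and the containment action for the IR team. The log format, baseline figures and host names are constructed for illustration.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format (assumption): "<timestamp> <source> <host> <signal>"
LOG_RE = re.compile(r"^(\S+) (firewall|ids) (\S+) (DENY|ALERT)$")

# Constructed baseline: daily firewall DENY counts per host over a "normal" week.
BASELINE = {"host-a": [4, 5, 6, 5, 5], "host-b": [3, 4, 3, 4, 3]}

# Constructed sample events for one day: host-a is within its norm, host-b is
# well above it and also has an IDS alert, host-c has no baseline to judge by.
SAMPLE_LOGS = (
    [f"2024-05-01T10:00:{i:02d} firewall host-a DENY" for i in range(5)]
    + ["2024-05-01T10:01:00 ids host-a ALERT"]
    + [f"2024-05-01T10:02:{i:02d} firewall host-b DENY" for i in range(8)]
    + ["2024-05-01T10:03:00 ids host-b ALERT"]
    + [f"2024-05-01T10:04:{i:02d} firewall host-c DENY" for i in range(20)]
    + ["2024-05-01T10:05:00 ids host-c ALERT"]
)

@dataclass
class Incident:
    host: str                      # scope: the affected system
    observed: int                  # DENY count seen today
    threshold: float               # baseline mean + k * stdev
    evidence: list = field(default_factory=list)   # raw lines for the IR record
    action: str = "isolate host and reroute its traffic"  # Contain-phase handoff

def triage(lines, baseline, k=3.0):
    """Identify phase: flag hosts whose DENY count exceeds the baseline by k
    standard deviations AND that also raised an IDS alert (second source)."""
    denies, alerts = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # ignore lines that do not parse
        _ts, source, host, signal = m.groups()
        bucket = denies if (source, signal) == ("firewall", "DENY") else alerts
        bucket[host].append(line.strip())
    incidents = []
    for host, raws in denies.items():
        hist = baseline.get(host)
        if not hist or len(hist) < 2:
            continue                       # no learned normal: cannot call it a deviation
        thr = statistics.mean(hist) + k * statistics.pstdev(hist)
        if len(raws) > thr and alerts.get(host):
            incidents.append(Incident(host, len(raws), thr, raws + alerts[host]))
    return incidents
```

Hosts without a baseline are deliberately left out rather than guessed at; in practice they would be routed to a separate onboarding queue so the SIEM can learn their normal before alerting on them.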
What enterprises need now are effective cyber security solutions to monitor and provide real-time visibility on a myriad of business applications, systems, networks and databases. There has been an increasing realization that basic protection tools for important corporate information are no longer sufficient to protect against new advanced threats. Furthermore, enterprises are under tremendous pressure to collect, review and store logs in a manner that complies with government and industry regulations.
Countering focused and targeted attacks requires a focused cyber security strategy. Organizations need to take a proactive approach to ensure that they stay secure in cyber space and adopt a robust cyber security strategy.
Raghuram is a former Happiest Mind and this content was created and published during his tenure.