InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
This is already the third and final article of our Endpoint Detection & Response (EDR) blog series. This time we will tell you how organizations can quickly and effectively remediate security incidents to return their businesses to normal operations.
The resolution of security incidents is a key piece in cyber defence. This requires the right tools to quickly and effectively contain a threat and remove it from your infrastructure.
The primary goal of any incident remediation plan is to restore operations as quickly as possible so the business can get back to revenue-creating activities. Sure, your team would prefer to investigate the incident immediately and accurately - but that's secondary. Because the core business always has priority. But of course, a precise analysis is indispensable. In the long term, it is an important component in strengthening cyber security in the long term. That's why it's essential to use a suitable tool on the one hand to meet the requirements of your core business and on the other hand to cover the needs of threat analysis.
When resolving an incident, you need to guarantee fast access to event information, user activity details, or a set of unique system artefacts. This is the only way to determine which systems, endpoints are affected by a cyber attack, or to which the attacker had access.
If an organization fails to fully scope an incident, the remediation effort may fail to eradicate an attacker’s foothold in the environment - or allow them to easily regain access if underlying vulnerabilities have not been resolved. This makes a comprehensive, detailed investigation even more important.
Do you remember our first articles on Endpoint Detection & Response? Parts one and two describe the phases of incident detection and analysis. We also showed you why a fast, adaptable toolset is needed to fully capture an incident. But what information is relevant to recovery? Below are the key points:
After you have completed the initial scoping phase of the incident, the details collected in your investigation will help you determine what needs to be remediated or removed from your environment so you can develop your remediation plan. Once this is clear and you have the necessary tools, you are ready to go. Important: The plan should consider both the short- and long-term aspects of eliminating a threat.
In the short term, it is critical to stop the threat and prevent it from spreading. The long-term challenge is to ensure that the same threat does not recur in the future or if it cannot be completely ruled out, cannot have any negative impact. Only in this way can cyber security be sustainably optimized!
There are many steps you need to take immediately after a threat occurs. These include quarantining a component (e.g. a computer) from the system, collecting key system artefacts for analysis, or temporarily suspending a user account until longer-term controls can be implemented.
Of course, these tasks are not part of normal day-to-day business. Your security team should nevertheless be able to practice the following activities on a regular basis, for example in a simulated emergency:
Of course, you could continue the list as you like. The examples are only intended to encourage you to think about which activities you need to carry out in a critical situation and which therefore need to be practised periodically.
In parallel with executing these short-term remediation tasks, it is also essential to develop and initiate long-term changes to mitigate the risk of the same incident recurring in the future. These can range from shorter patching cycles of risky systems to the development of a comprehensive approach to detection, investigation and response.
For all long-term measures, it is central that they are monitored and verified not only at the beginning but also in the future. For example, if you apply a new patch, you should be able to check later whether the patch is actually applied. You should also be able to continuously monitor accounts that have been deactivated, for example. This will allow you to ensure that they are no longer being used, for example by an attacker.
The reaction process is critical when security measures have not worked in an attack, but there is much more to do before a cyber attack even occurs. For example, you should check your patch policies regularly. Consider the following metrics:
You see - there is a lot of work even without a security incident. The simple question is: Does your current EDR solution provide you with a fast enough response to detected threats? Or even better, does it go beyond that and give you the investigative visibility you need to assess threats? Is it flexible enough to respond differently when needed?
You notice: In order to be able to protect yourself against today's cyber attacks, you need specialized tools in addition to processes and know-how. Because if your cyber security analysts are overloaded with alerts and cannot identify which alarms have priority, effective cyber defence is hardly possible. Tanium has created a solution to this problem that closes the gap between detection and response. In this way, a continuous security process can be ensured as well as reacting efficiently and effectively.
The best? InfoGuard offer you this technology exclusively as a service! Our EDR-as-a-Service is provided from the ISO 27001 certified Cyber Defence Center by experienced experts. Interested? Find out more here!
*in cooperation with Tanium