Cybersecurity incident response: Your company's ICU
Performanta CEO Guy Golan explains why incident response is the beating heart of a cybersecurity service
Surging cyberattacks have significantly elevated UK business leaders' anxiety about ransomware.
According to a new survey from Veeam Software of 100 directors of UK companies with over 500 employees, 61 per cent are anxious about the prospect of another ransomware attack.
Meanwhile 71 per cent agree their business would collapse if it suffered another attack, and 56 per cent believe another incident would force the organisation to make redundancies.
The findings highlight the urgent need for businesses to build up cyber resilience, which Performanta CEO, Guy Golan, believes lies in incident response, he writes below.
Guy Golan, CEO and co-founder, Performanta
When we are seriously ill, we seek medical care. If the situation is more serious, then we go to the intensive care unit (ICU).
There is a direct parallel between the ICU and incident response (IR) in cybersecurity.
IR springs into action when an organisation detects a system breach. The signs—the indicators of compromise— may seem small, such as a failed login to an active directory administrator account or mysterious IP numbers appearing in the logs. But like doctors evaluating symptoms, security IR experts know these are signs of potential cybercrime activity.
If the right symptoms appear, it's time for action. In cybersecurity, this means activating your incident response plan. Scan computer systems, contain threats, inform stakeholders, and get the business out of danger.
Why incident response is vital
The objective of an ICU is to keep you alive, not to get you home the next day.
That's what happens during incident response. The IR team enters the war room to stabilise the company's condition and recover from damage.
IR is complicated. It requires specialised skills to track and uncover a breach and isolate the attackers.
Think of cybercriminals as a viral infection. They will try to spread quickly while undermining the company's defences. They are as worried about being removed as being exposed. This makes IR a very intense and demanding event.
Imagine a patient with multiple injuries. You may not know what those injuries are. You may not know if there's internal bleeding, if a limb is gone, or whether they've got a brain injury. Yet you know that the patient could die if you do not deal with the situation right now.
The same applies to incident response. What was the attack? Is it ransomware? Industrial espionage? Business email compromise? How did the attackers get in? How are they staging the attacks? What are they after? What should you be protecting? IR specialists look for indicators of compromise and then help choose the necessary steps towards containment and recovery.
After treatment, the patient can move to a high-care ward for long-term recovery and strengthening. But if things go wrong, they might stay in the ICU, hooked to life support.
A bad breach is the same. In a good breach with proper incident response, it can still take months to remove all traces of the attackers. But if an organisation does not have a sufficient incident response, the damage could last years.
The cost of the breach goes up dramatically as it impacts more of the business. Even after the attackers have been isolated and stopped, the effects of a breach can linger without sufficient incident response.
There are more options when the IR teams can do their jobs. Once we know the business environment is stabilised, we shift into rehabilitation. We start recovering data from backup, applying patches, addressing discovered issues, and proactively monitoring the patient's health.
Benefits of an IR partner
Few companies maintain in-house incident response teams due to their cost and complexity. Security experts such as Performanta help get companies off life support quickly, and accelerate their remediation and rehabilitation steps. Speed and efficiency are critical: they strengthen security and reduce costs, lowering the long-term fallout of a breach.
That is the purpose of a proper incident response partner. We help plan, coordinate and deliver responses to breach incidents, recruiting from our partner networks for maximum effect. Nobody goes into ICU and takes care of themselves. They rely on a team of skilled professionals to get them out of danger.
Without that team, they might survive. But what state will they be in? Will their full health return? That is very unlikely. The consequences of an untreated breach are the same. But with the proper response and treatment, recovery can be assured. So, don't neglect your Incident Response strategy. It's a healthcare policy for your business.