Modern cybersecurity places a heavy emphasis on preventive controls such as firewalls, micro-segmentation, and zero trust network access. While prevention is a legitimate objective and one very much worth pursuing, avoiding every potential incident is not possible. Therefore, how organizations respond to cyber incidents matters. Enter the Cyber Incident Response (CIR) strategy.
Among the cybersecurity strategies Hillstone Networks promotes are network detection and response (NDR) and extended detection and response (XDR). Note that in both cases, response follows detection. A sound CIR strategy can mean the difference between an inadequate response and one that completely mitigates the threat at hand.
In a nutshell, an organization’s CIR strategy serves as its roadmap for addressing cyber-attacks and mitigating their impacts. It offers a defined approach to response based on five principles:
1. Preparation
A sound CIR strategy begins with preparing for incidents before they occur. Security experts identify assets in need of protection, then prioritize those assets accordingly. An incident response plan is developed in order to create a list of policies and procedures to address each phase of an incident as it unfolds.
Preparation also includes training, testing and refining response strategies, maintaining the resources necessary to respond to incidents, and partnering with a variety of public and private sector organizations capable of enhancing an organization’s security.
2. Identification
What Hillstone Networks often refers to as detection is known in the CIR space as identification. Simply put, responding appropriately to security incidents requires identifying them for what they are. We utilize a variety of detection engines to identify suspicious activity across every level of a network or cloud environment.
Hand-in-hand with identification are reporting and escalation. All suspicious activity must be reported through the proper channels. If additional alerts or escalation are required, established criteria will determine the course of action.
3. Containment
Given that it is impossible to prevent every incident before it happens, containing identified threats is critical to CIR. Any threat, no matter how minor, should be immediately contained to prevent further spread. It can be analyzed and addressed after containment.
Containment policies may vary depending on vulnerable assets and the seriousness of detected threats. Therefore, a comprehensive CIR strategy includes policies for determining scope and threat level. Along with those policies are procedures for securing forensic data and other information that may be necessary for future investigation.
4. Elimination
The fourth principle is elimination. Once threats are identified, contained, and properly analyzed, it is time to eliminate them completely. Elimination is all about removing the root cause of the attack at hand. It could be malware, unauthorized access, improper credentials, or any number of other things.
The elimination phase often includes patching vulnerabilities to avoid future exploits. A solid CIR strategy provides for immediate patching without delay.
5. Recovery
CIR includes recovery for the simple fact that some incidents result in damage to networks, data, business processes, and even continuity. Hopefully, an organization’s detection and response strategies are strong enough to mitigate the most serious damage. Nonetheless, any damage done must be addressed through qualified recovery plans that return the organization to normalcy.
Recovery should include a focus on minimizing both downtime and damage to an organization’s brand. Therefore, recovery is not exclusively technical. It also includes communication, reporting, and similar activities.
Here at Hillstone Networks, we believe every organization needs a solid CIR strategy. The more comprehensive the strategy, the better an organization’s position against cyber-attacks tends to be. We invite you to learn more about how we help clients meet their CIR objectives through our state-of-the-art solutions.