The most effective incident response strategy

The answer you need before a cyberincident occurs.

How can you know the most effective way to respond to a targeted attack before it occurs? Tough question, isn’t it? According to our survey, 42% of organizations do not have a clear answer to that question. Furthermore, a majority of the information security specialists who responded to the survey (63%, to be precise) could not give a clear answer either. But the answer to this question must be thought out in advance.

Wait-and-see approach

Classical information security strategy consists, for the most part, of preventive technologies and policies whose main purpose is to prevent outsiders from penetrating the information infrastructure. It works well with widespread threats. However, complex targeted attacks are sharpened to bypass that strategy. And when a cyberincident happens, everyone, including employees of IS departments, scramble to figure out how to respond.

In many cases, a business comes to the conclusion that doing nothing is the best strategy. Of course, bonuses may be lost, and orders will be issued to do whatever is necessary to prevent the recurrence of such an incident in the future (in other words — to improve preventive measures), and business will go on as before. The reason for this decision is that management is afraid of additional losses. After all, an investigation of a cyberincident may lead to stopping systems that are critical for the continuity of key business processes.

Meanwhile, in the aftermath of an attack, it is extremely important to analyze what happened, what information the attackers got, how long they stayed in your systems, and how they got there. Did they get financial credentials? Or your clients’ credit card data? Here you need to take urgent measures; otherwise, the incident will result in even greater losses.

Unified incident response process

To minimize the number of unpleasant surprises in case of a cyberincident, it is necessary to develop a process of response to complex and targeted attacks in advance. One of the new tools that can reinforce all viable strategies is an endpoint detection and response (EDR) class system. It supplements security operation centers with next gen methods such as threat hunting.

Such a system allows information security specialists to collect all of the data needed for detailed analysis from all workstations. IS specialists can remotely study the anomaly, surgically remove or block the threat, and launch recovery procedures. And they can do it in a way that is absolutely unnoticeable to users, without the need for physical access to their workspaces and without disrupting the continuity of the company’s business processes at all.

In many cases, EDR allows you to identify an incident at an early stage, when attackers have already penetrated your network but they have not caused significant damage, before they can transmit information out of your infrastructure.

However, there are a lot of EDR systems. Not all of them will suit the needs of every cybersecurity department. The right EDR solution can augment your security strategy; the wrong one can be destructive to your security processes and may even affect your system’s compliance with regulations. That is why we have prepared “A Buyer’s Guide to Investing in Endpoint Detection & Response for Enterprises 2017-2018,” a document that can help you with the choice.

More information on how to properly respond to cyberincidents can be found in our study “New Threats — New Approaches: Risk Preparedness for Protecting Against Complex Attacks.”

Details on our EDR solution, which is now in the pilot stage, are available at the Kaspersky Endpoint Detection and Response website.